35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
|
From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
|
||
|
|
From: Simon McVittie <smcv@collabora.com>
|
||
|
|
Date: Wed, 1 Sep 2021 14:21:04 +0100
|
||
|
|
Subject: [PATCH] run: Don't allow chroot()
|
||
|
|
|
||
|
|
If we don't allow pivot_root() then there seems no reason why we should
|
||
|
|
allow chroot().
|
||
|
|
|
||
|
|
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||
|
|
|
||
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||
|
|
|
||
|
|
Conflict:NA
|
||
|
|
Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
|
||
|
|
|
||
|
|
---
|
||
|
|
common/flatpak-run.c | 1 +
|
||
|
|
1 file changed, 1 insertion(+)
|
||
|
|
|
||
|
|
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||
|
|
index b1a8db5..da96465 100644
|
||
|
|
--- a/common/flatpak-run.c
|
||
|
|
+++ b/common/flatpak-run.c
|
||
|
|
@@ -2824,6 +2824,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||
|
|
{SCMP_SYS (umount), EPERM},
|
||
|
|
{SCMP_SYS (umount2), EPERM},
|
||
|
|
{SCMP_SYS (pivot_root), EPERM},
|
||
|
|
+ {SCMP_SYS (chroot), EPERM},
|
||
|
|
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||
|
|
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
|
||
|
|
* and flags arguments are reversed so the flags come second */
|
||
|
|
--
|
||
|
|
2.27.0
|
||
|
|
|