46 lines
1.5 KiB
Diff
46 lines
1.5 KiB
Diff
From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001
|
|
From: Simon McVittie <smcv@collabora.com>
|
|
Date: Wed, 1 Sep 2021 12:45:54 +0100
|
|
Subject: [PATCH] run: Disallow recently-added mount-manipulation syscalls
|
|
|
|
If we don't allow mount() then we shouldn't allow these either.
|
|
|
|
Partially fixes GHSA-67h7-w3jq-vh4q.
|
|
|
|
Thanks: an anonymous reporter
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
|
|
|
|
---
|
|
common/flatpak-run.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
|
index dad0cfe..2781694 100644
|
|
--- a/common/flatpak-run.c
|
|
+++ b/common/flatpak-run.c
|
|
@@ -2838,6 +2838,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
|
* Return ENOSYS so user-space will fall back to clone().
|
|
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
|
|
{SCMP_SYS (clone3), ENOSYS},
|
|
+
|
|
+ /* New mount manipulation APIs can also change our VFS. There's no
|
|
+ * legitimate reason to do these in the sandbox, so block all of them
|
|
+ * rather than thinking about which ones might be dangerous.
|
|
+ * (GHSA-67h7-w3jq-vh4q) */
|
|
+ {SCMP_SYS (open_tree), ENOSYS},
|
|
+ {SCMP_SYS (move_mount), ENOSYS},
|
|
+ {SCMP_SYS (fsopen), ENOSYS},
|
|
+ {SCMP_SYS (fsconfig), ENOSYS},
|
|
+ {SCMP_SYS (fsmount), ENOSYS},
|
|
+ {SCMP_SYS (fspick), ENOSYS},
|
|
+ {SCMP_SYS (mount_setattr), ENOSYS},
|
|
};
|
|
|
|
struct
|
|
--
|
|
2.27.0
|
|
|