openeuler-ci-bot
901d28c8ab
!90 Fix CVE-2024-42472
From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
2024-08-19 06:58:04 +00:00
wk333
33d6af6586 Fix CVE-2024-42472 2024-08-19 10:13:06 +08:00
openeuler-ci-bot
de1df69514
!80 Fix CVE-2024-32462
From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
2024-04-19 06:48:04 +00:00
wk333
35fd35e02d Fix CVE-2024-32462 2024-04-13 02:53:05 +08:00
openeuler-ci-bot
e981cf9ebe
!61 Fix CVE-2022-21682
From: @dongyuzhen 
Reviewed-by: @zzm_567, @small_leek 
Signed-off-by: @small_leek
2022-02-17 02:36:49 +00:00
dongyuzhen
36a9729ecf Fix CVE-2022-21682 2022-02-15 14:28:40 +08:00
openeuler-ci-bot
c0f3b3adb9
!55 Fix CVE-2021-43860
Merge pull request !55 from dongyuzhen/openEuler-20.03-LTS-SP3
2022-01-30 02:44:55 +00:00
dongyuzhen
9eabf69994 Fix CVE-2021-43860 2022-01-29 19:07:09 +08:00
openeuler-ci-bot
44d5120775 !36 [sync] PR-33: fix CVE-2021-41133
From: @openeuler-sync-bot
Reviewed-by: @t_feng,@small_leek
Signed-off-by: @small_leek
2021-10-21 09:40:02 +00:00
zhanzhimin
07ead92226 fix CVE-2021-41133
(cherry picked from commit 22a178c97cde6a7fcebaff7dc2fdab21784edfa0)
2021-10-20 19:26:23 +08:00
23 changed files with 2462 additions and 1 deletions

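--- /dev/null
+++ b/CVE-2024-32462.patch
@@ -0,0 +1,72 @@
+From 72016e3fce8fcbeab707daf4f1a02b931fcc004d Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 15 Apr 2024 16:10:36 +0200
+Subject: [PATCH] When starting non-static command using bwrap use "--"
+Origin: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d
+This ensures that the command is not taken to be a bwrap option.
+Resolves: CVE-2024-32462
+Resolves: GHSA-phv6-cpc2-2fgj
+Signed-off-by: Alexander Larsson <alexl@redhat.com>
+[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
+[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+app/flatpak-builtins-build.c | 2 +-
+common/flatpak-dir.c | 1 +
+common/flatpak-run.c | 5 ++++-
+3 files changed, 6 insertions(+), 2 deletions(-)
+diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
+index ce9ff7e..bb4bd06 100644
+--- a/app/flatpak-builtins-build.c
++++ b/app/flatpak-builtins-build.c
+@@ -569,7 +569,7 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
+if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+return FALSE;
+- flatpak_bwrap_add_args (bwrap, command, NULL);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+flatpak_bwrap_append_argsv (bwrap,
+&argv[rest_argv_start + 2],
+rest_argc - 2);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index f00e6bf..e7bc1f8 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -5391,6 +5391,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
+g_ptr_array_add (argv_array, g_strdup ("--dev"));
+g_ptr_array_add (argv_array, g_strdup ("/dev"));
+g_ptr_array_add (argv_array, g_strdup ("--bind"));
++ g_ptr_array_add (argv_array, g_strdup ("--"));
+g_ptr_array_add (argv_array, g_strdup (basedir));
+g_ptr_array_add (argv_array, g_strdup (basedir));
+#endif
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index d48be1f..0b2bada 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -754,6 +754,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
+if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+return FALSE;
++ /* End of options: the next argument will be the executable name */
++ flatpak_bwrap_add_arg (bwrap, "--");
++
+return TRUE;
+}
+@@ -3176,7 +3179,7 @@ flatpak_run_app (const char *app_ref,
+if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
+return FALSE;
+- flatpak_bwrap_add_arg (bwrap, command);
++ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+if (!add_rest_args (bwrap, app_ref_parts[1],
+exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
+--
+2.33.0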
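Review bot: In the flatpak-dir.c hunk the new `--` is inserted between `--bind` and its two path arguments, so, as rendered here, bwrap would consume `--` as the bind source and treat the second `basedir` as the command to run, which breaks the sandboxed trigger path instead of hardening it. The end-of-options marker must come after the last bwrap option, i.e. after the second `g_ptr_array_add (argv_array, g_strdup (basedir));` and before the trigger path is appended, mirroring the other two hunks where `--` sits immediately before `command`. If this view preserved the patch file's line order, please re-check the hunk against the upstream commit before shipping; flatpak_dir_run_triggers begins and ends outside the hunk. A comment at the insertion point would also help the next backporter, e.g. `/* End of bwrap options: everything after this is the trigger argv (CVE-2024-32462) */`.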

CVE-2024-42472.patch Normal file

@ -0,0 +1,225 @@
Origin:
https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788
https://github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19
https://github.com/flatpak/flatpak/commit/847dfb88cebbdf8825332730b837489684dfb91e
https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97
From 7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 109 +++++++++++++++++++++++++++++++++++++--
configure.ac | 3 ++
tests/test-run.sh | 39 ++++++++++++++
3 files changed, 148 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 6303c71..09dd440 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2616,6 +2616,90 @@ flatpak_context_get_run_flags (FlatpakContext *context)
return flags;
}
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int base_fd,
+ const char *basedir,
+ int mode,
+ const char *subdir,
+ int *out_fd,
+ GError **error)
+{
+ glnx_autofd int parent_fd = -1;
+
+ if (g_path_is_absolute (subdir))
+ {
+ const char *skipped_prefix = subdir;
+
+ while (*skipped_prefix == '/')
+ skipped_prefix++;
+
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+ subdir = skipped_prefix;
+ }
+
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+ if (strcmp (subdir_dirname, ".") == 0)
+ {
+ /* It is ok to open basedir with follow=true */
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+ return FALSE;
+ }
+ else if (strcmp (subdir_dirname, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+ else
+ {
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+ subdir_dirname, &parent_fd, error))
+ return FALSE;
+ }
+
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+ if (strcmp (subdir_basename, ".") == 0)
+ {
+ *out_fd = glnx_steal_fd (&parent_fd);
+ return TRUE;
+ }
+ else if (strcmp (subdir_basename, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+ return FALSE;
+
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+ if (fd == -1)
+ {
+ int saved_errno = errno;
+ struct stat stat_buf;
+
+ /* If it's a symbolic link, that could be a user trying to offload
+ * large data to another filesystem, but it could equally well be
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+ * Produce a clearer error message in this case.
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
+ * to ask again to find out whether it's really a symlink. */
+ if (saved_errno == ENOTDIR &&
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+ S_ISLNK (stat_buf.st_mode))
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+ }
+
+ *out_fd = fd;
+ return TRUE;
+}
+
void
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
FlatpakBwrap *bwrap,
@@ -2643,12 +2727,31 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, NULL))
{
const char *persist = key;
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
- g_mkdir_with_parents (src, 0755);
+ g_autoptr(GError) local_error = NULL;
+
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
+ {
+ g_warning ("Unable to create directory %s", appdir);
+ continue;
+ }
+
+ /* Don't follow symlinks from the persist directory, as it is under user control */
+ glnx_autofd int src_fd = -1;
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+ persist, &src_fd,
+ &local_error))
+ {
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+ continue;
+ }
+
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
diff --git a/configure.ac b/configure.ac
index 8bf37b0..0862ae5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 3c344df..f087ff2 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -494,3 +494,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
assert_file_has_content err2.txt [Ii]nvalid
echo "ok no setuid"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
--
2.33.0
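Review bot: Every `--persist` mount now depends on the installed bubblewrap understanding `--bind-fd`, and the only guard added is the configure-time `--help` grep, which is skipped when flatpak is built against a bundled bwrap and says nothing about the bubblewrap present at run time; an older system bwrap will reject the unknown option and every `flatpak run` with a persisted directory will fail. The package's runtime dependency on bubblewrap should be raised to a version that ships `--bind-fd` (the spec file is not in this view, so this may already be handled elsewhere in the commit). The local name `src_via_proc` is now misleading, since it holds a bare fd number rather than a /proc path; `g_autofree char *src_fd_str = g_strdup_printf ("%d", src_fd);` would read more honestly at the `--bind-fd` call. The rest of flatpak_context_append_bwrap_filesystem lies outside the hunk.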


@ -0,0 +1,146 @@
From e26ac7586c392b5eb35ff4609fe232c52523b2cf Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 11:53:23 +0100
Subject: [PATCH] run: Add an errno value to seccomp filters
At the moment, if we block a syscall we always make it fail with EPERM,
but this is risky: user-space libraries can start to use new replacements
for old syscalls at any time, and will often treat EPERM as a fatal error.
For new syscalls, we should make the syscall fail with ENOSYS, which is
indistinguishable from running on an older kernel and will cause fallback
to an older implementation, for example clone3() to clone().
In future we should probably move from EPERM to ENOSYS for some of the
syscalls we already block, but for now keep the status quo.
This is a prerequisite for fixing the vulnerability tracked as
GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
---
common/flatpak-run.c | 62 +++++++++++++++++++++++++-------------------
1 file changed, 36 insertions(+), 26 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 79b30cb..7476d86 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2098,54 +2098,56 @@ setup_seccomp (FlatpakBwrap *bwrap,
struct
{
int scall;
+ int errnum;
struct scmp_arg_cmp *arg;
} syscall_blacklist[] = {
/* Block dmesg */
- {SCMP_SYS (syslog)},
+ {SCMP_SYS (syslog), EPERM},
/* Useless old syscall */
- {SCMP_SYS (uselib)},
+ {SCMP_SYS (uselib), EPERM},
/* Don't allow disabling accounting */
- {SCMP_SYS (acct)},
+ {SCMP_SYS (acct), EPERM},
/* 16-bit code is unnecessary in the sandbox, and modify_ldt is a
historic source of interesting information leaks. */
- {SCMP_SYS (modify_ldt)},
+ {SCMP_SYS (modify_ldt), EPERM},
/* Don't allow reading current quota use */
- {SCMP_SYS (quotactl)},
+ {SCMP_SYS (quotactl), EPERM},
/* Don't allow access to the kernel keyring */
- {SCMP_SYS (add_key)},
- {SCMP_SYS (keyctl)},
- {SCMP_SYS (request_key)},
+ {SCMP_SYS (add_key), EPERM},
+ {SCMP_SYS (keyctl), EPERM},
+ {SCMP_SYS (request_key), EPERM},
/* Scary VM/NUMA ops */
- {SCMP_SYS (move_pages)},
- {SCMP_SYS (mbind)},
- {SCMP_SYS (get_mempolicy)},
- {SCMP_SYS (set_mempolicy)},
- {SCMP_SYS (migrate_pages)},
+ {SCMP_SYS (move_pages), EPERM},
+ {SCMP_SYS (mbind), EPERM},
+ {SCMP_SYS (get_mempolicy), EPERM},
+ {SCMP_SYS (set_mempolicy), EPERM},
+ {SCMP_SYS (migrate_pages), EPERM},
/* Don't allow subnamespace setups: */
- {SCMP_SYS (unshare)},
- {SCMP_SYS (mount)},
- {SCMP_SYS (pivot_root)},
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ {SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (mount), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
};
struct
{
int scall;
+ int errnum;
struct scmp_arg_cmp *arg;
} syscall_nondevel_blacklist[] = {
/* Profiling operations; we expect these to be done by tools from outside
* the sandbox. In particular perf has been the source of many CVEs.
*/
- {SCMP_SYS (perf_event_open)},
+ {SCMP_SYS (perf_event_open), EPERM},
/* Don't allow you to switch to bsd emulation or whatnot */
- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
- {SCMP_SYS (ptrace)}
+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
+ {SCMP_SYS (ptrace), EPERM}
};
/* Blacklist all but unix, inet, inet6 and netlink */
struct
@@ -2230,10 +2232,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
for (i = 0; i < G_N_ELEMENTS (syscall_blacklist); i++)
{
int scall = syscall_blacklist[i].scall;
+ int errnum = syscall_blacklist[i].errnum;
+
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
+
if (syscall_blacklist[i].arg)
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blacklist[i].arg);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blacklist[i].arg);
else
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
if (r < 0 && r == -EFAULT /* unknown syscall */)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
@@ -2243,10 +2249,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blacklist); i++)
{
int scall = syscall_nondevel_blacklist[i].scall;
+ int errnum = syscall_nondevel_blacklist[i].errnum;
+
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
+
if (syscall_nondevel_blacklist[i].arg)
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blacklist[i].arg);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blacklist[i].arg);
else
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
if (r < 0 && r == -EFAULT /* unknown syscall */)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
--
2.19.1
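Review bot: The new `g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE)` checks in both loops return FALSE without populating `error`, so if a table entry ever carries another errno the caller of setup_seccomp would see a failure with a NULL GError, which is likely either a crash or a silent failure depending on how the caller reports it. Since the tables are static data, a better fit for this file's existing style is to fail through the same path as the unknown-syscall case, e.g. `return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Unsupported errno %d for syscall %d"), errnum, scall);`. Note this patch only adds the errnum plumbing; it blocks no new syscall itself, so the actual CVE-2021-41133 fix (the ENOSYS entries for the newer syscalls) must live in a sibling patch that is not in this view. setup_seccomp begins and ends outside the hunks.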


@ -0,0 +1,36 @@
From 65cbfac982cb1c83993a9e19aa424daee8e9f042 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Wed, 12 Jan 2022 11:00:56 +0100
Subject: [PATCH] Ensure that bundles have metadata on install
If we have a bundle without metadata we wouldn't properly present
the permissions in the transaction.
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042
---
common/flatpak-dir.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 56bca24..d6929ba 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7608,6 +7608,13 @@ flatpak_dir_ensure_bundle_remote (FlatpakDir *self,
if (metadata == NULL)
return NULL;
+ /* If we rely on metadata (to e.g. print permissions), check it exists before creating the remote */
+ if (out_metadata && fp_metadata == NULL)
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "No metadata in bundler header");
+ return NULL;
+ }
+
gpg_data = extra_gpg_data ? extra_gpg_data : included_gpg_data;
parts = flatpak_decompose_ref (ref, error);
--
2.27.0
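Review bot: The new error message reads `"No metadata in bundler header"`, which looks like a typo for "bundle"; since this is the string users see when a malformed bundle is rejected, it should be `flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, "No metadata in bundle header");`. The check is gated on `out_metadata`, so a caller that does not request metadata still proceeds with a metadata-less bundle; that matches the inline comment's intent but is worth stating at the check, e.g. `/* Callers that display permissions must see the real metadata; refuse to create the remote without it */`. flatpak_dir_ensure_bundle_remote begins and ends outside the hunk.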


@ -0,0 +1,60 @@
From 949a3ec479d5ca0c962cf12adec70aea30bf0186 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 20 Jan 2020 19:20:14 +0000
Subject: [PATCH] context: Generalize handling of special filesystems a bit
Currently there are only "home" and "host", but I'm going to add one
that represents /usr and friends (/usr, /lib, ...), and one for /etc.
These differ from ordinary filesystem mounts because they are redirected
into /run/host to avoid conflicting with the runtime.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/949a3ec479d5ca0c962cf12adec70aea30bf0186
---
common/flatpak-context.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 6df9b1e..4892d7b 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -78,6 +78,12 @@ const char *flatpak_context_features[] = {
NULL
};
+const char *flatpak_context_special_filesystems[] = {
+ "home",
+ "host",
+ NULL
+};
+
FlatpakContext *
flatpak_context_new (void)
{
@@ -747,9 +753,7 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode,
{
g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, NULL);
- if (strcmp (filesystem, "host") == 0)
- return TRUE;
- if (strcmp (filesystem, "home") == 0)
+ if (g_strv_contains (flatpak_context_special_filesystems, filesystem))
return TRUE;
if (get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL))
return TRUE;
@@ -1988,8 +1992,7 @@ flatpak_context_export (FlatpakContext *context,
const char *filesystem = key;
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (strcmp (filesystem, "host") == 0 ||
- strcmp (filesystem, "home") == 0)
+ if (g_strv_contains (flatpak_context_special_filesystems, filesystem))
continue;
if (g_str_has_prefix (filesystem, "xdg-"))
--
2.27.0
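Review bot: `flatpak_context_special_filesystems` is introduced with external linkage and mutable pointer elements, following the `flatpak_context_features` table above it; if no header declares it for other translation units, `static const char * const flatpak_context_special_filesystems[] = { "home", "host", NULL };` keeps it out of the global namespace and read-only, and `g_strv_contains` accepts that form. The header is not in this view, so keep the external linkage if the symbol is exported. A one-line comment on the table, e.g. `/* Names that are redirected into /run/host rather than bind-mounted at their own path */`, would carry the rationale from the commit message into the code.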


@ -0,0 +1,34 @@
From 89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 12:44:04 +0100
Subject: [PATCH] run: Add cross-references for some other seccomp syscall
filters
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
---
common/flatpak-run.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 7476d86..f2f296e 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2093,6 +2093,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
* https://git.gnome.org/browse/linux-user-chroot
* in src/setup-seccomp.c
*
+ * Other useful resources:
+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
+ *
**** END NOTE ON CODE SHARING
*/
struct
--
2.19.1


@ -0,0 +1,115 @@
From ba818f504c926baaf6e362be8159cfacf994310e Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Date: Thu, 23 Dec 2021 18:30:17 -0600
Subject: [PATCH] Fix metadata file contents after null terminators being
ignored
In particular, if a null terminator is placed inside the metadata file,
Flatpak will only compare the text *before* it to the value of
xa.metadata, but the full file will be parsed when permissions are set
at runtime. This means that any app can include a null terminator in its
permissions metadata, and Flatpak will only show the user the
permissions *preceding* the terminator during install, but the
permissions *after* the terminator are applied at runtime.
Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
---
common/flatpak-dir.c | 5 +++--
common/flatpak-transaction.c | 4 ++--
common/flatpak-utils.c | 9 +++++----
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 56bca24..5af4b4b 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6608,6 +6608,7 @@ flatpak_dir_deploy (FlatpakDir *self,
g_autoptr(GFile) metadata_file = NULL;
g_autofree char *metadata_contents = NULL;
g_autofree char *application_runtime = NULL;
+ gsize metadata_size = 0;
gboolean is_app;
if (!flatpak_dir_ensure_repo (self, cancellable, error))
@@ -6850,12 +6851,12 @@ flatpak_dir_deploy (FlatpakDir *self,
metadata_file = g_file_resolve_relative_path (checkoutdir, "metadata");
if (g_file_load_contents (metadata_file, NULL,
- &metadata_contents, NULL, NULL, NULL))
+ &metadata_contents, &metadata_size, NULL, NULL))
{
g_autoptr(GKeyFile) keyfile = g_key_file_new ();
if (!g_key_file_load_from_data (keyfile,
metadata_contents,
- -1,
+ metadata_size,
0, error))
return FALSE;
diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c
index 396d75c..4e19e5d 100644
--- a/common/flatpak-transaction.c
+++ b/common/flatpak-transaction.c
@@ -1604,7 +1604,7 @@ flatpak_transaction_add_ref (FlatpakTransaction *self,
op = flatpak_transaction_add_op (self, remote, ref, subpaths, commit, bundle, kind);
if (external_metadata)
- op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata) + 1);
+ op->external_metadata = g_bytes_new (external_metadata, strlen (external_metadata));
return TRUE;
}
@@ -1839,7 +1839,7 @@ load_deployed_metadata (FlatpakTransaction *self, const char *ref)
return NULL;
}
- return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length + 1);
+ return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length);
}
static void
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 23b72d6..accf230 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -4674,6 +4674,7 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
GCancellable *cancellable,
GError **error)
{
+ gsize metadata_size = 0;
g_autofree char *metadata_contents = NULL;
g_autofree char *to_checksum = NULL;
@@ -4691,6 +4692,8 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
if (metadata == NULL)
return FALSE;
+ metadata_size = strlen (metadata_contents);
+
if (!ostree_repo_get_remote_option (repo, remote, "collection-id", NULL,
&remote_collection_id, NULL))
remote_collection_id = NULL;
@@ -4760,12 +4763,10 @@ flatpak_pull_from_bundle (OstreeRepo *repo,
cancellable, error) < 0)
return FALSE;
- /* Null terminate */
- g_output_stream_write (G_OUTPUT_STREAM (data_stream), "\0", 1, NULL, NULL);
-
metadata_valid =
metadata_contents != NULL &&
- strcmp (metadata_contents, g_memory_output_stream_get_data (data_stream)) == 0;
+ metadata_size == g_memory_output_stream_get_data_size (data_stream) &&
+ memcmp (metadata_contents, g_memory_output_stream_get_data (data_stream), metadata_size) == 0;
}
else
{
--
2.27.0
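Review bot: In the flatpak-utils.c hunk, `metadata_size = strlen (metadata_contents);` runs unconditionally right after the `metadata == NULL` check, yet the later `metadata_valid` expression still tests `metadata_contents != NULL`; if flatpak_bundle_load can return a bundle without the metadata string, as that test implies, the new strlen dereferences NULL before the guard is reached. Either drop the now-dead NULL test or guard the length: `metadata_size = metadata_contents != NULL ? strlen (metadata_contents) : 0;`. The size-then-memcmp comparison itself is the correct fix for the truncation-at-NUL bug, and the flatpak-dir.c side now parses the exact on-disk length rather than stopping at the first NUL. flatpak_pull_from_bundle begins and ends outside the hunks.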


@ -0,0 +1,276 @@
From 517ad25b5fe83376af258acef646551cb97af97c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 10 Aug 2020 23:58:11 +0100
Subject: [PATCH] context: Only parse filesystem/mode strings in one place
This gives us the ability for the parse function (the former verify
function) to carry out a normalization step as well.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/517ad25b5fe83376af258acef646551cb97af97c
---
common/flatpak-context.c | 77 +++++++++++++++++---------------
common/flatpak-exports-private.h | 1 +
common/flatpak-exports.c | 14 +++---
3 files changed, 48 insertions(+), 44 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 4892d7b..3a99646 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -92,6 +92,7 @@ flatpak_context_new (void)
context = g_slice_new0 (FlatpakContext);
context->env_vars = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
context->persistent = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
+ /* filename or special filesystem name => FlatpakFilesystemMode */
context->filesystems = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
context->session_bus_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
context->system_bus_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
@@ -748,19 +749,23 @@ parse_filesystem_flags (const char *filesystem,
}
static gboolean
-flatpak_context_verify_filesystem (const char *filesystem_and_mode,
- GError **error)
+flatpak_context_parse_filesystem (const char *filesystem_and_mode,
+ char **filesystem_out,
+ FlatpakFilesystemMode *mode_out,
+ GError **error)
{
- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, NULL);
+ g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out);
- if (g_strv_contains (flatpak_context_special_filesystems, filesystem))
- return TRUE;
- if (get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL))
- return TRUE;
- if (g_str_has_prefix (filesystem, "~/"))
- return TRUE;
- if (g_str_has_prefix (filesystem, "/"))
- return TRUE;
+ if (g_strv_contains (flatpak_context_special_filesystems, filesystem) ||
+ get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL) ||
+ g_str_has_prefix (filesystem, "~/") ||
+ g_str_has_prefix (filesystem, "/"))
+ {
+ if (filesystem_out != NULL)
+ *filesystem_out = g_steal_pointer (&filesystem);
+
+ return TRUE;
+ }
g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
_("Unknown filesystem location %s, valid locations are: host, home, xdg-*[/...], ~/dir, /dir"), filesystem);
@@ -768,24 +773,13 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode,
}
static void
-flatpak_context_add_filesystem (FlatpakContext *context,
- const char *what)
+flatpak_context_take_filesystem (FlatpakContext *context,
+ char *fs,
+ FlatpakFilesystemMode mode)
{
- FlatpakFilesystemMode mode;
- char *fs = parse_filesystem_flags (what, &mode);
-
g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode));
}
-static void
-flatpak_context_remove_filesystem (FlatpakContext *context,
- const char *what)
-{
- g_hash_table_insert (context->filesystems,
- parse_filesystem_flags (what, NULL),
- NULL);
-}
-
void
flatpak_context_merge (FlatpakContext *context,
FlatpakContext *other)
@@ -999,11 +993,13 @@ option_filesystem_cb (const gchar *option_name,
GError **error)
{
FlatpakContext *context = data;
+ g_autofree char *fs = NULL;
+ FlatpakFilesystemMode mode;
- if (!flatpak_context_verify_filesystem (value, error))
+ if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
return FALSE;
- flatpak_context_add_filesystem (context, value);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode);
return TRUE;
}
@@ -1014,11 +1010,14 @@ option_nofilesystem_cb (const gchar *option_name,
GError **error)
{
FlatpakContext *context = data;
+ g_autofree char *fs = NULL;
+ FlatpakFilesystemMode mode;
- if (!flatpak_context_verify_filesystem (value, error))
+ if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
return FALSE;
- flatpak_context_remove_filesystem (context, value);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&fs),
+ FLATPAK_FILESYSTEM_MODE_NONE);
return TRUE;
}
@@ -1441,14 +1440,18 @@ flatpak_context_load_metadata (FlatpakContext *context,
for (i = 0; filesystems[i] != NULL; i++)
{
const char *fs = parse_negated (filesystems[i], &remove);
- if (!flatpak_context_verify_filesystem (fs, NULL))
+ g_autofree char *filesystem = NULL;
+ FlatpakFilesystemMode mode;
+
+ if (!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL))
g_debug ("Unknown filesystem type %s", filesystems[i]);
else
{
if (remove)
- flatpak_context_remove_filesystem (context, fs);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem),
+ FLATPAK_FILESYSTEM_MODE_NONE);
else
- flatpak_context_add_filesystem (context, fs);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode);
}
}
}
@@ -1674,7 +1677,7 @@ flatpak_context_save_metadata (FlatpakContext *context,
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (mode != 0)
+ if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
g_ptr_array_add (array, unparse_filesystem_flags (key, mode));
else
g_ptr_array_add (array, g_strconcat ("!", key, NULL));
@@ -1781,7 +1784,7 @@ flatpak_context_save_metadata (FlatpakContext *context,
void
flatpak_context_allow_host_fs (FlatpakContext *context)
{
- flatpak_context_add_filesystem (context, "host");
+ flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE);
}
gboolean
@@ -1846,7 +1849,7 @@ flatpak_context_to_args (FlatpakContext *context,
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (mode != 0)
+ if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
g_autofree char *fs = unparse_filesystem_flags (key, mode);
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs));
@@ -1949,7 +1952,7 @@ flatpak_context_export (FlatpakContext *context,
gpointer key, value;
fs_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host");
- if (fs_mode != 0)
+ if (fs_mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
DIR *dir;
struct dirent *dirent;
@@ -1978,7 +1981,7 @@ flatpak_context_export (FlatpakContext *context,
}
home_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "home");
- if (home_mode != 0)
+ if (home_mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
g_debug ("Allowing homedir access");
home_access = TRUE;
diff --git a/common/flatpak-exports-private.h b/common/flatpak-exports-private.h
index 64cf59a..e4b2c14 100644
--- a/common/flatpak-exports-private.h
+++ b/common/flatpak-exports-private.h
@@ -26,6 +26,7 @@
/* In numerical order of more privs */
typedef enum {
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
FLATPAK_FILESYSTEM_MODE_CREATE = 3,
diff --git a/common/flatpak-exports.c b/common/flatpak-exports.c
index 21a8b17..d31ef95 100644
--- a/common/flatpak-exports.c
+++ b/common/flatpak-exports.c
@@ -80,7 +80,7 @@ make_relative (const char *base, const char *path)
}
#define FAKE_MODE_DIR -1 /* Ensure a dir, either on tmpfs or mapped parent */
-#define FAKE_MODE_TMPFS 0
+#define FAKE_MODE_TMPFS FLATPAK_FILESYSTEM_MODE_NONE
#define FAKE_MODE_SYMLINK G_MAXINT
typedef struct
@@ -278,7 +278,7 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
}
}
- if (exports->host_fs != 0)
+ if (exports->host_fs != FLATPAK_FILESYSTEM_MODE_NONE)
{
if (g_file_test ("/usr", G_FILE_TEST_IS_DIR))
flatpak_bwrap_add_args (bwrap,
@@ -337,7 +337,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
break;
}
- return 0;
+ return FLATPAK_FILESYSTEM_MODE_NONE;
}
if (S_ISLNK (st.st_mode))
@@ -347,7 +347,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
int j;
if (resolved == NULL)
- return 0;
+ return FLATPAK_FILESYSTEM_MODE_NONE;
path2_builder = g_string_new (resolved);
@@ -361,7 +361,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
}
}
else if (parts[i + 1] == NULL)
- return 0; /* Last part was not mapped */
+ return FLATPAK_FILESYSTEM_MODE_NONE; /* Last part was not mapped */
}
if (is_readonly)
@@ -374,7 +374,7 @@ gboolean
flatpak_exports_path_is_visible (FlatpakExports *exports,
const char *path)
{
- return flatpak_exports_path_get_mode (exports, path) > 0;
+ return flatpak_exports_path_get_mode (exports, path) > FLATPAK_FILESYSTEM_MODE_NONE;
}
static gboolean
@@ -605,7 +605,7 @@ flatpak_exports_add_path_expose_or_hide (FlatpakExports *exports,
FlatpakFilesystemMode mode,
const char *path)
{
- if (mode == 0)
+ if (mode == FLATPAK_FILESYSTEM_MODE_NONE)
flatpak_exports_add_path_tmpfs (exports, path);
else
flatpak_exports_add_path_expose (exports, mode, path);
--
2.27.0


@ -0,0 +1,254 @@
From 26b12484eb8a6219b9e7aa287b298a894b2f34ca Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:17:04 +0100
Subject: [PATCH] common: Add a list of recently-added Linux syscalls
Historically, syscalls could take arbitrarily-different values on
different architectures, but new syscalls are added with syscall numbers
that align on each architecture.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
---
common/Makefile.am.inc | 1 +
common/flatpak-run.c | 2 +
common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++
3 files changed, 200 insertions(+)
create mode 100644 common/flatpak-syscalls-private.h
diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
index 794bd4e..986a1ea 100644
--- a/common/Makefile.am.inc
+++ b/common/Makefile.am.inc
@@ -85,6 +85,7 @@ libflatpak_common_la_SOURCES = \
common/flatpak-dir.c \
common/flatpak-dir-private.h \
common/flatpak-run.c \
+ common/flatpak-syscalls-private.h \
common/flatpak-run-private.h \
common/flatpak-context.c \
common/flatpak-context-private.h \
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index f2f296e..de3dd38 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -33,6 +33,8 @@
#include <unistd.h>
#include <gio/gunixfdlist.h>
+#include "flatpak-syscalls-private.h"
+
#ifdef ENABLE_SECCOMP
#include <seccomp.h>
#endif
diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h
new file mode 100644
index 0000000..04eb38c
--- /dev/null
+++ b/common/flatpak-syscalls-private.h
@@ -0,0 +1,197 @@
+/*
+ * Copyright 2021 Collabora Ltd.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <sys/syscall.h>
+
+#if defined(_MIPS_SIM)
+# if _MIPS_SIM == _MIPS_SIM_ABI32
+# define FLATPAK_MISSING_SYSCALL_BASE 4000
+# elif _MIPS_SIM == _MIPS_SIM_ABI64
+# define FLATPAK_MISSING_SYSCALL_BASE 5000
+# elif _MIPS_SIM == _MIPS_SIM_NABI32
+# define FLATPAK_MISSING_SYSCALL_BASE 6000
+# else
+# error "Unknown MIPS ABI"
+# endif
+#endif
+
+#if defined(__ia64__)
+# define FLATPAK_MISSING_SYSCALL_BASE 1024
+#endif
+
+#if defined(__alpha__)
+# define FLATPAK_MISSING_SYSCALL_BASE 110
+#endif
+
+#if defined(__x86_64__) && defined(__ILP32__)
+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
+#endif
+
+/*
+ * FLATPAK_MISSING_SYSCALL_BASE:
+ *
+ * Number to add to the syscall numbers of recently-added syscalls
+ * to get the appropriate syscall for the current ABI.
+ */
+#ifndef FLATPAK_MISSING_SYSCALL_BASE
+# define FLATPAK_MISSING_SYSCALL_BASE 0
+#endif
+
+#ifndef __NR_open_tree
+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
+#endif
+#ifndef __SNR_open_tree
+# define __SNR_open_tree __NR_open_tree
+#endif
+
+#ifndef __NR_move_mount
+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
+#endif
+#ifndef __SNR_move_mount
+# define __SNR_move_mount __NR_move_mount
+#endif
+
+#ifndef __NR_fsopen
+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
+#endif
+#ifndef __SNR_fsopen
+# define __SNR_fsopen __NR_fsopen
+#endif
+
+#ifndef __NR_fsconfig
+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
+#endif
+#ifndef __SNR_fsconfig
+# define __SNR_fsconfig __NR_fsconfig
+#endif
+
+#ifndef __NR_fsmount
+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
+#endif
+#ifndef __SNR_fsmount
+# define __SNR_fsmount __NR_fsmount
+#endif
+
+#ifndef __NR_fspick
+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
+#endif
+#ifndef __SNR_fspick
+# define __SNR_fspick __NR_fspick
+#endif
+
+#ifndef __NR_pidfd_open
+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
+#endif
+#ifndef __SNR_pidfd_open
+# define __SNR_pidfd_open __NR_pidfd_open
+#endif
+
+#ifndef __NR_clone3
+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
+#endif
+#ifndef __SNR_clone3
+# define __SNR_clone3 __NR_clone3
+#endif
+
+#ifndef __NR_close_range
+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
+#endif
+#ifndef __SNR_close_range
+# define __SNR_close_range __NR_close_range
+#endif
+
+#ifndef __NR_openat2
+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
+#endif
+#ifndef __SNR_openat2
+# define __SNR_openat2 __NR_openat2
+#endif
+
+#ifndef __NR_pidfd_getfd
+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
+#endif
+#ifndef __SNR_pidfd_getfd
+# define __SNR_pidfd_getfd __NR_pidfd_getfd
+#endif
+
+#ifndef __NR_faccessat2
+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
+#endif
+#ifndef __SNR_faccessat2
+# define __SNR_faccessat2 __NR_faccessat2
+#endif
+
+#ifndef __NR_process_madvise
+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
+#endif
+#ifndef __SNR_process_madvise
+# define __SNR_process_madvise __NR_process_madvise
+#endif
+
+#ifndef __NR_epoll_pwait2
+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
+#endif
+#ifndef __SNR_epoll_pwait2
+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
+#endif
+
+#ifndef __NR_mount_setattr
+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
+#endif
+#ifndef __SNR_mount_setattr
+# define __SNR_mount_setattr __NR_mount_setattr
+#endif
+
+#ifndef __NR_quotactl_fd
+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
+#endif
+#ifndef __SNR_quotactl_fd
+# define __SNR_quotactl_fd __NR_quotactl_fd
+#endif
+
+#ifndef __NR_landlock_create_ruleset
+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
+#endif
+#ifndef __SNR_landlock_create_ruleset
+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
+#endif
+
+#ifndef __NR_landlock_add_rule
+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
+#endif
+#ifndef __SNR_landlock_add_rule
+# define __SNR_landlock_add_rule __NR_landlock_add_rule
+#endif
+
+#ifndef __NR_landlock_restrict_self
+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
+#endif
+#ifndef __SNR_landlock_restrict_self
+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
+#endif
+
+#ifndef __NR_memfd_secret
+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
+#endif
+#ifndef __SNR_memfd_secret
+# define __SNR_memfd_secret __NR_memfd_secret
+#endif
+
+/* Last updated: Linux 5.14, syscall numbers < 448 */
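Review bot: Nothing in this header says why every `__NR_*` fallback is paired with a `__SNR_*` one, and that is the part a maintainer extending the list is most likely to get wrong; a short comment above the first pair would carry it, e.g. `/* __SNR_* is the name SCMP_SYS() expands to in libseccomp; define it here when the installed libseccomp predates the syscall */` — that is my reading of the two-name scheme, so confirm it against the libseccomp headers in use before wording it as fact. A second caveat belongs next to `FLATPAK_MISSING_SYSCALL_BASE`: a hard-coded number is only meaningful for the native ABI, so if the seccomp setup in flatpak-run.c also adds compat ABIs to the filter (not visible in this series), a rule built from one of these fallbacks may fail to translate onto the compat table and the caller has to decide whether that failure is fatal or merely logged.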
--
2.19.1


@ -0,0 +1,136 @@
From d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 10 Jan 2022 16:43:08 +0100
Subject: [PATCH] Transaction: Fail the resolve if xa.metadata invalid or
missing
If we fail to parse xa.metadata from the summary cache or the commit
xa.metadata we fail the resolve.
If xa.metadata is missing in the commit we fail the resolve (it is
always set in the summary cache, because summary update converts
missing xa.metadata to "", so we either get that, or cache miss which
leads to resolving from the commit.
This means that op->resolved_metadata is always set during install and
updates, which means we will show the app permissions. The transaction
will also always make sure that this data actually matches what gets
deployed.
Before this change an invalid metadata in the summary cache could lead
to a NULL resolved_metadata, which means we wouldn't print the app
permissions, yet we would still deploy some metadata file that could
have permissions. (NOTE: It would fail to deploy unless the
xa.metadata in the commit matched the metadata file, but in this
corner case we wouldn't compare the summary and commit metadata, so
they may differ.)
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
---
common/flatpak-transaction.c | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/common/flatpak-transaction.c b/common/flatpak-transaction.c
index 4e19e5d..2134a3e 100644
--- a/common/flatpak-transaction.c
+++ b/common/flatpak-transaction.c
@@ -1842,11 +1842,12 @@ load_deployed_metadata (FlatpakTransaction *self, const char *ref)
return g_bytes_new_take (g_steal_pointer (&metadata_contents), metadata_contents_length);
}
-static void
+static gboolean
mark_op_resolved (FlatpakTransactionOperation *op,
const char *commit,
GBytes *metadata,
- GBytes *old_metadata)
+ GBytes *old_metadata,
+ GError **error)
{
g_debug ("marking op %s:%s resolved to %s", kind_to_str (op->kind), op->ref, commit ? commit : "-");
@@ -1860,13 +1861,12 @@ mark_op_resolved (FlatpakTransactionOperation *op,
if (metadata)
{
g_autoptr(GKeyFile) metakey = g_key_file_new ();
- if (g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL))
- {
- op->resolved_metadata = g_bytes_ref (metadata);
- op->resolved_metakey = g_steal_pointer (&metakey);
- }
- else
- g_message ("Warning: Failed to parse metadata for %s\n", op->ref);
+ if (!g_key_file_load_from_bytes (metakey, metadata, G_KEY_FILE_NONE, NULL))
+ return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA,
+ _("Invalid .flatpakref: %s"), op->ref);
+
+ op->resolved_metadata = g_bytes_ref (metadata);
+ op->resolved_metakey = g_steal_pointer (&metakey);
}
if (old_metadata)
{
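Review bot: The message in the new `return flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, _("Invalid .flatpakref: %s"), op->ref)` names a `.flatpakref`, but what failed to parse here is the xa.metadata taken from the summary cache or the commit (the description says so), so the user is pointed at the wrong file; the test added later in this series also greps install output for `Metadata for .* is invalid`, which this string will never match unless another patch rewrites it. I would use `_("Metadata for %s is invalid"), op->ref`. The GError from g_key_file_load_from_bytes is still discarded (`NULL` last argument); forwarding a local error's message would say which line was rejected. mark_op_resolved continues in the next hunk.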
@@ -1877,8 +1877,13 @@ mark_op_resolved (FlatpakTransactionOperation *op,
op->resolved_old_metakey = g_steal_pointer (&metakey);
}
else
- g_message ("Warning: Failed to parse old metadata for %s\n", op->ref);
+ {
+ /* This shouldn't happen, but a NULL old metadata is safe (all permisssions are considered new) */
+ g_message ("Warning: Failed to parse old metadata for %s\n", op->ref);
+ }
}
+
+ return TRUE;
}
static gboolean
@@ -1922,7 +1927,7 @@ resolve_p2p_ops (FlatpakTransaction *self,
g_autoptr(GBytes) old_metadata_bytes = NULL;
old_metadata_bytes = load_deployed_metadata (self, op->ref);
- mark_op_resolved (op, resolve->resolved_commit, resolve->resolved_metadata, old_metadata_bytes);
+ mark_op_resolved (op, resolve->resolved_commit, resolve->resolved_metadata, old_metadata_bytes,error);
}
return TRUE;
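Review bot: The new `mark_op_resolved (..., old_metadata_bytes,error);` call drops the gboolean the function now returns, so when the metadata is invalid the GError is set but the loop continues and resolve_p2p_ops still reaches `return TRUE` with op->resolved_metadata NULL — the unchecked state the description says is being removed — and the next error set on the same GError would trigger GLib's "GError set over the top of a previous GError" warning. Make it `if (!mark_op_resolved (op, resolve->resolved_commit, resolve->resolved_metadata, old_metadata_bytes, error))` followed by `return FALSE;`. The enclosing loop and function begin before this hunk.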
@@ -1960,14 +1965,15 @@ resolve_ops (FlatpakTransaction *self,
/* We resolve to the deployed metadata, becasue we need it to uninstall related ops */
metadata_bytes = load_deployed_metadata (self, op->ref);
- mark_op_resolved (op, NULL, metadata_bytes, NULL);
+ mark_op_resolved (op, NULL, metadata_bytes, NULL,error);
continue;
}
if (op->kind == FLATPAK_TRANSACTION_OPERATION_INSTALL_BUNDLE)
{
g_assert (op->commit != NULL);
- mark_op_resolved (op, op->commit, op->external_metadata, NULL);
+ if (!mark_op_resolved (op, op->commit, NULL, NULL, error))
+ return FALSE;
continue;
}
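Review bot: The bundle branch swaps `op->external_metadata` for `NULL` in the new `if (!mark_op_resolved (op, op->commit, NULL, NULL, error))`, so a bundle install now resolves with no metadata at all and its permissions will not be shown (nor, per the description, compared with what gets deployed), contrary to the stated goal that resolved_metadata is always set during install; unless that is deliberate, keep the original argument: `if (!mark_op_resolved (op, op->commit, op->external_metadata, NULL, error))`. The uninstall call above it, `mark_op_resolved (op, NULL, metadata_bytes, NULL,error);`, also ignores the new return value and then `continue`s with *error set, so wrap it the same way: `if (!mark_op_resolved (op, NULL, metadata_bytes, NULL, error)) return FALSE;`. resolve_ops starts before this hunk.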
@@ -1993,7 +1999,7 @@ resolve_ops (FlatpakTransaction *self,
metadata_bytes = g_bytes_new (xa_metadata, strlen (xa_metadata) + 1);
old_metadata_bytes = load_deployed_metadata (self, op->ref);
- mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes);
+ mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes,error);
}
else if (state->collection_id == NULL) /* In the non-p2p case we have all the info available in the summary, so use it */
{
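Review bot: The return value of `mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes,error);` is ignored in this branch as well, so an unparsable xa.metadata sets *error and resolution proceeds as if it had succeeded. It should read `if (!mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes, error)) return FALSE;`. The branch this line belongs to opens before the hunk and the `else if (state->collection_id == NULL)` arm continues after it.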
@@ -2031,7 +2037,7 @@ resolve_ops (FlatpakTransaction *self,
metadata_bytes = g_bytes_new (metadata, strlen (metadata) + 1);
old_metadata_bytes = load_deployed_metadata (self, op->ref);
- mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes);
+ mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes,error);
}
else
{
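Review bot: Same omission in the non-p2p branch: `mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes,error);` discards the gboolean, so a parse failure leaves *error set while the loop carries on. Use `if (!mark_op_resolved (op, checksum, metadata_bytes, old_metadata_bytes, error)) return FALSE;`, which is how the function's new contract is meant to be consumed. The surrounding branch continues outside the hunk.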
--
2.27.0


@ -0,0 +1,49 @@
From 5a83c73ed859fe3e4bd93a228a4bc8981d649c5e Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 27 Aug 2020 18:01:12 +0100
Subject: [PATCH] context: Implement MODE_NONE in unparse_filesystem_flags
flatpak doesn't yet use -Wswitch-enum, but perhaps it should at some
point. Now that FLATPAK_FILESYSTEM_MODE_NONE is a member of the enum,
it should be handled; and if we're doing that, we might as well make
the same function fully responsible for it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/5a83c73ed859fe3e4bd93a228a4bc8981d649c5e
---
common/flatpak-context.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 3a99646..0d53b13 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -697,6 +697,10 @@ unparse_filesystem_flags (const char *path,
case FLATPAK_FILESYSTEM_MODE_READ_WRITE:
break;
+ case FLATPAK_FILESYSTEM_MODE_NONE:
+ g_string_insert_c (s, 0, '!');
+ break;
+
default:
g_warning ("Unexpected filesystem mode %d", mode);
break;
@@ -1677,10 +1681,7 @@ flatpak_context_save_metadata (FlatpakContext *context,
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
- g_ptr_array_add (array, unparse_filesystem_flags (key, mode));
- else
- g_ptr_array_add (array, g_strconcat ("!", key, NULL));
+ g_ptr_array_add (array, unparse_filesystem_flags (key, mode));
}
g_key_file_set_string_list (metakey,
--
2.27.0


@ -0,0 +1,43 @@
From a10f52a7565c549612c92b8e736a6698a53db330 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 11:59:00 +0100
Subject: [PATCH] run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
manipulate its root directory. We need to block this so that AF_UNIX-based
socket servers (X11, Wayland, etc.) can rely on
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
Partially fixes GHSA-67h7-w3jq-vh4q.
Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
---
common/flatpak-run.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index de3dd38..818df58 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2139,6 +2139,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+
+ /* seccomp can't look into clone3()'s struct clone_args to check whether
+ * the flags are OK, so we have no choice but to block clone3().
+ * Return ENOSYS so user-space will fall back to clone().
+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
+ {SCMP_SYS (clone3), ENOSYS},
};
struct
--
2.19.1


@ -0,0 +1,210 @@
From 54ec1a482dfc668127eaae57f135e6a8e0bc52da Mon Sep 17 00:00:00 2001
From: Phaedrus Leeds <mwleeds@protonmail.com>
Date: Tue, 28 Dec 2021 11:48:16 -0800
Subject: [PATCH] Add test for metadata validation
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da
---
tests/Makefile-test-matrix.am.inc | 1 +
tests/Makefile.am.inc | 1 +
tests/test-metadata-validation.sh | 158 ++++++++++++++++++++++++++++++
3 files changed, 160 insertions(+)
create mode 100644 tests/test-metadata-validation.sh
diff --git a/tests/Makefile-test-matrix.am.inc b/tests/Makefile-test-matrix.am.inc
index fcbfcd9..afde01c 100644
--- a/tests/Makefile-test-matrix.am.inc
+++ b/tests/Makefile-test-matrix.am.inc
@@ -17,6 +17,7 @@ TEST_MATRIX_DIST= \
tests/test-basic.sh \
tests/test-build-update-repo.sh \
tests/test-http-utils.sh \
+ tests/test-metadata-validation.sh \
tests/test-extensions.sh \
tests/test-oci.sh \
tests/test-unsigned-summaries.sh \
diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
index d72de8a..b9a6f61 100644
--- a/tests/Makefile.am.inc
+++ b/tests/Makefile.am.inc
@@ -93,6 +93,7 @@ TEST_MATRIX_SOURCE = \
tests/test-http-utils.sh \
tests/test-run.sh{{user+system},{nodeltas+deltas}} \
tests/test-repo.sh{user+system+collections+collections-server-only} \
+ tests/test-metadata-validation.sh \
tests/test-extensions.sh \
tests/test-bundle.sh{user+system} \
tests/test-oci.sh \
diff --git a/tests/test-metadata-validation.sh b/tests/test-metadata-validation.sh
new file mode 100644
index 0000000..7e3efcc
--- /dev/null
+++ b/tests/test-metadata-validation.sh
@@ -0,0 +1,158 @@
+#!/bin/bash
+#
+# Copyright (C) 2021 Matthew Leeds <mwleeds@protonmail.com>
+#
+# SPDX-License-Identifier: LGPL-2.0-or-later
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..7"
+
+setup_repo
+
+COUNTER=1
+
+create_app () {
+ local OPTIONS="$1"
+ local DIR=`mktemp -d`
+
+ mkdir ${DIR}/files
+ echo $COUNTER > ${DIR}/files/counter
+ let COUNTER=COUNTER+1
+
+ local INVALID=""
+ if [[ $OPTIONS =~ "invalid" ]]; then
+ INVALID=invalidkeyfileline
+ fi
+ cat > ${DIR}/metadata <<EOF
+[Application]
+name=org.test.Malicious
+runtime=org.test.Platform/${ARCH}/master
+$INVALID
+
+[Context]
+EOF
+ if [[ $OPTIONS =~ "mismatch" ]]; then
+ echo -e "filesystems=host;" >> ${DIR}/metadata
+ fi
+ if [[ $OPTIONS =~ "hidden" ]]; then
+ echo -ne "\0" >> ${DIR}/metadata
+ echo -e "\nfilesystems=home;" >> ${DIR}/metadata
+ fi
+ local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n'
+ if [[ $OPTIONS =~ "no-xametadata" ]]; then
+ XA_METADATA="--add-metadata-string=xa.nometadata=1"
+ fi
+ ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/
+ if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then
+ ostree --repo=repos/test ${FL_GPGARGS} summary -u
+ # force use of legacy summary format
+ rm -rf repos/test/summary.idx repos/test/summaries
+ else
+ update_repo
+ fi
+ rm -rf ${DIR}
+}
+
+cleanup_repo () {
+ ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master
+ update_repo
+}
+
+create_app "hidden"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with hidden permissions"
+fi
+
+assert_file_has_content install-error-log "not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with hidden permissions can't be installed (CVE-2021-43860)"
+
+create_app no-xametadata
+
+# The install will fail because the metadata in the summary doesn't match the metadata on the commit
+# The missing xa.metadata in the commit got turned into "" in the xa.cache
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with missing xa.metadata"
+fi
+
+assert_file_has_content install-error-log "not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with no xa.metadata can't be installed"
+
+create_app "no-xametadata no-cache-in-summary"
+
+# The install will fail because there's no metadata in the summary or on the commit
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with missing metadata"
+fi
+assert_file_has_content install-error-log "No xa.metadata in local commit"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with no xa.metadata and no metadata in summary can't be installed"
+
+create_app "invalid"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with invalid metadata"
+fi
+assert_file_has_content install-error-log "Metadata for .* is invalid"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with invalid metadata (in summary) can't be installed"
+
+create_app "invalid no-cache-in-summary"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with invalid metadata"
+fi
+assert_file_has_content install-error-log "Metadata for .* is invalid"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with invalid metadata (in commit) can't be installed"
+
+create_app "mismatch no-cache-in-summary"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with non-matching metadata"
+fi
+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with mismatched metadata (in commit) can't be installed"
+
+create_app "mismatch"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+ assert_not_reached "Should not be able to install app with non-matching metadata"
+fi
+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with mismatched metadata (in summary) can't be installed"
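Review bot: `local DIR=`mktemp -d`` in create_app masks mktemp's exit status with `local`'s, so under `set -euo pipefail` a failed mktemp leaves DIR empty and the function continues with `mkdir /files` and later `rm -rf ${DIR}` instead of aborting; split it into `local DIR` and `DIR=$(mktemp -d)`, and likewise for the `local XA_METADATA=...$(head -n6 ${DIR}/metadata)...` line. The strings asserted with assert_file_has_content (`Metadata for .* is invalid`, `No xa.metadata in local commit`, `not matching expected metadata`) must match flatpak-transaction.c's messages exactly; the mark_op_resolved change in this same series emits `Invalid .flatpakref: %s`, so one side needs adjusting for tests 4 and 5 to pass. `rm -rf ${DIR}` is also skipped on any earlier failure inside the function; a trap or explicit cleanup would keep the test tree tidy.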
--
2.27.0


@ -0,0 +1,47 @@
From 55b27b1393a3880b79dfe108b6f13f1a2fa1888b Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 26 Aug 2020 20:25:15 +0100
Subject: [PATCH] context: Expose flatpak_context_parse_filesystem for testing
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/55b27b1393a3880b79dfe108b6f13f1a2fa1888b
---
common/flatpak-context-private.h | 5 +++++
common/flatpak-context.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h
index f47079b..d84f4e0 100644
--- a/common/flatpak-context-private.h
+++ b/common/flatpak-context-private.h
@@ -79,6 +79,11 @@ extern const char *flatpak_context_devices[];
extern const char *flatpak_context_features[];
extern const char *flatpak_context_shares[];
+gboolean flatpak_context_parse_filesystem (const char *filesystem_and_mode,
+ char **filesystem_out,
+ FlatpakFilesystemMode *mode_out,
+ GError **error);
+
FlatpakContext *flatpak_context_new (void);
void flatpak_context_free (FlatpakContext *context);
void flatpak_context_merge (FlatpakContext *context,
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 0d53b13..3b2bcfe 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -752,7 +752,7 @@ parse_filesystem_flags (const char *filesystem,
return g_string_free (g_steal_pointer (&s), FALSE);
}
-static gboolean
+gboolean
flatpak_context_parse_filesystem (const char *filesystem_and_mode,
char **filesystem_out,
FlatpakFilesystemMode *mode_out,
--
2.27.0


@ -0,0 +1,45 @@
From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 12:45:54 +0100
Subject: [PATCH] run: Disallow recently-added mount-manipulation syscalls
If we don't allow mount() then we shouldn't allow these either.
Partially fixes GHSA-67h7-w3jq-vh4q.
Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
---
common/flatpak-run.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 818df58..0fbd5a9 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2145,6 +2145,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
* Return ENOSYS so user-space will fall back to clone().
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
{SCMP_SYS (clone3), ENOSYS},
+
+ /* New mount manipulation APIs can also change our VFS. There's no
+ * legitimate reason to do these in the sandbox, so block all of them
+ * rather than thinking about which ones might be dangerous.
+ * (GHSA-67h7-w3jq-vh4q) */
+ {SCMP_SYS (open_tree), ENOSYS},
+ {SCMP_SYS (move_mount), ENOSYS},
+ {SCMP_SYS (fsopen), ENOSYS},
+ {SCMP_SYS (fsconfig), ENOSYS},
+ {SCMP_SYS (fsmount), ENOSYS},
+ {SCMP_SYS (fspick), ENOSYS},
+ {SCMP_SYS (mount_setattr), ENOSYS},
};
struct
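Review bot: The new entries return ENOSYS whereas the older `mount`, `pivot_root` and `unshare` rules above this hunk return EPERM, and the comment only explains ENOSYS for clone3() (glibc's fallback to clone()), so a reader cannot tell whether the difference is intended. If the idea is that programs should behave as on a kernel without the new mount API, state it in the comment: `/* ENOSYS rather than EPERM: callers should treat this like a kernel that predates the new mount API */` — that is my inference, so confirm it before wording it as fact. The table being extended starts before the hunk.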
--
2.19.1


@ -0,0 +1,81 @@
From aafe1d36e0225f54db8ca2ba03d8b1981c2d09e0 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 26 Aug 2020 19:05:21 +0100
Subject: [PATCH] context: Do some syntactic normalization on filesystems
Paths containing ".." are rejected: they're almost certainly a
terrible idea.
Paths containing "." or multiple slashes are syntactically normalized.
This assumes that nobody is going to use "--filesystem=/foo/bar/" to
mean "make /foo/bar available, unless it's a non-directory, in which
case fail".
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/aafe1d36e0225f54db8ca2ba03d8b1981c2d09e0
---
common/flatpak-context.c | 44 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 3b2bcfe..84b292e 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -759,6 +759,50 @@ flatpak_context_parse_filesystem (const char *filesystem_and_mode,
GError **error)
{
g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out);
+ char *slash;
+
+ slash = strchr (filesystem, '/');
+
+ /* Forbid /../ in paths */
+ if (slash != NULL)
+ {
+ if (g_str_has_prefix (slash + 1, "../") ||
+ g_str_has_suffix (slash + 1, "/..") ||
+ strstr (slash + 1, "/../") != NULL)
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_BAD_VALUE,
+ _("Filesystem location \"%s\" contains \"..\""),
+ filesystem);
+ return FALSE;
+ }
+
+ /* Convert "//" and "/./" to "/" */
+ for (; slash != NULL; slash = strchr (slash + 1, '/'))
+ {
+ while (TRUE)
+ {
+ if (slash[1] == '/')
+ memmove (slash + 1, slash + 2, strlen (slash + 2) + 1);
+ else if (slash[1] == '.' && slash[2] == '/')
+ memmove (slash + 1, slash + 3, strlen (slash + 3) + 1);
+ else
+ break;
+ }
+ }
+
+ /* Eliminate trailing "/." or "/". */
+ while (TRUE)
+ {
+ slash = strrchr (filesystem, '/');
+
+ if (slash != NULL &&
+ ((slash != filesystem && slash[1] == '\0') ||
+ (slash[1] == '.' && slash[2] == '\0')))
+ *slash = '\0';
+ else
+ break;
+ }
+ }
if (g_strv_contains (flatpak_context_special_filesystems, filesystem) ||
get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL) ||
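Review bot: The `..` rejection at `g_str_has_prefix (slash + 1, "../") || g_str_has_suffix (slash + 1, "/..") || strstr (slash + 1, "/../") != NULL` does not catch a path whose only component after the first slash is `..` itself: for `/..`, `~/..` or `xdg-config/..`, `slash + 1` is the two-character string `..`, which is shorter than the `/..` suffix and has no `../` prefix, and the trailing-`/.` loop below leaves it alone because slash[2] is '.' rather than '\0'. Add `strcmp (slash + 1, "..") == 0 ||` to the condition so the stated rule (every path containing `..` is rejected) actually holds. Whether a later canonicalization in the exports code would neutralize such a value is not visible here. flatpak_context_parse_filesystem continues outside the hunk.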
--
2.27.0


@ -0,0 +1,34 @@
From 4c34815784e9ffda5733225c7d95824f96375e36 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:19:31 +0100
Subject: [PATCH] run: Block setns()
If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
shouldn't allow joining an existing (but different) namespace.
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
---
common/flatpak-run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 0fbd5a9..458e3c3 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2133,6 +2133,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow subnamespace setups: */
{SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (setns), EPERM},
{SCMP_SYS (mount), EPERM},
{SCMP_SYS (pivot_root), EPERM},
{SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
--
2.19.1


@ -0,0 +1,381 @@
From 5709f1aaed6579f0136976e14e7f3cae399134ca Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Sun, 16 Jan 2022 12:42:30 +0000
Subject: [PATCH] context: Introduce new --nofilesystem=host:reset
This reintroduces the special case that existed in Flatpak 1.12.3, but
under a different name, so that it will be backwards-compatible. With
this change, flatpak-builder will be able to resolve CVE-2022-21682 by
using --filesystem=host:reset.
We want to implement this as a suffix rather than as a new keyword,
because unknown suffixes are ignored with a warning, rather than causing
a fatal error. This means that the new version of flatpak-builder will
be able to run against older versions of flatpak: it will still be
vulnerable to CVE-2022-21682 in that situation, but at least it will run.
Co-authored-by: Alexander Larsson <alexl@redhat.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/5709f1aaed6579f0136976e14e7f3cae399134ca
---
common/flatpak-context-private.h | 1 +
common/flatpak-context.c | 166 ++++++++++++++++++++++++++++---
doc/flatpak-override.xml | 8 ++
doc/flatpak-run.xml | 8 ++
4 files changed, 169 insertions(+), 14 deletions(-)
diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h
index d84f4e0..2d2a40e 100644
--- a/common/flatpak-context-private.h
+++ b/common/flatpak-context-private.h
@@ -80,6 +80,7 @@ extern const char *flatpak_context_features[];
extern const char *flatpak_context_shares[];
gboolean flatpak_context_parse_filesystem (const char *filesystem_and_mode,
+ gboolean negated,
char **filesystem_out,
FlatpakFilesystemMode *mode_out,
GError **error);
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 84b292e..30a84bd 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -81,6 +81,7 @@ const char *flatpak_context_features[] = {
const char *flatpak_context_special_filesystems[] = {
"home",
"host",
+ "host-reset",
NULL
};
@@ -699,6 +700,12 @@ unparse_filesystem_flags (const char *path,
case FLATPAK_FILESYSTEM_MODE_NONE:
g_string_insert_c (s, 0, '!');
+
+ if (g_str_has_suffix (s->str, "-reset"))
+ {
+ g_string_truncate (s, s->len - 6);
+ g_string_append (s, ":reset");
+ }
break;
default:
@@ -711,11 +718,14 @@ unparse_filesystem_flags (const char *path,
static char *
parse_filesystem_flags (const char *filesystem,
- FlatpakFilesystemMode *mode_out)
+ gboolean negated,
+ FlatpakFilesystemMode *mode_out,
+ GError **error)
{
g_autoptr(GString) s = g_string_new ("");
const char *p, *suffix;
FlatpakFilesystemMode mode;
+ gboolean reset = FALSE;
p = filesystem;
while (*p != 0 && *p != ':')
@@ -730,7 +740,31 @@ parse_filesystem_flags (const char *filesystem,
g_string_append_c (s, *p++);
}
- mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE;
+ if (negated)
+ mode = FLATPAK_FILESYSTEM_MODE_NONE;
+ else
+ mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE;
+
+ if (g_str_equal (s->str, "host-reset"))
+ {
+ reset = TRUE;
+
+ if (!negated)
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ "Filesystem token \"%s\" is only applicable for --nofilesystem",
+ s->str);
+ return NULL;
+ }
+
+ if (*p != '\0')
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ "Filesystem token \"%s\" cannot be used with a suffix",
+ s->str);
+ return NULL;
+ }
+ }
if (*p == ':')
{
@@ -742,10 +776,63 @@ parse_filesystem_flags (const char *filesystem,
mode = FLATPAK_FILESYSTEM_MODE_READ_WRITE;
else if (strcmp (suffix, "create") == 0)
mode = FLATPAK_FILESYSTEM_MODE_CREATE;
+ else if (strcmp (suffix, "reset") == 0)
+ reset = TRUE;
else if (*suffix != 0)
g_warning ("Unexpected filesystem suffix %s, ignoring", suffix);
+
+ if (negated && mode != FLATPAK_FILESYSTEM_MODE_NONE)
+ {
+ g_warning ("Filesystem suffix \"%s\" is not applicable for --nofilesystem",
+ suffix);
+ mode = FLATPAK_FILESYSTEM_MODE_NONE;
+ }
+
+ if (reset)
+ {
+ if (!negated)
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ "Filesystem suffix \"%s\" only applies to --nofilesystem",
+ suffix);
+ return NULL;
+ }
+
+ if (!g_str_equal (s->str, "host"))
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ "Filesystem suffix \"%s\" can only be applied to "
+ "--nofilesystem=host",
+ suffix);
+ return NULL;
+ }
+
+ /* We internally handle host:reset (etc) as host-reset, only exposing it as a flag in the public
+ part to allow it to be ignored (with a warning) for old flatpak versions */
+ g_string_append (s, "-reset");
+ }
}
+ /* Postcondition check: the code above should make some results
+ * impossible */
+ if (negated)
+ {
+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE);
+ }
+ else
+ {
+ g_assert (mode > FLATPAK_FILESYSTEM_MODE_NONE);
+ /* This flag is only applicable to --nofilesystem */
+ g_assert (!reset);
+ }
+
+ /* Postcondition check: filesystem token is host-reset iff reset flag
+ * was found */
+ if (reset)
+ g_assert (g_str_equal (s->str, "host-reset"));
+ else
+ g_assert (!g_str_equal (s->str, "host-reset"));
+
if (mode_out)
*mode_out = mode;
@@ -754,13 +841,18 @@ parse_filesystem_flags (const char *filesystem,
gboolean
flatpak_context_parse_filesystem (const char *filesystem_and_mode,
+ gboolean negated,
char **filesystem_out,
FlatpakFilesystemMode *mode_out,
GError **error)
{
- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out);
+ g_autofree char *filesystem = NULL;
char *slash;
+ filesystem = parse_filesystem_flags (filesystem_and_mode, negated, mode_out, error);
+ if (filesystem == NULL)
+ return FALSE;
+
slash = strchr (filesystem, '/');
/* Forbid /../ in paths */
@@ -825,6 +917,14 @@ flatpak_context_take_filesystem (FlatpakContext *context,
char *fs,
FlatpakFilesystemMode mode)
{
+ /* Special case: --nofilesystem=host-reset implies --nofilesystem=host.
+ * --filesystem=host-reset (or host:reset) is not allowed. */
+ if (g_str_equal (fs, "host-reset"))
+ {
+ g_return_if_fail (mode == FLATPAK_FILESYSTEM_MODE_NONE);
+ g_hash_table_insert (context->filesystems, g_strdup ("host"), GINT_TO_POINTER (mode));
+ }
+
g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode));
}
@@ -856,6 +956,14 @@ flatpak_context_merge (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, &value))
g_hash_table_insert (context->persistent, g_strdup (key), value);
+ /* We first handle host:reset, as it overrides all other keys from the parent */
+ if (g_hash_table_lookup_extended (other->filesystems, "host-reset", NULL, &value))
+ {
+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE);
+ g_hash_table_remove_all (context->filesystems);
+ }
+
+ /* Then set the new ones, which includes propagating host:reset. */
g_hash_table_iter_init (&iter, other->filesystems);
while (g_hash_table_iter_next (&iter, &key, &value))
g_hash_table_insert (context->filesystems, g_strdup (key), value);
@@ -1044,7 +1152,7 @@ option_filesystem_cb (const gchar *option_name,
g_autofree char *fs = NULL;
FlatpakFilesystemMode mode;
- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
+ if (!flatpak_context_parse_filesystem (value, FALSE, &fs, &mode, error))
return FALSE;
flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode);
@@ -1061,7 +1169,7 @@ option_nofilesystem_cb (const gchar *option_name,
g_autofree char *fs = NULL;
FlatpakFilesystemMode mode;
- if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
+ if (!flatpak_context_parse_filesystem (value, TRUE, &fs, &mode, error))
return FALSE;
flatpak_context_take_filesystem (context, g_steal_pointer (&fs),
@@ -1491,15 +1599,13 @@ flatpak_context_load_metadata (FlatpakContext *context,
g_autofree char *filesystem = NULL;
FlatpakFilesystemMode mode;
- if (!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL))
+ if (!flatpak_context_parse_filesystem (fs, remove,
+ &filesystem, &mode, NULL))
g_debug ("Unknown filesystem type %s", filesystems[i]);
else
{
- if (remove)
- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem),
- FLATPAK_FILESYSTEM_MODE_NONE);
- else
- flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode);
+ g_assert (mode == FLATPAK_FILESYSTEM_MODE_NONE || !remove);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode);
}
}
}
@@ -1720,11 +1826,24 @@ flatpak_context_save_metadata (FlatpakContext *context,
{
g_autoptr(GPtrArray) array = g_ptr_array_new_with_free_func (g_free);
+ /* Serialize host-reset first, because order can matter in
+ * corner cases. */
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset",
+ NULL, &value))
+ {
+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE);
+ g_ptr_array_add (array, g_strdup ("!host:reset"));
+ }
+
g_hash_table_iter_init (&iter, context->filesystems);
while (g_hash_table_iter_next (&iter, &key, &value))
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ /* We already did this */
+ if (g_str_equal (key, "host-reset"))
+ continue;
+
g_ptr_array_add (array, unparse_filesystem_flags (key, mode));
}
@@ -1829,7 +1948,8 @@ flatpak_context_save_metadata (FlatpakContext *context,
void
flatpak_context_allow_host_fs (FlatpakContext *context)
{
- flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE);
+ flatpak_context_take_filesystem (context, g_strdup ("host"),
+ FLATPAK_FILESYSTEM_MODE_READ_WRITE);
}
gboolean
@@ -1889,18 +2009,36 @@ flatpak_context_to_args (FlatpakContext *context,
g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
}
+ /* Serialize host-reset first, because order can matter in
+ * corner cases. */
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset",
+ NULL, &value))
+ {
+ g_warn_if_fail (GPOINTER_TO_INT (value) == FLATPAK_FILESYSTEM_MODE_NONE);
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ }
+
g_hash_table_iter_init (&iter, context->filesystems);
while (g_hash_table_iter_next (&iter, &key, &value))
{
+ g_autofree char *fs = NULL;
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ /* We already did this */
+ if (g_str_equal (key, "host-reset"))
+ continue;
+
+ fs = unparse_filesystem_flags (key, mode);
+
if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
- g_autofree char *fs = unparse_filesystem_flags (key, mode);
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs));
}
else
- g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", (char *) key));
+ {
+ g_assert (fs[0] == '!');
+ g_ptr_array_add (args, g_strdup_printf ("--nofilesystem=%s", &fs[1]));
+ }
}
}
diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
index 60fa58c..bddb36e 100644
--- a/doc/flatpak-override.xml
+++ b/doc/flatpak-override.xml
@@ -221,6 +221,14 @@
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.
+ </para><para>
+ As a special case,
+ <option>--nofilesystem=host:reset</option>
+ will ignore all <option>--filesystem</option>
+ permissions inherited from the app manifest or a
+ lower-precedence layer of overrides, in addition to
+ having the behaviour of
+ <option>--nofilesystem=host</option>.
</para></listitem>
</varlistentry>
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
index 8e1a3fd..be77092 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -324,6 +324,14 @@
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.
+ </para><para>
+ As a special case,
+ <option>--nofilesystem=host:reset</option>
+ will ignore all <option>--filesystem</option>
+ permissions inherited from the app manifest or
+ <citerefentry><refentrytitle>flatpak-override</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ in addition to having the behaviour of
+ <option>--nofilesystem=host</option>.
</para></listitem>
</varlistentry>
--
2.27.0
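Review bot: The suffix test added to unparse_filesystem_flags, `g_str_has_suffix (s->str, "-reset")`, matches any negated path whose last component happens to end in `-reset`, not only the internal `host-reset` token, so an entry such as `--nofilesystem=/some/dir-reset` would be written out as `!/some/dir:reset`; read back through parse_filesystem_flags, the `reset` suffix is rejected for anything but `host`, and flatpak_context_load_metadata then appears to drop that deny entry with nothing more than a g_debug, which quietly widens the filesystem the app may reach. Comparing the parameter rather than the built string avoids the false match and mirrors the exact-token checks already used in flatpak_context_take_filesystem and flatpak_context_merge: `if (g_str_equal (path, "host-reset"))`. Separately, in flatpak_context_take_filesystem the new `g_return_if_fail` returns before the transferred `fs` string is stored, so that path leaks it; freeing `fs` before bailing out would close that. unparse_filesystem_flags starts before its hunk, so whatever escaping of `path` happens above is not visible here.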


@ -0,0 +1,35 @@
From 1330662f33a55e88bfe18e76de28b7922d91a999 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:20:29 +0100
Subject: [PATCH] run: Don't allow unmounting filesystems
If we don't allow mounting filesystems, we shouldn't allow unmounting
either.
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
---
common/flatpak-run.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 458e3c3..3a229b9 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2135,6 +2135,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (unshare), EPERM},
{SCMP_SYS (setns), EPERM},
{SCMP_SYS (mount), EPERM},
+ {SCMP_SYS (umount), EPERM},
+ {SCMP_SYS (umount2), EPERM},
{SCMP_SYS (pivot_root), EPERM},
{SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
--
2.19.1


@ -0,0 +1,34 @@
From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:21:04 +0100
Subject: [PATCH] run: Don't allow chroot()
If we don't allow pivot_root() then there seems no reason why we should
allow chroot().
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
---
common/flatpak-run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 3a229b9..c2c0218 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2138,6 +2138,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (umount), EPERM},
{SCMP_SYS (umount2), EPERM},
{SCMP_SYS (pivot_root), EPERM},
+ {SCMP_SYS (chroot), EPERM},
{SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
--
2.19.1


@ -0,0 +1,33 @@
From 3fc8c672676ae016f8e7cc90481b2feecbad9861 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Oct 2021 19:00:13 +0100
Subject: [PATCH] Fix handling of syscalls only allowed by --devel
This was incorrectly looking at errno instead of -r.
Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/3fc8c672676ae016f8e7cc90481b2feecbad9861
---
common/flatpak-run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 11f2f19..0130aef 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2296,7 +2296,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
/* See above for the meaning of EFAULT. */
- if (errno == EFAULT)
+ if (r == -EFAULT)
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
scall);
else if (r < 0)
--
2.19.1


@ -0,0 +1,72 @@
From d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Oct 2021 17:05:07 +0100
Subject: [PATCH] run: Handle unknown syscalls as intended
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: https://github.com/flatpak/flatpak/issues/4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/d419fa67038370e4f4c3ce8c3b5f672d4876cfc8
---
common/flatpak-run.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index c2c0218..11f2f19 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2268,7 +2268,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blacklist[i].arg);
else
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+
+ /* EFAULT means "internal libseccomp error", but in practice we get
+ * this for syscall numbers added via flatpak-syscalls-private.h
+ * when trying to filter them on a non-native architecture, because
+ * libseccomp cannot map the syscall number to a name and back to a
+ * number for the non-native architecture. */
+ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
@@ -2286,7 +2295,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
else
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+ /* See above for the meaning of EFAULT. */
+ if (errno == EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
}
--
2.19.1
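Review bot: The second hunk keys its new branch on `errno == EFAULT` while the first hunk, for the same situation, tests the return value with `r == -EFAULT`; seccomp_rule_add reports failure through its negative return, so this branch reads a stale errno and can turn a real failure to block a --devel-only syscall into a debug message, or report an unrelated leftover EFAULT. The companion backport in this compare, "Fix handling of syscalls only allowed by --devel", changes it to `if (r == -EFAULT)`, and the spec applies it as Patch6009 immediately after this file as Patch6008, so that ordering of the two Patch lines needs to be kept whenever the list is touched. setup_seccomp begins before and continues after both hunks.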


@ -1,6 +1,6 @@
Name: flatpak
Version: 1.0.3
Release: 6
Release: 13
Summary: Application deployment framework for desktop apps
License: LGPLv2+
URL: http://flatpak.org/
@ -16,6 +16,28 @@ Patch0007: CVE-2021-21381-2.patch
Patch0008: CVE-2021-21381-3.patch
Patch0009: CVE-2019-8308.patch
Patch0010: CVE-2019-10063.patch
Patch6000: backport-0001-CVE-2021-41133.patch
Patch6001: backport-0002-CVE-2021-41133.patch
Patch6002: backport-0003-CVE-2021-41133.patch
Patch6003: backport-0004-CVE-2021-41133.patch
Patch6004: backport-0005-CVE-2021-41133.patch
Patch6005: backport-0006-CVE-2021-41133.patch
Patch6006: backport-0007-CVE-2021-41133.patch
Patch6007: backport-0008-CVE-2021-41133.patch
Patch6008: backport-run-Handle-unknown-syscalls-as-intended.patch
Patch6009: backport-Fix-handling-of-syscalls-only-allowed-by-devel.patch
Patch6010: backport-0001-CVE-2021-43860.patch
Patch6011: backport-0002-CVE-2021-43860.patch
Patch6012: backport-0003-CVE-2021-43860.patch
Patch6013: backport-0004-CVE-2021-43860.patch
Patch6014: backport-0001-CVE-2022-21682.patch
Patch6015: backport-0002-CVE-2022-21682.patch
Patch6016: backport-0003-CVE-2022-21682.patch
Patch6017: backport-0004-CVE-2022-21682.patch
Patch6018: backport-0005-CVE-2022-21682.patch
Patch6019: backport-0006-CVE-2022-21682.patch
Patch6020: CVE-2024-32462.patch
Patch6021: CVE-2024-42472.patch
BuildRequires: pkgconfig(appstream-glib) pkgconfig(gio-unix-2.0) pkgconfig(gobject-introspection-1.0) >= 1.40.0 pkgconfig(json-glib-1.0) pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) >= 2.4 pkgconfig(ostree-1) >= 2018.7 pkgconfig(polkit-gobject-1) pkgconfig(libseccomp) pkgconfig(xau)
@ -110,6 +132,27 @@ flatpak remote-list --system &> /dev/null || :
%{_mandir}/man5/flatpak-remote.5*
%changelog
* Thu Aug 15 2024 wangkai <13474090681@163.com> - 1.0.3-13
- Fix CVE-2024-42472
* Fri Apr 19 2024 wangkai <13474090681@163.com> - 1.0.3-12
- Fix CVE-2024-32462
* Tue Feb 15 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-11
- Fix CVE-2022-21682
* Sat Jan 29 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.0.3-10
- Fix CVE-2021-43860
* Tue Jan 25 2022 hanhui <hanhui15@huawei.com> - 1.0.3-9
- revert CVE-2022-21682
* Sat Jan 22 2022 wangkerong <wangkerong@huawei.com> - 1.0.3-8
- Fix CVE-2022-21682
* Wed Oct 20 2021 zhanzhimin <zhanhzimin@huawei.com> - 1.0.3-7
- Fix CVE-2021-41133
* Mon Sep 27 2021 houyingchao <houyingchao@huawei.com> - 1.0.3-6
- Fix CVE-2019-10063