From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:21:04 +0100
Subject: [PATCH] run: Don't allow chroot()

If we don't allow pivot_root() then there seems no reason why we should
allow chroot().

Partially fixes GHSA-67h7-w3jq-vh4q.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf

---
 common/flatpak-run.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 3a229b9..c2c0218 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2138,6 +2138,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
     {SCMP_SYS (umount), EPERM},
     {SCMP_SYS (umount2), EPERM},
     {SCMP_SYS (pivot_root), EPERM},
+    {SCMP_SYS (chroot), EPERM},
     {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
 
     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-- 
2.19.1