Use new --disable-userns bubblewrap feature when possible

This feature (added in containers/bubblewrap#488) allows us to improve the guarantees of disallowing the sandbox to use recursive user namespaces (which is a security risk) compared to the existing limits that use seccomp. [smcv: Move this to flatpak_run_setup_base_argv() so it will apply equally in apply_extra_data() and `flatpak build`; make the compile-time check for a setuid bwrap into a runtime check] Co-authored-by: Simon McVittie <smcv@collabora.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
alexlarsson · Mar 23, 2023 · 81a2ef8 · 81a2ef8
1 parent 48328ab
commit 81a2ef8
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
@@ -3498,6 +3498,38 @@ flatpak_run_setup_base_argv (FlatpakBwrap   *bwrap,
   gulong pers;
   gid_t gid = getgid ();
   g_autoptr(GFile) etc = NULL;
+  gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
+  gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
+  gboolean bwrap_unprivileged = flatpak_bwrap_is_unprivileged ();
+
+  /* Disable recursive userns for all flatpak processes, as we need this
+   * to guarantee that the sandbox can't restructure the filesystem.
+   * Allowing to change e.g. /.flatpak-info would allow sandbox escape
+   * via portals.
+   *
+   * This is also done via seccomp, but here we do it using userns
+   * unsharing in combination with max_user_namespaces.
+   *
+   * If bwrap is setuid, then --disable-userns will not work, which
+   * makes the seccomp filter security-critical.
+   */
+  if (bwrap_unprivileged)
+    {
+      if (parent_expose_pids || parent_share_pids)
+        {
+          /* If we're joining an existing sandbox's user and process
+           * namespaces, then it should already have creation of
+           * nested user namespaces disabled. */
+          flatpak_bwrap_add_arg (bwrap, "--assert-userns-disabled");
+        }
+      else
+        {
+          /* This is a new sandbox, so we need to disable creation of
+           * nested user namespaces. */
+          flatpak_bwrap_add_arg (bwrap, "--unshare-user");
+          flatpak_bwrap_add_arg (bwrap, "--disable-userns");
+        }
+    }
 
   run_dir = g_strdup_printf ("/run/user/%d", getuid ());