From 81a2ef87fb4374b051a7b1363f32374ff6b62826 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Tue, 6 Sep 2022 11:40:22 +0200
Subject: [PATCH] Use new --disable-userns bubblewrap feature when possible

This feature (added in https://github.com/containers/bubblewrap/pull/488) allows us to improve the guarantees of disallowing the sandbox to use recursive user namespaces (which is a security risk) compared to the existing limits that use seccomp.

[smcv: Move this to flatpak_run_setup_base_argv() so it will apply equally in apply_extra_data() and `flatpak build`; make the compile-time check for a setuid bwrap into a runtime check]

Co-authored-by: Simon McVittie
Signed-off-by: Simon McVittie
---
 common/flatpak-run.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index f871fb04d0..fa549c19a6 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3498,6 +3498,38 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
 gulong pers;
 gid_t gid = getgid ();
 g_autoptr(GFile) etc = NULL;
+ gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
+ gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
+ gboolean bwrap_unprivileged = flatpak_bwrap_is_unprivileged ();
+
+ /* Disable recursive userns for all flatpak processes, as we need this
+ * to guarantee that the sandbox can't restructure the filesystem.
+ * Allowing to change e.g. /.flatpak-info would allow sandbox escape
+ * via portals.
+ *
+ * This is also done via seccomp, but here we do it using userns
+ * unsharing in combination with max_user_namespaces.
+ *
+ * If bwrap is setuid, then --disable-userns will not work, which
+ * makes the seccomp filter security-critical.
+ */
+ if (bwrap_unprivileged)
+ {
+ if (parent_expose_pids || parent_share_pids)
+ {
+ /* If we're joining an existing sandbox's user and process
+ * namespaces, then it should already have creation of
+ * nested user namespaces disabled. */
+ flatpak_bwrap_add_arg (bwrap, "--assert-userns-disabled");
+ }
+ else
+ {
+ /* This is a new sandbox, so we need to disable creation of
+ * nested user namespaces. */
+ flatpak_bwrap_add_arg (bwrap, "--unshare-user");
+ flatpak_bwrap_add_arg (bwrap, "--disable-userns");
+ }
+ }
 run_dir = g_strdup_printf ("/run/user/%d", getuid ());