Commit
Use new libostree APIs to reject world-writable/suid content
This uses the new libostree APIs that landed recently to ensure that we reject any files with mode outside of `0775` for system helper pulls, and we also mask directory modes during checkout. However, this does *not* fix up any already downloaded content. For that, one could uninstall/reinstall; or a future patch could do a one-time fixup pass. Note that I am not aware of a way for flatpak applications to escalate their privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns off setuid. However, in combination with code execution on the host via another mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain full host privileges. At this time we're not aware of any flatpak content exploiting this issue. Closes: flatpak#845
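The commit message states the policy (reject file modes outside `0775` at pull time, mask directory modes at checkout) but also notes that content downloaded before the fix is not retroactively checked. The following is an added example, not code from flatpak or libostree, showing the same mode check as a stand-alone audit that an operator could run over an already-installed tree to find files that the new pull-time policy would have rejected and directories whose mode would be masked. The `ALLOWED_MASK` value comes from the commit message; the function names, the demo tree under a temporary directory and its file names are constructed for this example.

```python
import os
import shutil
import stat
import tempfile

# Policy stated in the commit message: bits outside 0775 (setuid, setgid,
# sticky, world-writable) are rejected for files and masked off for directories.
ALLOWED_MASK = 0o775
# Only permission and special bits are subject to the policy; file-type bits are not.
MODE_BITS = 0o7777


def offending_bits(mode: int) -> int:
    """Return the mode bits outside ALLOWED_MASK; 0 means the mode is acceptable."""
    return (mode & MODE_BITS) & ~ALLOWED_MASK


def masked_dir_mode(mode: int) -> int:
    """Directory mode after the checkout-time mask described in the commit."""
    return mode & ALLOWED_MASK


def describe_bits(bits: int) -> list:
    """Human-readable names for the offending bits (all bits outside 0775)."""
    names = []
    if bits & stat.S_ISUID:
        names.append("setuid")
    if bits & stat.S_ISGID:
        names.append("setgid")
    if bits & stat.S_ISVTX:
        names.append("sticky")
    if bits & stat.S_IWOTH:
        names.append("world-writable")
    return names


def scan_tree(root: str) -> list:
    """Walk root and report every entry whose mode has bits outside the policy.

    Each finding is (path relative to root, "file" or "dir", offending bits).
    Symlinks are skipped: their mode bits are not meaningful and os.walk does
    not follow them, so a link cannot drag in content from outside the tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            bad = offending_bits(st.st_mode)
            if bad:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((os.path.relpath(full, root), kind, bad))
    return sorted(findings)


def run_demo() -> list:
    """Build a constructed throwaway tree, scan it, clean up, return the findings.

    The tree contains a clean binary, a world-writable file, a setuid file and
    a world-writable directory, mirroring what the pull-time check rejects.
    """
    root = tempfile.mkdtemp(prefix="mode-policy-demo-")
    try:
        bindir = os.path.join(root, "files", "bin")
        os.makedirs(bindir)
        for name, mode in (("ok", 0o755), ("world-writable", 0o666),
                           ("setuid-helper", 0o4755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")  # constructed placeholder content
            os.chmod(path, mode)
        spool = os.path.join(root, "files", "spool")
        os.mkdir(spool)
        os.chmod(spool, 0o777)  # would be masked to 0775 at checkout
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, kind, bits in run_demo():
        verdict = "reject" if kind == "file" else "mask to %o" % masked_dir_mode(bits | 0o755)
        print("%-28s %-4s %-20s -> %s" % (rel, kind, ",".join(describe_bits(bits)), verdict))
```

Run it on an existing installation root instead of the demo tree by calling `scan_tree("/path/to/installed/tree")`; anything reported as a file would have been refused by the new pull-time check, and anything reported as a directory shows the bits the checkout mask now strips.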