Use new libostree APIs to reject world-writable/suid content
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.

However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.

Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
off setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.

At this time we're not aware of any flatpak content exploiting this issue.

Closes: flatpak#845
cgwalters committed Jun 15, 2017
1 parent e50decc commit aed5d09
Showing 2 changed files with 8 additions and 2 deletions.
8 changes: 7 additions & 1 deletion common/flatpak-dir.c
Expand Up @@ -1609,6 +1609,7 @@ flatpak_dir_deploy_appstream (FlatpakDir *self,
options.mode = OSTREE_REPO_CHECKOUT_MODE_USER;
options.overwrite_mode = OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_FILES;
options.enable_fsync = FALSE; /* We checkout to a temp dir and sync before moving it in place */
options.bareuseronly_dirs = TRUE; /* https://github.com/ostreedev/ostree/pull/927 */

if (!ostree_repo_checkout_at (self->repo, &options,
AT_FDCWD, checkout_dir_path, new_checksum,
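Review bot: the new `options.bareuseronly_dirs = TRUE;` line is documented only by a PR URL; since this is the line that does the security work (masking directory modes during checkout, per the commit message), state that in the comment so a reader of flatpak_dir_deploy_appstream does not have to follow the link, e.g. `/* Mask world-writable/suid bits on directories (ostree PR 927) */`. Note also that the rest of the checkout options block here (mode, overwrite_mode, enable_fsync) already matches the one in flatpak_dir_deploy, so this hardening now has to be kept in sync in two places.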
Expand Down Expand Up @@ -1837,6 +1838,9 @@ repo_pull_one_dir (OstreeRepo *self,
const char *revs_to_fetch[2];
guint32 update_freq = 0;

/* We always want this on for every type of pull */
flags |= OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES;

g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));

if (dirs_to_pull)
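Review bot: `flags |= OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES;` is unconditional here and the comment says it is wanted for every type of pull, yet the same flag is also hard-coded separately in repo_pull_one_untrusted; if a third pull path is added later it can silently miss the flag. Consider deriving the pull flags from one helper (or a single shared constant) so the rejection of non-`0775` content cannot be forgotten on a new code path. Since this only affects new pulls and the commit message says already-downloaded content is not fixed up, a TODO near this line pointing at the planned one-time fixup pass would help the next reader.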
Expand Down Expand Up @@ -2568,7 +2572,8 @@ repo_pull_one_untrusted (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
OstreeRepoPullFlags flags = OSTREE_REPO_PULL_FLAGS_UNTRUSTED;
/* The latter flag was introduced in https://github.com/ostreedev/ostree/pull/926 */
const OstreeRepoPullFlags flags = OSTREE_REPO_PULL_FLAGS_UNTRUSTED |OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES;
GVariantBuilder builder;
g_auto(GLnxConsoleRef) console = { 0, };
g_autoptr(OstreeAsyncProgress) console_progress = NULL;
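Review bot: style point in the replaced declaration: `OSTREE_REPO_PULL_FLAGS_UNTRUSTED |OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES` is missing the space after `|`; write it as `OSTREE_REPO_PULL_FLAGS_UNTRUSTED | OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES` to match the surrounding code. Making `flags` `const` is a good change, since nothing in this function should be able to drop the BAREUSERONLY_FILES bit after the fact.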
Expand Down Expand Up @@ -4479,6 +4484,7 @@ flatpak_dir_deploy (FlatpakDir *self,
options.mode = OSTREE_REPO_CHECKOUT_MODE_USER;
options.overwrite_mode = OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_FILES;
options.enable_fsync = FALSE; /* We checkout to a temp dir and sync before moving it in place */
options.bareuseronly_dirs = TRUE; /* https://github.com/ostreedev/ostree/pull/927 */
checkoutdirpath = g_file_get_path (checkoutdir);

if (subpaths == NULL || *subpaths == NULL)
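Review bot: this hunk duplicates, line for line, the checkout option setup added to flatpak_dir_deploy_appstream above (`OSTREE_REPO_CHECKOUT_MODE_USER`, `OVERWRITE_UNION_FILES`, `enable_fsync = FALSE`, and now `bareuseronly_dirs = TRUE`). A small helper that fills in an `OstreeRepoCheckoutAtOptions` with flatpak's hardened defaults would let both callers share it, so a future checkout-hardening option is applied to every deploy path at once rather than patched into each one.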
2 changes: 1 addition & 1 deletion configure.ac
Expand Up @@ -30,7 +30,7 @@ AC_INIT([Flatpak],

GLIB_REQS=2.44
SYSTEM_BWRAP_REQS=0.1.8
OSTREE_REQS=2017.6
OSTREE_REQS=2017.7

AC_SYS_LARGEFILE
AC_USE_SYSTEM_EXTENSIONS
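Review bot: the bump from `OSTREE_REQS=2017.6` to `OSTREE_REQS=2017.7` is required, since both `bareuseronly_dirs` (ostree PR 927) and `OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES` (ostree PR 926) are new in that release, but neither the commit message nor a NEWS entry mentions the new minimum; please record it so distributors know that building against an older libostree will fail rather than silently lose the mode checks.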
