
Commit 9766ee0

smcv authored and alexlarsson committed
run: Disallow recently-added mount-manipulation syscalls
If we don't allow mount() then we shouldn't allow these either.

Partially fixes GHSA-67h7-w3jq-vh4q.

Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
1 parent a10f52a commit 9766ee0
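The commit's rationale (mount() is already blocked, so the newer mount-API syscalls must be blocked too) is easiest to see with a filter you can run. The program below is an added example, not code from flatpak or from this commit: where flatpak uses libseccomp and the SCMP_SYS () table, this builds the equivalent classic-BPF seccomp program by hand and installs it with prctl(), returning ENOSYS for the same seven syscalls and allowing everything else. It assumes Linux on x86-64, i386 or aarch64, and it assumes the cross-architecture syscall numbers (428 to 433 and 442) as fallbacks if the kernel headers predate them; the helper names build_enosys_filter, simulate, verdict_for, install_filter and probe_fsopen are ours.

```c
/* Added example (not flatpak's code): raw seccomp-BPF denylist returning
 * ENOSYS for the new mount-API syscalls, plus a tiny BPF interpreter so the
 * verdict can be checked without installing the filter.
 * Assumptions: Linux on x86-64, i386 or aarch64; fallback syscall numbers
 * are the cross-architecture numbers these syscalls were assigned. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_open_tree
#define __NR_open_tree 428
#endif
#ifndef __NR_move_mount
#define __NR_move_mount 429
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif

#if defined(__x86_64__)
#define MY_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define MY_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define MY_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* The same set the commit adds to flatpak's blocklist, in the same order. */
static const int denied_syscalls[] = {
  __NR_open_tree, __NR_move_mount, __NR_fsopen, __NR_fsconfig,
  __NR_fsmount, __NR_fspick, __NR_mount_setattr,
};
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])
#define MAX_INSNS (6 + N_DENIED)

/* Program layout: load arch, kill on mismatch, load nr, one JEQ per denied
 * syscall that jumps to the ERRNO(ENOSYS) return, otherwise ALLOW.
 * Returns the number of instructions written (4 + N_DENIED + 2). */
static size_t
build_enosys_filter (struct sock_filter *prog)
{
  size_t i = 0;
  prog[i++] = (struct sock_filter) BPF_STMT (BPF_LD | BPF_W | BPF_ABS, offsetof (struct seccomp_data, arch));
  prog[i++] = (struct sock_filter) BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, MY_AUDIT_ARCH, 1, 0);
  prog[i++] = (struct sock_filter) BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
  prog[i++] = (struct sock_filter) BPF_STMT (BPF_LD | BPF_W | BPF_ABS, offsetof (struct seccomp_data, nr));
  for (size_t j = 0; j < N_DENIED; j++)
    /* jt skips the remaining jumps and the ALLOW, landing on the ERRNO return */
    prog[i++] = (struct sock_filter) BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, (unsigned int) denied_syscalls[j], (unsigned char) (N_DENIED - j), 0);
  prog[i++] = (struct sock_filter) BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
  prog[i++] = (struct sock_filter) BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS);
  return i;
}

/* Interpreter for the cBPF subset used above (LD|ABS, JMP|JEQ|K, RET|K). */
static unsigned int
simulate (const struct sock_filter *prog, size_t n, unsigned int arch, int nr)
{
  struct seccomp_data d = { .nr = nr, .arch = arch };
  unsigned int acc = 0;
  for (size_t pc = 0; pc < n; pc++)
    {
      const struct sock_filter *f = &prog[pc];
      if (BPF_CLASS (f->code) == BPF_LD)
        memcpy (&acc, (const char *) &d + f->k, sizeof acc);
      else if (BPF_CLASS (f->code) == BPF_JMP)
        pc += (acc == f->k) ? f->jt : f->jf;
      else if (BPF_CLASS (f->code) == BPF_RET)
        return f->k;
    }
  return SECCOMP_RET_KILL_PROCESS; /* fell off the end: treat as deny */
}

/* Build and evaluate in one step, so verdicts can be checked offline. */
static unsigned int
verdict_for (unsigned int arch, int nr)
{
  struct sock_filter prog[MAX_INSNS];
  return simulate (prog, build_enosys_filter (prog), arch, nr);
}

static size_t
filter_insn_count (void)
{
  struct sock_filter prog[MAX_INSNS];
  return build_enosys_filter (prog);
}

/* Install for this process and its descendants; irreversible once applied. */
static int
install_filter (void)
{
  struct sock_filter prog[MAX_INSNS];
  struct sock_fprog fprog = { .len = (unsigned short) build_enosys_filter (prog), .filter = prog };
  if (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
    return -1;
  return prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Returns 0 if fsopen() succeeded, else the errno it produced. Unprivileged
 * callers normally get EPERM; under the filter every caller gets ENOSYS. */
static int
probe_fsopen (void)
{
  errno = 0;
  long r = syscall (__NR_fsopen, "tmpfs", 0);
  if (r >= 0)
    {
      close ((int) r);
      return 0;
    }
  return errno;
}

int
main (void)
{
  int before = probe_fsopen ();
  printf ("fsopen before filter: %d (%s)\n", before, strerror (before));
  if (install_filter () != 0)
    {
      perror ("install_filter");
      return 1;
    }
  int after = probe_fsopen ();
  printf ("fsopen after filter:  %d (%s)\n", after, strerror (after));
  return after == ENOSYS ? 0 : 1;
}
```

The arch check at the top is what keeps a denylist by syscall number meaningful: without it, a process that switches ABI (for example a 32-bit binary under an x86-64 filter) would see its numbers compared against the wrong table. The probe shows the point of choosing ENOSYS: software that tests for the new mount API sees the same error it would get from a pre-5.2 kernel and takes its old code path, rather than treating EPERM as a policy failure.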

File tree: 1 file changed, +12 -0 lines changed


Diff for: common/flatpak-run.c
@@ -2951,6 +2951,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
29512951
* Return ENOSYS so user-space will fall back to clone().
29522952
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
29532953
{SCMP_SYS (clone3), ENOSYS},
2954+
2955+
/* New mount manipulation APIs can also change our VFS. There's no
2956+
* legitimate reason to do these in the sandbox, so block all of them
2957+
* rather than thinking about which ones might be dangerous.
2958+
* (GHSA-67h7-w3jq-vh4q) */
2959+
{SCMP_SYS (open_tree), ENOSYS},
2960+
{SCMP_SYS (move_mount), ENOSYS},
2961+
{SCMP_SYS (fsopen), ENOSYS},
2962+
{SCMP_SYS (fsconfig), ENOSYS},
2963+
{SCMP_SYS (fsmount), ENOSYS},
2964+
{SCMP_SYS (fspick), ENOSYS},
2965+
{SCMP_SYS (mount_setattr), ENOSYS},
29542966
};
29552967

29562968
struct
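Review bot: the comment added at 2955-2958 says why these syscalls are blocked but not why the action is ENOSYS rather than EPERM, whereas the clone3 entry directly above explains its ENOSYS ("so user-space will fall back to clone()"); add a line with the matching reason for this group (callers that probe for the new mount API treat ENOSYS as "kernel too old" and take their pre-5.2 path, so it is the least disruptive failure mode) or say explicitly that it follows the clone3 handling. Also worth confirming before merge that the oldest libseccomp the project builds against defines SCMP_SYS (mount_setattr) and the six fsopen-family names used at 2959-2965: SCMP_SYS () expands to a per-syscall macro, so a name the installed libseccomp does not know is a compile error, not a rule that is silently skipped.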

0 commit comments
