run: Block clone3() in sandbox

clone3() can be used to implement clone() with CLONE_NEWUSER, allowing a sandboxed process to get CAP_SYS_ADMIN in a new namespace and manipulate its root directory. We need to block this so that AF_UNIX-based socket servers (X11, Wayland, etc.) can rely on /proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.

Partially fixes GHSA-67h7-w3jq-vh4q.

Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
a10f52a
Blocking clone3 in Docker caused issues with glibc, not sure if it will here as well. See moby/moby#42680
@ssssam:
Blocking clone3 in Docker caused issues with glibc because they block it with EPERM. We're blocking it with ENOSYS, which should be indistinguishable from running on an older kernel that doesn't know clone3().
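The ENOSYS-versus-EPERM distinction in the reply above is the whole point of the mitigation: a caller such as glibc treats ENOSYS as "this kernel has no clone3()" and falls back to clone(), whereas EPERM is reported as a hard failure. The following is an added example, not Flatpak's code and not part of this commit, showing a raw seccomp-BPF filter that fails clone3() with ENOSYS and allows everything else. It assumes a Linux kernel with seccomp filtering, uses 435 as a fallback for the clone3 syscall number if the headers lack it, and pairs the filter with a small user-space evaluator (my own helper, modelling only the three opcodes the filter uses) so the verdicts can be checked without loading the filter.

```c
/*
 * Added example (not Flatpak's code): a seccomp-BPF filter that makes
 * clone3() fail with ENOSYS, the behaviour the commit discussion describes.
 * Returning ENOSYS rather than EPERM lets callers fall back to clone(),
 * exactly as they would on a kernel that predates clone3().
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435          /* same number on every architecture that has it */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Action that makes the syscall return -1 with errno set to ENOSYS. */
#define RET_ENOSYS (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA))

static struct sock_filter clone3_filter[] = {
    /* Kill on a foreign ABI: syscall numbers differ between architectures. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Load the syscall number: clone3 -> ENOSYS, anything else -> allow. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, RET_ENOSYS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static const struct sock_fprog clone3_prog = {
    .len = sizeof(clone3_filter) / sizeof(clone3_filter[0]),
    .filter = clone3_filter,
};

/* Hypothetical helper: interprets the three opcodes above in user space so
 * the verdict for (arch, nr) can be checked without installing the filter. */
static uint32_t filter_verdict(uint32_t arch, int nr)
{
    struct seccomp_data data;
    uint32_t acc = 0;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;
    for (size_t pc = 0; pc < clone3_prog.len; pc++) {
        const struct sock_filter *ins = &clone3_filter[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)&data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* errno the caller would observe for a verdict (0 if it is not an ERRNO action). */
static int verdict_errno(uint32_t verdict)
{
    if ((verdict & SECCOMP_RET_ACTION) != SECCOMP_RET_ERRNO)
        return 0;
    return (int)(verdict & SECCOMP_RET_DATA);
}

/* Install the filter for the calling thread; returns 0, or -1 with errno set. */
static int install_clone3_filter(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &clone3_prog, 0, 0);
}

int main(void)
{
    printf("predicted errno for clone3(): %d\n",
           verdict_errno(filter_verdict(FILTER_ARCH, __NR_clone3)));
    if (install_clone3_filter() == -1) {
        perror("seccomp");
        return 1;
    }
    /* Deliberately empty clone3() call: an unfiltered kernel that has clone3
     * rejects the zero-size argument block with EINVAL; with the filter
     * installed the call fails with ENOSYS, like a kernel without clone3. */
    long rc = syscall(__NR_clone3, NULL, 0);
    printf("clone3() -> %ld, errno %d (%s)\n", rc, errno, strerror(errno));
    return 0;
}
```

The architecture check at the top is the part most often left out of hand-written filters: without it, a 32-bit binary running under a 64-bit kernel is judged against the wrong syscall-number table, and the clone3 rule silently matches something else.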
Excellent news :)
If you encounter a concrete problem, please open an issue instead of commenting on a commit - comments on commits are very non-discoverable on GitHub.