run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
manipulate its root directory. We need to block this so that AF_UNIX-based
socket servers (X11, Wayland, etc.) can rely on
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.

Partially fixes GHSA-67h7-w3jq-vh4q.

Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv authored and alexlarsson committed Oct 8, 2021
1 parent 26b1248 commit a10f52a
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions common/flatpak-run.c
Expand Up @@ -2945,6 +2945,12 @@ setup_seccomp (FlatpakBwrap *bwrap,

/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},

/* seccomp can't look into clone3()'s struct clone_args to check whether
* the flags are OK, so we have no choice but to block clone3().
* Return ENOSYS so user-space will fall back to clone().
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
{SCMP_SYS (clone3), ENOSYS},
};

struct
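Review bot: the ENOSYS in `{SCMP_SYS (clone3), ENOSYS},` is the load-bearing detail and deserves a fuller comment than "so user-space will fall back to clone()": glibc's clone3() users only take the clone() fallback when the kernel reports ENOSYS, whereas EPERM is surfaced to the caller as a hard failure, which is the breakage the adjacent moby link exists to warn about. State that explicitly so a later cleanup does not "harmonise" this entry with the EPERM used for the TIOCSTI rule above it. It would also help to name the accepted trade-off in the same comment: because seccomp cannot dereference the struct clone_args pointer, the rule drops every clone3()-only feature inside the sandbox, not just the CLONE_NEWUSER case that motivated it.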

4 comments on commit a10f52a

Contributor

@ssssam ssssam commented on a10f52a Oct 9, 2021


Blocking clone3 in Docker caused issues with glibc, not sure if it will here as well. See moby/moby#42680

Collaborator Author

@smcv smcv commented on a10f52a Oct 9, 2021


@ssssam:

Blocking clone3 in Docker caused issues with glibc, not sure if it will here as well. See moby/moby#42680

Blocking clone3 in Docker caused issues with glibc because they block it with EPERM. We're blocking it with ENOSYS, which should be indistinguishable from running on an older kernel that doesn't know clone3().
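As an added illustration of the ENOSYS-versus-EPERM point made in the commit and in this reply (not flatpak's code, and using a hand-built seccomp-BPF program instead of the libseccomp table the commit edits): install a filter that answers clone3() with ENOSYS, confirm the raw syscall now reports ENOSYS, and confirm that fork(), which goes through clone(), keeps working. The architecture check a production filter needs is deliberately left out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435   /* clone3 has the same number on every architecture */
#endif

/* Install a two-rule filter: clone3 -> ERRNO(ENOSYS), everything else ALLOW.
 * A production filter also checks seccomp_data.arch first; omitted for brevity. */
int install_clone3_enosys_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),   /* not clone3: skip 1 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

    /* Unprivileged processes may only install a filter after no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Raw clone3() probe with arguments the kernel rejects before cloning anything:
 * EINVAL on a real clone3, ENOSYS once filtered (or on a pre-5.3 kernel). */
int probe_clone3_errno(void)
{
    return syscall(__NR_clone3, NULL, 0) == -1 ? errno : 0;
}

/* fork() is implemented with clone(), which the filter leaves alone. */
int fork_still_works(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Swapping SECCOMP_RET_ERRNO's data to EPERM reproduces the Docker-style failure: the probe then returns EPERM, which glibc does not treat as "clone3 unavailable".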

Contributor

@ssssam ssssam commented on a10f52a Oct 9, 2021


Excellent news :)

Collaborator Author

@smcv smcv commented on a10f52a Oct 9, 2021


If you encounter a concrete problem, please open an issue instead of commenting on a commit - comments on commits are very non-discoverable on GitHub.
