
Commit a10f52a

smcv authored and alexlarsson committed
run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing a sandboxed process to get CAP_SYS_ADMIN in a new namespace and manipulate its root directory. We need to block this so that AF_UNIX-based socket servers (X11, Wayland, etc.) can rely on /proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.

Partially fixes GHSA-67h7-w3jq-vh4q.

Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
1 parent 26b1248 commit a10f52a

1 file changed

+6
-0
lines changed


Diff for: common/flatpak-run.c

@@ -2945,6 +2945,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
29452945

29462946
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
29472947
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
2948+
2949+
/* seccomp can't look into clone3()'s struct clone_args to check whether
2950+
* the flags are OK, so we have no choice but to block clone3().
2951+
* Return ENOSYS so user-space will fall back to clone().
2952+
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
2953+
{SCMP_SYS (clone3), ENOSYS},
29482954
};
29492955

29502956
struct
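Review bot: Returning ENOSYS for the new `{SCMP_SYS (clone3), ENOSYS}` entry is the right errno here, because glibc and other runtimes only fall back from clone3() to clone() on ENOSYS; an EPERM like the TIOCSTI rule above would instead surface as a hard failure in fork()/pthread_create() on kernels where clone3() is probed, so the in-code comment explaining this choice is worth keeping verbatim. One follow-up: `SCMP_SYS (clone3)` only resolves when the libseccomp the build links against has clone3 in its syscall table, so either document the minimum libseccomp version this now requires or guard the entry so that builds against an older libseccomp fail clearly rather than silently omitting the rule.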
