Is Flatpak vulnerable to PID re-use?

Disclaimer: I haven't actually checked whether this is an actual vulnerability. Please consider this more like a question.

The principle of PID re-use is:

Here is a rough, incomplete PoC: https://paste.sr.ht/%7Eemersion/58bd06c2f57e3c8dedb625af6719ce7b8149c0c7

In practice, a "privileged process" means a process outside of a Flatpak, or a Flatpak process with additional permissions. A malicious app could rely on luck or on social engineering for this to happen.

It seems to me that the PID is used in quite a few places to identify the process on the other end of the connection:

flatpak/portal/flatpak-portal-app-info.c, line 100 in e8816b7

Thoughts?

Additional note: it seems that Flatpak uses Bubblewrap's --unshare-pid flag, creating a PID namespace.

> When a process ID is passed over a UNIX domain socket to a process in a different PID namespace (see the description of SCM_CREDENTIALS in unix(7)), it is translated into the corresponding PID value in the receiving process's PID namespace.

While PID namespaces make it more difficult for a malicious app to perform PID re-use attacks, I still think it's possible (assuming the default max PID, estimating the number of dummy processes that we need to create, opening as many sockets as possible in the first child process to get multiple tries, doing a dry run to gather data, maybe D-Bus' GetConnectionUnixProcessID, etc).
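The issue's concern is that a PID obtained from a socket (SO_PEERCRED, SCM_CREDENTIALS, or D-Bus' GetConnectionUnixProcessID) is only a snapshot: if the peer exits and the kernel hands the same number to another process before the service looks up `/proc/<pid>/...`, the lookup describes the wrong process. The example below is added here and is not code from the issue or from Flatpak; it shows the defensive pattern of binding a PID to its `starttime` from `/proc/<pid>/stat` (the approach polkit uses to detect PID reuse) and re-checking that identity after every PID-keyed lookup. It assumes Linux with `/proc` and Python's `socket.SO_PEERCRED`; `read_peer_info` is a hypothetical stand-in for a portal's real per-PID lookup.

```python
import os
import socket
import struct
import subprocess
import sys


def peer_credentials(sock):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket via SO_PEERCRED."""
    fmt = "3i"
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)


def process_identity(pid):
    """(pid, starttime) from /proc/<pid>/stat.

    starttime (field 22) is measured in clock ticks since boot, so a process that
    later receives the same PID gets a different value and no longer matches."""
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # comm (field 2) is parenthesised and may contain spaces or ')' itself,
    # so split on the last ')' and count fields from field 3 onwards.
    fields = stat[stat.rindex(")") + 2:].split()
    return (pid, int(fields[19]))


def same_process(identity):
    """True only while the exact process that produced `identity` still exists."""
    try:
        return process_identity(identity[0]) == identity
    except (FileNotFoundError, ProcessLookupError):
        return False


def read_peer_info(pid):
    """Hypothetical stand-in for a portal's PID-keyed lookup (constructed for this
    example). A portal would read /proc/<pid>/root/.flatpak-info; we read argv[0]."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().split(b"\0")[0]


def identify_peer(sock):
    """Resolve the socket peer to a stable identity plus its info, rejecting a stale PID.

    Order matters: snapshot (pid, starttime) first, do the PID-keyed lookup, then
    re-check the snapshot. If the PID was recycled in between, starttime differs
    and the lookup result is discarded instead of being attributed to the old peer."""
    pid, uid, gid = peer_credentials(sock)
    identity = process_identity(pid)
    info = read_peer_info(pid)
    if not same_process(identity):
        raise PermissionError(f"peer pid {pid} changed identity during lookup")
    return {"pid": pid, "uid": uid, "gid": gid, "starttime": identity[1], "info": info}


def self_check():
    """socketpair() gives both ends to this process, so the peer must resolve to us."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        result = identify_peer(a)
    finally:
        a.close()
        b.close()
    return result["pid"] == os.getpid() and result["uid"] == os.getuid()


def stale_identity_check():
    """Spawn a short-lived child, snapshot its identity, let it exit, and show that
    the snapshot stops matching. A check keyed on the bare PID would still "see"
    the old child once the kernel reuses that PID for someone else."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    identity = process_identity(child.pid)
    alive_before = same_process(identity)
    child.kill()
    child.wait()  # reaped: /proc/<pid> disappears until the PID is handed out again
    alive_after = same_process(identity)
    return alive_before, alive_after


if __name__ == "__main__":
    print("peer resolves to self:", self_check())
    print("(alive before exit, alive after exit):", stale_identity_check())
```

The starttime comparison is tick-granular, so a process spawned in the same tick as the exited one could in principle collide; on kernels with `pidfd_open(2)` (Python's `os.pidfd_open`, 3.9+) holding a pidfd for the peer and validating through it is the stronger form of the same idea, and it is the variant to prefer for a service that does several `/proc/<pid>` reads per request.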