`flatpak build` regression after recent CVE fixes: LD_LIBRARY_PATH not set (#4080)
Comments
I think this is because: In 6d1773d and its backports, I systematically converted all environment variable settings into However, my new code to convert environment variable setting into I see two possible solutions to this. One is to reinstate the code that I removed from The other is to call
Uses of
This means we can systematically pass the environment variables through bwrap(1), even if it is setuid and thus is filtering out security-sensitive environment variables. bwrap itself ends up being run with an empty environment instead.
This fixes a regression when CVE-2021-21261 was fixed: before the CVE fixes, LD_LIBRARY_PATH would have been passed through like this and appeared in the `flatpak build` shell, but during the CVE fixes, the special case that protected LD_LIBRARY_PATH was removed in favour of the more general flatpak_bwrap_envp_to_args().
That reasoning only works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere that we run the potentially-setuid bwrap.
Fixes: 6d1773d "run: Convert all environment variables into bwrap arguments"
Resolves: flatpak#4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
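An added example, not flatpak's own code, of the conversion this commit message describes: each NAME=VALUE entry becomes a `--setenv NAME VALUE` bwrap argument, and a lookup helper checks that a variable such as LD_LIBRARY_PATH is carried in the arguments rather than in bwrap's own environment. The function names, the fixed-size argv and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Split each writable "NAME=VALUE" entry of envp in place and append
 * "--setenv", NAME, VALUE to argv (cap slots, NULL terminator included).
 * Returns the new argc, or -1 with both arrays untouched on a malformed
 * entry or lack of space. envp is consumed: run bwrap with an empty envp. */
int envp_to_setenv_args(char *envp[], const char *argv[], int argc, int cap)
{
    int need = argc;
    for (size_t i = 0; envp[i] != NULL; i++) {   /* pass 1: validate only */
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || eq == envp[i])
            return -1;
        need += 3;
    }
    if (need >= cap)
        return -1;
    for (size_t i = 0; envp[i] != NULL; i++) {   /* pass 2: split and append */
        char *eq = strchr(envp[i], '=');
        *eq = '\0';
        argv[argc++] = "--setenv";
        argv[argc++] = envp[i];
        argv[argc++] = eq + 1;
    }
    argv[argc] = NULL;
    return argc;
}

/* Audit helper: VALUE of the last "--setenv name VALUE" in argv, or NULL if
 * the variable is not carried as an argument. Only --setenv is understood. */
const char *setenv_arg_value(const char *const argv[], const char *name)
{
    const char *found = NULL;
    for (int i = 0; argv[i] != NULL; i++) {
        if (strcmp(argv[i], "--setenv") != 0 || !argv[i + 1] || !argv[i + 2])
            continue;
        if (strcmp(argv[i + 1], name) == 0)
            found = argv[i + 2];
        i += 2;   /* skip NAME and VALUE so they are never read as options */
    }
    return found;
}

int main(void)
{
    /* Constructed sample: what the build shell should see in the sandbox. */
    char lib[] = "LD_LIBRARY_PATH=/app/lib", path[] = "PATH=/app/bin:/usr/bin";
    char *env[] = { lib, path, NULL };
    const char *argv[16] = { "bwrap" };
    int argc = envp_to_setenv_args(env, argv, 1, 16);
    for (int i = 0; i < argc; i++)
        printf("%s%c", argv[i], i + 1 < argc ? ' ' : '\n');
    return setenv_arg_value(argv, "LD_LIBRARY_PATH") != NULL ? 0 : 1;
}
```

A caller that skips the conversion leaves the variable only in the environment, which is the case the lookup helper reports as NULL.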
This code was removed in 6d1773d while fixing CVE-2021-21261, because it seemed redundant with the more general mechanism in flatpak_bwrap_envp_to_args(). However, it was not *completely* redundant, because not all callers of flatpak_run_add_environment_args() were converted to call flatpak_bwrap_envp_to_args() afterwards.
This partially reverts commit 6d1773d.
Fixes: 6d1773d "run: Convert all environment variables into bwrap arguments"
Resolves: flatpak#4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
#4081. I think I prefer this one: it seems more like the direction that we ought to be going in.
/cc @RyuzakiKK
flatpak_dir_run_triggers() is not used to run a flatpak sandbox, just to make /usr read-only while running triggers such as the mimedata, icon and desktop database generation for the "exports" directory. These will be using the host libraries and binaries in the same place as usual, so I don't think those rely on LD_LIBRARY_PATH.
I think this is maybe working as intended, then, with the same reasoning you had for
This means we can systematically pass the environment variables through bwrap(1), even if it is setuid and thus is filtering out security-sensitive environment variables. bwrap itself ends up being run with an empty environment instead.
This fixes a regression when CVE-2021-21261 was fixed: before the CVE fixes, LD_LIBRARY_PATH would have been passed through like this and appeared in the `flatpak build` shell, but during the CVE fixes, the special case that protected LD_LIBRARY_PATH was removed in favour of the more general flatpak_bwrap_envp_to_args().
That reasoning only works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere that we run the potentially-setuid bwrap.
Fixes: 6d1773d "run: Convert all environment variables into bwrap arguments"
Resolves: flatpak#4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9a61d2c)
This means we can systematically pass the environment variables through bwrap(1), even if it is setuid and thus is filtering out security-sensitive environment variables. bwrap itself ends up being run with an empty environment instead.
This fixes a regression when CVE-2021-21261 was fixed: before the CVE fixes, LD_LIBRARY_PATH would have been passed through like this and appeared in the `flatpak build` shell, but during the CVE fixes, the special case that protected LD_LIBRARY_PATH was removed in favour of the more general flatpak_bwrap_envp_to_args().
That reasoning only works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere that we run the potentially-setuid bwrap.
Fixes: 6d1773d "run: Convert all environment variables into bwrap arguments"
Resolves: flatpak#4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9a61d2c)
(cherry picked from commit 93ecea3)
Linux distribution and version
Originally reported for Debian 10, reproduced in Debian unstable (rolling release)
Flatpak version
Originally reported for 1.2.5-0+deb10u2 (basically a271971), reproduced in 1.10.0
Description of the problem
Downstream bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
If you are using a setuid-root `bwrap`, then `flatpak build` does not set `LD_LIBRARY_PATH` any more. This means that libraries provided by `/app/lib` or an extension are not found.
(This is not reproducible if you are not using the setuid-root `bwrap`.)
Steps to reproduce
Expected result
Actual result
(no output)