Add support for Wayland security context

[emersion]

This exposes a reliable way for Wayland compositors to get
identifying information about a client. Compositors can then
apply security policies if desirable.

TODO: bwrap --sync-fd can only be specified once (only the last param is taken into account), but D-Bus already uses it. Any ideas how to address this?

References: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/68

[emersion]

Gentle ping

[swick]

@smcv might also be interested

[jadahl]

I wonder if any of these needs to be added for apply_extra_data() (which is where instance_id can be NULL).

[swick]

Mh, I would even go so far and say it also should not get access to IPC, /dev, dri and shared tmp.

Probably makes sense to separate into a new PR.

[alexlarsson]

Generally these are no-ops due to the passed in run_flags (e.g. with FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY, etc), and the empty app_context that apply_extra_data uses.

Do you have any particular place where it gets this wrong?

[alexlarsson]

In fact, is this check even needed? I don't see how sockets & FLATPAK_CONTEXT_SOCKET_WAYLAND would be set in apply_extra_data?

In fact, isn't it a bad idea to not call flatpak_run_add_socket_args_environment()?
We actively do some things like cover-mount /tmp/.X11, etc, if the x11 flag is not set. So maybe this will actually limit our security measures?

[emersion]

I see. So instead, would an assert that the instance is not NULL be welcome when setting up Wayland sockets?

[jadahl]

In the end, what we don't is setting up Wayland socket when we don't have an instance id, which appears to be the case when we arrive here from apply_extra_data().

[jadahl]

I see. So instead, would an assert that the instance is not NULL be welcome when setting up Wayland sockets?

I guess this makes sense. Assert that instance ID is set if sockets & FLATPAK_CONTEXT_SOCKET_WAYLAND.

[swick]

I looked into this as well on Friday and noticed that the run flags are not what makes this work. The context doesn't load metadata from anywhere so none of the sockets will get set up.

The --sandboxed argument to flatpak run was added after the apply_extra_data sandbox and does almost the same but not entirely. It does add FLATPAK_RUN_FLAG_NO_PROC as well and I can't tell why and we don't call flatpak_context_make_sandboxed which is fine because we don't load anything else in the context but might be a good idea to call anyway.

Wanted to test this but a lot of tests are failing for me on main because of #5027.

--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -8328,20 +8328,25 @@ apply_extra_data (FlatpakDir   *self,
                           "--cap-drop", "ALL",
                           NULL);
 
-  /* Might need multiarch in apply_extra (see e.g. #3742).
-   * Should be pretty safe in this limited context */
-  run_flags = (FLATPAK_RUN_FLAG_MULTIARCH |
+  /* Run flags which equal --sandboxed */
+  run_flags = (FLATPAK_RUN_FLAG_SANDBOX |
                FLATPAK_RUN_FLAG_NO_SESSION_HELPER |
-               FLATPAK_RUN_FLAG_NO_PROC |
                FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY |
                FLATPAK_RUN_FLAG_NO_SYSTEM_BUS_PROXY |
                FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY);
 
+  /* Might need multiarch in apply_extra (see e.g. #3742).
+   * Should be pretty safe in this limited context.
+   * Removing /proc to tighten sandbox even more I guess? */
+  run_flags |= FLATPAK_RUN_FLAG_NO_PROC |
+               FLATPAK_RUN_FLAG_MULTIARCH;
+
   if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_arch,
                                     run_flags, error))
     return FALSE;
 
   app_context = flatpak_context_new ();
+  flatpak_context_make_sandboxed (app_context);
 
   if (!flatpak_run_add_environment_args (bwrap, NULL, run_flags, id,
                                          app_context, NULL, NULL, -1,

[swick]

Created #5466 to maybe discuss this further.

Assert that instance ID is set if sockets & FLATPAK_CONTEXT_SOCKET_WAYLAND

Yeah.

[alexlarsson]

We absolutely don't want NO_PROC. That will break any apps that uses /proc/self/fd, etc which is very common (even used by glibc). And /proc access is not a security problem for regular apps. Only for apply_extra_data() when writing to the system repo. See commit message for cd21428.

And flatpak_context_make_sandboxed() is a complete no-op for the newly created (and thus empty) app_context.

[emersion]

Rebased, added Meson support, made instance ID mandatory.

[davidedmundson]

Can I check that this MR is "acked in principle" and just blocked on the upstream protocol to land?

Obviously it's chicken and egg, but it's also silly to land this in the specs without the most important user of this being officially on-board.

[jadahl]

Can I check that this MR is "acked in principle" and just blocked on the upstream protocol to land?

There has been no explicit ack from a maintainer yet, but it got some initial review from @alexlarsson. Something more would be appreciated no doubt.

[emersion]

Any news about this?

[alexlarsson]

LGTM

[emersion]

Thank you for having a look, @alexlarsson!

[jadahl]

Next steps: release wayland-protocols with the new protocol, and bump the version needed by flatpak if enabled.

[alexlarsson]

Actually, as per the comment above. I think not calling flatpak_run_add_socket_args_environment() is a bad idea.

[jadahl]

Next steps: release wayland-protocols with the new protocol, and bump the version needed by flatpak if enabled.

Can now depend on 1.32 for this.

[emersion]

Added an assert and the wayland-protocols version requirement.

[swick]

LGTM

[emersion]

@alexlarsson, does this look good to you?

[emersion]

@alexlarsson, anything else I need to do or does this look good to you?