Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use new --disable-userns bubblewrap feature when possible #5084

Merged
merged 2 commits into from Mar 24, 2023
Merged

Use new --disable-userns bubblewrap feature when possible #5084

merged 2 commits into from Mar 24, 2023

Conversation

alexlarsson
Copy link
Member

@alexlarsson alexlarsson commented Sep 6, 2022
edited by smcv

[This now depends on #5325. —smcv]

  • build: Require bubblewrap 0.8.0

    From: smcv

    This lets us use its new features unconditionally.

  • Use new --disable-userns bubblewrap feature when possible

    From: alexlarsson

    This feature (added in Add an option to disable nested user namespaces by setting limit to 1 containers/bubblewrap#488)
    allows us to improve the guarantees of disallowing the sandbox to use
    recursive user namespaces (which is a security risk) compared to the
    existing limits that use seccomp.

    [smcv: Move this to flatpak_run_setup_base_argv() so it will apply
    equally in apply_extra_data() and flatpak build; make the compile-time
    check for a setuid bwrap into a runtime check]

    Co-authored-by: smcv

smcv
smcv requested changes Sep 6, 2022
View reviewed changes
configure.ac Outdated Show resolved Hide resolved
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from d087ed2 to b2d3cd6 Compare December 16, 2022 17:43
@smcv smcv mentioned this pull request Dec 16, 2022
Merged
@smcv smcv requested a review from mwleeds December 16, 2022 17:48
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch 3 times, most recently from 531c843 to e5c7e25 Compare December 16, 2022 18:47
@smcv smcv mentioned this pull request Dec 16, 2022
Merged
@smcv
Copy link
Collaborator

smcv commented Dec 16, 2022

Note to self for testing uninstalled:

$ meson setup _build -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy -Dsystem_bubblewrap= -Dlocalstatedir=/var -Dsysconfdir=/etc -Dprefix=/usr
$ export G_MESSAGES_DEBUG=all FLATPAK=$builddir/app/flatpak FLATPAK_BWRAP=$builddir/subprojects/bubblewrap/flatpak-bwrap
$ $builddir/portal/flatpak-portal -vvr
$ $builddir/app/flatpak run -vv ...

@smcv smcv added enhancement sandbox issue related to sandbox setup ready-for-review labels Dec 16, 2022
@smcv smcv marked this pull request as draft December 16, 2022 18:58
smcv added a commit to smcv/flatpak that referenced this pull request Dec 16, 2022
@smcv
WIP: Add an all-syscalls feature which disables seccomp filtering
6c6e6b1 
Our seccomp filtering necessarily adds overhead to each system call,
which is undesirable for syscall-heavy workloads like graphically
intensive games.

This is currently incomplete. It depends on flatpak#5084, but also needs
solutions to:

- preventing ioctl TIOCSTI (CVE-2017-5226): at the moment this is done
  in a relatively crude way via bwrap --new-session

- preventing access to the kernel keyring (see also flatpak#4281): at the moment
  this is unsolved

Resolves: flatpak#4187
Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv mentioned this pull request Dec 16, 2022
Draft
@alexlarsson
Copy link
Member Author

I merged the bwrap code now, so we should try to get this in.

@alexlarsson
Copy link
Member Author

Other than the rebase to a released bwrap this PR looks good to me now

@smcv
Copy link
Collaborator

smcv commented Jan 3, 2023

Other than the rebase to a released bwrap this PR looks good to me now

Great, please could you review containers/bubblewrap#545 if you have a chance? I think that one is a bwrap release blocker.

@alexlarsson
Copy link
Member Author

merged that too

smcv added a commit to smcv/flatpak that referenced this pull request Feb 27, 2023
@smcv
Update submodule: bubblewrap 0.8.0
be544d5 
* Improve error message if seccomp is disabled in kernel config
* Add --disable-userns option (needed for flatpak#5084)
* Add --assert-userns-disabled option (needed for flatpak#5084)

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv mentioned this pull request Feb 27, 2023
Merged
@smcv smcv marked this pull request as ready for review February 27, 2023 14:13
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from e5c7e25 to 676f49b Compare February 27, 2023 14:13
@smcv smcv self-requested a review February 27, 2023 14:13
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from 676f49b to 8da10e9 Compare February 27, 2023 14:15
smcv
smcv approved these changes Feb 27, 2023
View reviewed changes
Copy link
Collaborator

@smcv smcv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy with this if other maintainers are. (@alexlarsson? @mwleeds?)

@smcv smcv changed the title WIP: Use new --disable-userns bubblewrap feature when possible Use new --disable-userns bubblewrap feature when possible Feb 27, 2023
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from 8da10e9 to dbfbad9 Compare February 27, 2023 14:18
smcv added a commit to smcv/flatpak that referenced this pull request Feb 27, 2023
@smcv
WIP: Add an all-syscalls feature which disables seccomp filtering
6685f77 
Our seccomp filtering necessarily adds overhead to each system call,
which is undesirable for syscall-heavy workloads like graphically
intensive games.

This is currently incomplete. It depends on flatpak#5084, but also needs
solutions to:

- preventing ioctl TIOCSTI (CVE-2017-5226): at the moment this is done
  in a relatively crude way via bwrap --new-session

- preventing access to the kernel keyring (see also flatpak#4281): at the moment
  this is unsolved

Resolves: flatpak#4187
Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv added a commit to smcv/flatpak that referenced this pull request Mar 20, 2023
@smcv
Update submodule: bubblewrap 0.8.0
34638d8 
* Improve error message if seccomp is disabled in kernel config
* Add --disable-userns option (needed for flatpak#5084)
* Add --assert-userns-disabled option (needed for flatpak#5084)

Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv added a commit that referenced this pull request Mar 20, 2023
@smcv
Update submodule: bubblewrap 0.8.0
ec6ca9b 
* Improve error message if seccomp is disabled in kernel config
* Add --disable-userns option (needed for #5084)
* Add --assert-userns-disabled option (needed for #5084)

Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from dbfbad9 to 94005b1 Compare March 20, 2023 12:11
smcv and others added 2 commits March 23, 2023 11:28
@smcv
build: Require bubblewrap 0.8.0
48328ab 
This lets us use its new features unconditionally.

Signed-off-by: Simon McVittie <smcv@collabora.com>
@alexlarsson @smcv
Use new --disable-userns bubblewrap feature when possible
81a2ef8 
This feature (added in containers/bubblewrap#488)
allows us to improve the guarantees of disallowing the sandbox to use
recursive user namespaces (which is a security risk) compared to the
existing limits that use seccomp.

[smcv: Move this to flatpak_run_setup_base_argv() so it will apply
equally in apply_extra_data() and `flatpak build`; make the compile-time
check for a setuid bwrap into a runtime check]

Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
@smcv smcv force-pushed the use-bubblewrap-disable-userns branch from 94005b1 to 81a2ef8 Compare March 23, 2023 11:28
@smcv
Copy link
Collaborator

smcv commented Mar 23, 2023

Last chance for anyone to object to this, otherwise I'll merge after CI finishes.

@smcv smcv merged commit 23ec4ed into flatpak:main Mar 24, 2023
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smcv smcv smcv approved these changes

@mwleeds mwleeds Awaiting requested review from mwleeds

Assignees
No one assigned
Labels
enhancement ready-for-review sandbox issue related to sandbox setup
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@alexlarsson @smcv