Use new --disable-userns bubblewrap feature when possible

This feature (added in containers/bubblewrap#488)
allows us to improve the guarantees of disallowing the sandbox to use
recursive user namespaces (which is a security risk) compared to the
existing limits that use seccomp.

[smcv: Move this to flatpak_run_setup_base_argv() so it will apply
equally in apply_extra_data() and `flatpak build`; make the compile-time
check for a setuid bwrap into a runtime check]

Co-authored-by: Simon McVittie <[email protected]>
Signed-off-by: Simon McVittie <[email protected]>

common/flatpak-run.c

@@ -3493,6 +3493,38 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
  gulong pers;
  gid_t gid = getgid ();
  g_autoptr(GFile) etc = NULL;
+ gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
+ gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
+ gboolean bwrap_unprivileged = flatpak_bwrap_is_unprivileged ();
+
+ /* Disable recursive userns for all flatpak processes, as we need this
+ * to guarantee that the sandbox can't restructure the filesystem.
+ * Allowing to change e.g. /.flatpak-info would allow sandbox escape
+ * via portals.
+ *
+ * This is also done via seccomp, but here we do it using userns
+ * unsharing in combination with max_user_namespaces.
+ *
+ * If bwrap is setuid, then --disable-userns will not work, which
+ * makes the seccomp filter security-critical.
+ */
+ if (bwrap_unprivileged)
+ {
+ if (parent_expose_pids || parent_share_pids)
+ {
+ /* If we're joining an existing sandbox's user and process
+ * namespaces, then it should already have creation of
+ * nested user namespaces disabled. */
+ flatpak_bwrap_add_arg (bwrap, "--assert-userns-disabled");
+ }
+ else
+ {
+ /* This is a new sandbox, so we need to disable creation of
+ * nested user namespaces. */
+ flatpak_bwrap_add_arg (bwrap, "--unshare-user");
+ flatpak_bwrap_add_arg (bwrap, "--disable-userns");
+ }
+ }
 
  run_dir = g_strdup_printf ("/run/user/%d", getuid ());