From bbab7ed1e672356d1a78b422462b210e8e875931 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 15 Apr 2024 16:10:36 +0200
Subject: [PATCH] When starting non-static command using bwrap use "--"

This ensures that the command is not taken to be a bwrap option.

Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie
---
 app/flatpak-builtins-build.c | 3 ++-
 common/flatpak-dir.c | 1 +
 common/flatpak-run-dbus.c | 3 +++
 common/flatpak-run.c | 2 +-
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index a606544980..585f8f43ba 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -589,7 +589,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;

- flatpak_bwrap_add_args (bwrap, command, NULL);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);
+
 flatpak_bwrap_append_argsv (bwrap,
 &argv[rest_argv_start + 2],
 rest_argc - 2);
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 3a788469a4..089fb80734 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7155,6 +7155,7 @@ flatpak_dir_run_triggers (FlatpakDir *self,
 "--proc", "/proc",
 "--dev", "/dev",
 "--bind", basedir, basedir,
+ "--",
 NULL);
 #endif
 flatpak_bwrap_add_args (bwrap,
diff --git a/common/flatpak-run-dbus.c b/common/flatpak-run-dbus.c
index 3074549bc9..bb64c15bf0 100644
--- a/common/flatpak-run-dbus.c
+++ b/common/flatpak-run-dbus.c
@@ -104,6 +104,9 @@ add_bwrap_wrapper (FlatpakBwrap *bwrap,
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;

+ /* End of options: the next argument will be the executable name */
+ flatpak_bwrap_add_arg (bwrap, "--");
+
 return TRUE;
 }

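Review bot: The `"--"` placed before `command` in flatpak_builtin_build (app/flatpak-builtins-build.c) has no comment, so a later reader cannot tell that it is the security boundary this commit exists for rather than a stray argument; the flatpak_run_app hunk in common/flatpak-run.c has the same gap. I would reuse the wording this commit already adds in common/flatpak-run-dbus.c, `/* End of options: the next argument will be the executable name */`, directly above both calls. That keeps all call sites consistent and makes an accidental removal during refactoring easier to catch in review. The body of flatpak_builtin_build starts and ends outside the hunk.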
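Review bot: In flatpak_dir_run_triggers (common/flatpak-dir.c) the new `"--",` is only correct while it stays the last entry before `NULL` in this argument list, and nothing in the code marks that ordering constraint. A bwrap option appended after it in a later change would be handed to bwrap as the program to run instead of being parsed as an option. A one-line comment above the entry, such as `/* "--" must stay last: everything added after this is the trigger command, not a bwrap option */`, would guard against that. The list sits inside a preprocessor conditional closed by the `#endif` below; judging by the commit message this is the branch that is compiled when sandboxed triggers are enabled, but the opening directive is outside the hunk.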
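Review bot: add_bwrap_wrapper (common/flatpak-run-dbus.c) now terminates the bwrap option list itself, which changes what its callers may do after it returns: they must append the executable next and can no longer add bwrap options. The inline comment explains the `--`, but the constraint belongs in the function's header comment where callers will see it, for example `/* On success the bwrap arguments end with "--"; the caller must append the program and its arguments and nothing else. */`. The signature and the start of the body are outside the hunk, so I cannot see whether such a header comment already exists; the commit message names flatpak_run_maybe_start_dbus_proxy() as the caller to check.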
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index bd68b4806f..29fe563f36 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3425,7 +3425,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
 if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
 return FALSE;

- flatpak_bwrap_add_arg (bwrap, command);
+ flatpak_bwrap_add_args (bwrap, "--", command, NULL);

 if (!add_rest_args (bwrap, app_id,
 exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0,
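Review bot: The diffstat lists only four C source files, so this commit changes the argument order in flatpak_run_app without a test that pins it. The fix for the referenced CVE rests entirely on `"--"` preceding `command` at every call site, and a later refactor of the argument building could drop the separator unnoticed. A regression test that starts an app with a command name beginning with `--` and checks that bwrap treats it as a program name (and fails to find it) rather than as an option would cover this; it may already exist in a separate commit of the series. flatpak_run_app continues outside the hunk.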