Don't expose /proc when running apply_extra

As shown by CVE-2019-5736, it is sometimes possible for the sandbox app to access outside files using /proc/self/exe. This is not typically an issue for flatpak as the sandbox runs as the user which has no permissions to e.g. modify the host files. However, when installing apps using extra-data into the system repo we *do* actually run a sandbox as root. So, in this case we disable mounting /proc in the sandbox, which will neuter attacks like this.
flatpak · Feb 11, 2019 · cd21428 · cd21428
1 parent b85f386
commit cd21428
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
@@ -46,6 +46,7 @@ typedef enum {
  FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
  FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
  FLATPAK_RUN_FLAG_DO_NOT_REAP = (1 << 18),
+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
 } FlatpakRunFlags;
 
 typedef struct FlatpakDir FlatpakDir;

diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
@@ -6786,7 +6786,7 @@ apply_extra_data (FlatpakDir *self,
  NULL);
 
  if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
  error))
  return FALSE;
 

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
@@ -2606,9 +2606,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
  "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
  "user-config: none\n";
 
+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+ flatpak_bwrap_add_args (bwrap,
+ "--proc", "/proc",
+ NULL);
+
  flatpak_bwrap_add_args (bwrap,
  "--unshare-pid",
- "--proc", "/proc",
  "--dir", "/tmp",
  "--dir", "/var/tmp",
  "--dir", "/run/host",