dir: Document the apply_extra_data run flags

They are the same as `flatpak run --sandbox` with two exceptions: * `FLATPAK_RUN_FLAG_MULTIARCH` might be required so we just add it always * `FLATPAK_RUN_FLAG_NO_PROC` is added to prevent sandbox escapes via `/proc/self/exe` Signed-off-by: Sebastian Wick <[email protected]>
flatpak · Jul 3, 2023 · fdd0bb5 · fdd0bb5
1 parent 4c6136a
commit fdd0bb5
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
@@ -8328,15 +8328,22 @@ apply_extra_data (FlatpakDir *self,
  "--cap-drop", "ALL",
  NULL);
 
- /* Might need multiarch in apply_extra (see e.g. #3742).
- * Should be pretty safe in this limited context */
- run_flags = (FLATPAK_RUN_FLAG_MULTIARCH |
+ /* Run flags which equal flatpak run --sandbox */
+ run_flags = (FLATPAK_RUN_FLAG_SANDBOX |
  FLATPAK_RUN_FLAG_NO_SESSION_HELPER |
- FLATPAK_RUN_FLAG_NO_PROC |
  FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY |
  FLATPAK_RUN_FLAG_NO_SYSTEM_BUS_PROXY |
  FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY);
 
+ /* Might need multiarch in apply_extra (see e.g. #3742).
+ * Should be pretty safe in this limited context. */
+ run_flags |= FLATPAK_RUN_FLAG_MULTIARCH;
+
+ /* This sandbox is run as root and /proc/self/exe can sometimes be used to
+ * access outside files (see cd21428).
+ * Disable /proc entirely in this context. */
+ run_flags |= FLATPAK_RUN_FLAG_NO_PROC;
+
  if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_arch,
  run_flags, error))
  return FALSE;