WIP: Add an all-syscalls feature which disables seccomp filtering

Our seccomp filtering necessarily adds overhead to each system call, which is undesirable for syscall-heavy workloads like graphically intensive games. This is currently incomplete. It depends on flatpak#5084, but also needs solutions to: - preventing ioctl TIOCSTI (CVE-2017-5226): at the moment this is done in a relatively crude way via bwrap --new-session - preventing access to the kernel keyring (see also flatpak#4281): at the moment this is unsolved Resolves: flatpak#4187 Signed-off-by: Simon McVittie <[email protected]>
smcv · Feb 27, 2023 · 6685f77 · 6685f77
1 parent dbfbad9
commit 6685f77
Show file tree

Hide file tree

Showing 8 changed files with 75 additions and 7 deletions.
diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
@@ -49,6 +49,7 @@ typedef enum {
  FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
  FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS = (1 << 20),
  FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS = (1 << 21),
+ FLATPAK_RUN_FLAG_ALL_SYSCALLS = (1 << 22),
 } FlatpakRunFlags;
 
 typedef struct FlatpakDir FlatpakDir;

diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h
@@ -65,6 +65,7 @@ typedef enum {
  FLATPAK_CONTEXT_FEATURE_BLUETOOTH = 1 << 2,
  FLATPAK_CONTEXT_FEATURE_CANBUS = 1 << 3,
  FLATPAK_CONTEXT_FEATURE_PER_APP_DEV_SHM = 1 << 4,
+ FLATPAK_CONTEXT_FEATURE_ALL_SYSCALLS = 1 << 5,
 } FlatpakContextFeatures;
 
 struct FlatpakContext

diff --git a/common/flatpak-context.c b/common/flatpak-context.c
@@ -79,6 +79,7 @@ const char *flatpak_context_features[] = {
  "bluetooth",
  "canbus",
  "per-app-dev-shm",
+ "all-syscalls",
  NULL
 };
 
@@ -2765,6 +2766,9 @@ flatpak_context_get_run_flags (FlatpakContext *context)
  if (flatpak_context_allows_features (context, FLATPAK_CONTEXT_FEATURE_CANBUS))
  flags |= FLATPAK_RUN_FLAG_CANBUS;
 
+ if (flatpak_context_allows_features (context, FLATPAK_CONTEXT_FEATURE_ALL_SYSCALLS))
+ flags |= FLATPAK_RUN_FLAG_ALL_SYSCALLS;
+
  return flags;
 }
 

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
@@ -3494,6 +3494,7 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
  gulong pers;
  gid_t gid = getgid ();
  g_autoptr(GFile) etc = NULL;
+ gboolean allow_all_syscalls = (flags & FLATPAK_RUN_FLAG_ALL_SYSCALLS) != 0;
  gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
  gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
  gboolean bwrap_unprivileged = flatpak_bwrap_is_unprivileged ();
@@ -3685,7 +3686,23 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
  personality (pers);
 
 #ifdef ENABLE_SECCOMP
- if (!setup_seccomp (bwrap, arch, pers, flags, error))
+ if (allow_all_syscalls && !bwrap_unprivileged)
+ {
+ g_warning ("--allow=all-syscalls is not compatible with a "
+ "setuid-root %s executable", flatpak_get_bwrap ());
+ g_warning ("<https://github.com/flatpak/flatpak/wiki/User-namespace-requirements>");
+ allow_all_syscalls = FALSE;
+ }
+
+ if (allow_all_syscalls)
+ {
+ if (isatty (STDIN_FILENO))
+ g_message ("Note: --allow=all-syscalls does not work well with interactive shells due to how it prevents CVE-2017-5226.");
+
+ flatpak_bwrap_add_args (bwrap, "--new-session", NULL);
+ }
+
+ if (!allow_all_syscalls && !setup_seccomp (bwrap, arch, pers, flags, error))
  return FALSE;
 #endif
 

diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml
@@ -185,7 +185,7 @@
  Allow access to a specific feature. This updates
  the [Context] group in the metadata.
  FEATURE must be one of: devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
  </para><para>
  The <code>devel</code> feature allows the application to
@@ -213,6 +213,21 @@
  application, any unrestricted subsandboxes that it creates,
  and any other instances of the application that are
  launched while it is running.
+ </para>
+ <para>
+ The <code>all-syscalls</code> feature disables seccomp
+ filtering of system calls completely, which is a security
+ risk but can be useful for performance-sensitive software.
+ This feature has no effect if Flatpak is using a
+ setuid-root version of the bubblewrap executable
+ <citerefentry><refentrytitle>bwrap</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ Allowing this feature has the effect of making several
+ other features available, including
+ <code>bluetooth</code>,
+ <code>canbus</code>,
+ <code>devel</code> and
+ <code>multiarch</code>,
+ even if they would otherwise have been disallowed.
  </para></listitem>
  </varlistentry>
 
@@ -223,8 +238,13 @@
  Disallow access to a specific feature. This updates
  the [Context] group in the metadata.
  FEATURE must be one of: devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
+ </para><para>
+ If the <code>all-syscalls</code> feature is allowed,
+ then several other features will be available even if
+ the <option>--disallow</option> option was used for
+ individual features.
  </para></listitem>
  </varlistentry>
 

diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml
@@ -196,7 +196,7 @@
  the [Context] group in the metadata.
  <arg choice="plain">FEATURE</arg> must be one of:
  devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
  </para><para>
  See <citerefentry><refentrytitle>flatpak-build-finish</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@@ -212,7 +212,7 @@
  the [Context] group in the metadata.
  <arg choice="plain">FEATURE</arg> must be one of:
  devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
  </para></listitem>
  </varlistentry>

diff --git a/doc/flatpak-metadata.xml b/doc/flatpak-metadata.xml
@@ -492,11 +492,32 @@
  Available since 1.12.0.
  </para></listitem></varlistentry>
 
+ <varlistentry><term><option>all-syscalls</option></term>
+ <listitem><para>
+ Disable filtering of system calls completely,
+ which is a security risk but can be useful for
+ performance-sensitive software.
+ This feature has no effect if Flatpak is using a
+ setuid-root version of the bubblewrap executable
+ <citerefentry><refentrytitle>bwrap</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ Allowing this feature has the effect of making
+ several other features available, including
+ <code>bluetooth</code>,
+ <code>canbus</code>,
+ <code>devel</code> and
+ <code>multiarch</code>,
+ even if they would otherwise have been disallowed.
+ Available since 1.16.0.
+ </para></listitem></varlistentry>
+
  </variablelist>
  A feature can be prefixed with <option>!</option> to
  indicate the absence of that feature, for example
  <option>!devel</option> if development and debugging
  are not allowed.
+ However, if the <code>all-syscalls</code> feature is
+ allowed, then several other features will be available
+ even if syntax like <option>!devel</option> was used.
  </para></listitem>
  </varlistentry>
  <varlistentry>

diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
@@ -181,7 +181,7 @@
  the [Context] group in the metadata.
  <arg choice="plain">FEATURE</arg> must be one of:
  devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
  </para><para>
  See <citerefentry><refentrytitle>flatpak-build-finish</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@@ -197,8 +197,12 @@
  the [Context] group in the metadata.
  <arg choice="plain">FEATURE</arg> must be one of:
  devel, multiarch, bluetooth, canbus,
- per-app-dev-shm.
+ per-app-dev-shm, all-syscalls.
  This option can be used multiple times.
+ If the <code>all-syscalls</code> feature is allowed,
+ then several other features will be available even if
+ the <option>--disallow</option> option was used for
+ individual features.
  </para></listitem>
  </varlistentry>