From 4f1e7f8d1705488e501925255fbe061ac71405fc Mon Sep 17 00:00:00 2001 From: Sebastian Wick Date: Fri, 6 Feb 2026 21:02:47 +0100 Subject: [PATCH] run: Add (ro-)bind fds to flatpak_run_app The flatpak portal allows apps to expose files and folders from within the sandbox to a side-sandbox using flatpak-spawn. So far it has used the --filesystem option to mount those files and folders, but it takes a path. Paths are inherently racy and they allow the app to swap out any component of the path with a symlink after handing it off. If they win the race, flatpak will mount a completely different directory. This adds a new way to mount files and directories based on O_PATH file descriptor that needs to provided when execing the flatpak binary. --- app/flatpak-builtins-run.c | 2 ++ common/flatpak-installation.c | 1 + common/flatpak-run-private.h | 2 ++ common/flatpak-run.c | 36 +++++++++++++++++++++++++++++++++++ 4 files changed, 41 insertions(+) diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c index a2644f89..b14bf056 100644 --- a/app/flatpak-builtins-run.c +++ b/app/flatpak-builtins-run.c @@ -385,6 +385,8 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError ** opt_instance_id_fd, (const char * const *) run_environ, NULL, + NULL, + NULL, cancellable, error)) return FALSE; diff --git a/common/flatpak-installation.c b/common/flatpak-installation.c index 29250b90..fe5e5757 100644 --- a/common/flatpak-installation.c +++ b/common/flatpak-installation.c @@ -714,6 +714,7 @@ flatpak_installation_launch_full (FlatpakInstallation *self, NULL, 0, -1, (const char * const *) run_environ, &instance_dir, + NULL, NULL, cancellable, error)) return FALSE; diff --git a/common/flatpak-run-private.h b/common/flatpak-run-private.h index 0adbb8af..8c6cc049 100644 --- a/common/flatpak-run-private.h +++ b/common/flatpak-run-private.h @@ -124,6 +124,8 @@ gboolean flatpak_run_app (FlatpakDecomposed *app_ref, int instance_id_fd, const char * const *run_environ, char **instance_dir_out, + GArray *bind_fds, + GArray *ro_bind_fds, GCancellable *cancellable, GError **error); diff --git a/common/flatpak-run.c b/common/flatpak-run.c index 2813d150..055c721d 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -2979,6 +2979,8 @@ flatpak_run_app (FlatpakDecomposed *app_ref, int instance_id_fd, const char * const *run_environ, char **instance_dir_out, + GArray *bind_fds, + GArray *ro_bind_fds, GCancellable *cancellable, GError **error) { @@ -3583,6 +3585,40 @@ flatpak_run_app (FlatpakDecomposed *app_ref, flatpak_bwrap_add_arg_printf (bwrap, "/run/user/%d", getuid ()); } + for (i = 0; bind_fds && i < bind_fds->len; i++) + { + int fd = g_array_index (bind_fds, int, i); + g_autofree char *path = NULL; + + /* We get the path the fd refers to, to determine to mount point + * destination inside the sandbox */ + path = get_path_for_fd (fd, error); + if (!path) + return FALSE; + + if (!flatpak_bwrap_add_args_data_fd_dup (bwrap, + "--bind-fd", fd, path, + error)) + return FALSE; + } + + for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++) + { + int fd = g_array_index (ro_bind_fds, int, i); + g_autofree char *path = NULL; + + /* We get the path the fd refers to, to determine to mount point + * destination inside the sandbox */ + path = get_path_for_fd (fd, error); + if (!path) + return FALSE; + + if (!flatpak_bwrap_add_args_data_fd_dup (bwrap, + "--ro-bind-fd", fd, path, + error)) + return FALSE; + } + if (!flatpak_run_add_dconf_args (bwrap, app_id, metakey, error)) return FALSE;