persist directories: Pass using new bwrap --bind-fd option

Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
 * bwrap closes the fd when used, so it doesn't leak into the started app
 * bwrap ensures that what was mounted was the passed in fd (same dev/ino),
   as there is a small (required) gap between symlink resolve and mount
   where the target path could be replaced.

Please note that this change requires an updated version of bubblewrap.

Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Author: Simon McVittie
Date: 2024-08-14 13:44:30 +01:00
parent 847dfb88ce
commit 7c63e53bb2


@@ -2961,10 +2961,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
continue;
}
g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
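Review bot: `src_via_proc` is now a misnomer in this hunk: after the change it holds the bare descriptor number (`"%d"`) that `--bind-fd` expects rather than a `/proc/self/fd/...` path, so the name will mislead anyone reading the `flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);` call later; rename it to something like `src_fd_str`. The commit message says `--bind-fd` needs an updated bubblewrap, but the hunk adds no version check or fallback to the old `--bind` form, so an older bwrap would fail at app launch on the unknown option; please record the minimum bubblewrap version in the build dependencies and release notes so packagers pick it up.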