From 7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option

Instead of passing a /proc/self/fd bind mount we use --bind-fd, which has two advantages:

 * bwrap closes the fd when used, so it doesn't leak into the started app
 * bwrap ensures that what was mounted was the passed in fd (same dev/ino), as there is a small (required) gap between symlink resolve and mount where the target path could be replaced.

Please note that this change requires an updated version of bubblewrap.

Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87

[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie
Signed-off-by: Simon McVittie
---
 common/flatpak-context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 38d8dabb..920fd409 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2961,10 +2961,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
 continue;
 }
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
 flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
 }
 }
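Review bot: The new `--bind-fd` argument is emitted unconditionally, but nothing in this hunk (or, as far as visible, elsewhere in the patch) checks that the installed bubblewrap actually understands it, so on a host with an older bwrap the sandbox will fail to start with an unknown-option error rather than falling back or reporting the minimum version; the commit message admits the requirement, so the code should enforce it, either via a build-time/runtime bubblewrap version check or at least a comment next to the call such as `/* --bind-fd needs a bubblewrap release that has it (added for CVE-2024-42472); older bwrap will reject this argument */`. Separately, the variable `src_via_proc` now holds a bare fd number rather than a /proc path, so the name is misleading after this change; I would rename it in both added lines, `g_autofree char *src_fd_str = g_strdup_printf ("%d", src_fd);` and `flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_fd_str, dest);`. The security intent is sound, since bwrap verifying dev/ino of the mounted fd closes the resolve-then-mount race that the old `/proc/self/fd/%d --bind` form left open, and `--bind-fd` (not `--ro-bind-fd`) is correct for writable persist directories. The enclosing function `flatpak_context_append_bwrap_filesystem` starts and ends outside the hunk.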