run: Disallow recently-added mount-manipulation syscalls

If we don't allow mount() then we shouldn't allow these either. Partially fixes GHSA-67h7-w3jq-vh4q. Thanks: an anonymous reporter Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-05-24 16:57:42 -04:00 · 2021-09-01 12:45:54 +01:00
parent a10f52a756
commit 9766ee05b1
1 changed files with 12 additions and 0 deletions
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2951,6 +2951,18 @@ setup_seccomp (FlatpakBwrap   *bwrap,
     * Return ENOSYS so user-space will fall back to clone().
     * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
    {SCMP_SYS (clone3), ENOSYS},
+
+    /* New mount manipulation APIs can also change our VFS. There's no
+     * legitimate reason to do these in the sandbox, so block all of them
+     * rather than thinking about which ones might be dangerous.
+     * (GHSA-67h7-w3jq-vh4q) */
+    {SCMP_SYS (open_tree), ENOSYS},
+    {SCMP_SYS (move_mount), ENOSYS},
+    {SCMP_SYS (fsopen), ENOSYS},
+    {SCMP_SYS (fsconfig), ENOSYS},
+    {SCMP_SYS (fsmount), ENOSYS},
+    {SCMP_SYS (fspick), ENOSYS},
+    {SCMP_SYS (mount_setattr), ENOSYS},
  };

  struct