portal: Convert --env in extra-args into --env-fd

This hides overridden variables from the command-line, which means processes running under other uids can't see them in /proc/*/cmdline, which might be important if they contain secrets. Signed-off-by: Simon McVittie <smcv@collabora.com> Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2026-02-24 02:40:02 -05:00 · 2021-01-12 10:11:51 +00:00
parent 6e5ae7a109
commit aeb6a7ab0a
1 changed files with 49 additions and 1 deletions
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -257,6 +257,7 @@ typedef struct
  int         instance_id_fd;
  gboolean    set_tty;
  int         tty;
+  int         env_fd;
 } ChildSetupData;

 typedef struct
@@ -485,6 +486,9 @@ child_setup_func (gpointer user_data)
  if (data->instance_id_fd != -1)
    drop_cloexec (data->instance_id_fd);

+  if (data->env_fd != -1)
+    drop_cloexec (data->env_fd);
+
  /* Unblock all signals */
  sigemptyset (&set);
  if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1)
@@ -782,8 +786,10 @@ handle_spawn (PortalFlatpak         *object,
  gboolean share_pids;
  gboolean notify_start;
  gboolean devel;
+  g_autoptr(GString) env_string = g_string_new ("");

  child_setup_data.instance_id_fd = -1;
+  child_setup_data.env_fd = -1;

  if (fd_list != NULL)
    fds = g_unix_fd_list_peek_fds (fd_list, &fds_len);
@@ -1044,7 +1050,49 @@ handle_spawn (PortalFlatpak         *object,
  else
    {
      for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++)
-        g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
+        {
+          if (g_str_has_prefix (extra_args[i], "--env="))
+            {
+              const char *var_val = extra_args[i] + strlen ("--env=");
+
+              if (var_val[0] == '\0' || var_val[0] == '=')
+                {
+                  g_warning ("Environment variable in extra-args has empty name");
+                  continue;
+                }
+
+              if (strchr (var_val, '=') == NULL)
+                {
+                  g_warning ("Environment variable in extra-args has no value");
+                  continue;
+                }
+
+              g_string_append (env_string, var_val);
+              g_string_append_c (env_string, '\0');
+            }
+          else
+            {
+              g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
+            }
+        }
+    }
+
+  if (env_string->len > 0)
+    {
+      g_auto(GLnxTmpfile) env_tmpf  = { 0, };
+
+      if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ",
+                                                      env_string->str,
+                                                      env_string->len, &error))
+        {
+          g_dbus_method_invocation_return_gerror (invocation, error);
+          return G_DBUS_METHOD_INVOCATION_HANDLED;
+        }
+
+      child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd);
+      g_ptr_array_add (flatpak_argv,
+                       g_strdup_printf ("--env-fd=%d",
+                                        child_setup_data.env_fd));
    }

  expose_pids = (arg_flags & FLATPAK_SPAWN_FLAGS_EXPOSE_PIDS) != 0;