From bbac52e6afafdd664461f3ca94f5a816afc46282 Mon Sep 17 00:00:00 2001 From: Sebastian Wick Date: Mon, 3 Jul 2023 16:50:44 +0200 Subject: [PATCH] dir: Document the apply_extra_data run flags They are the same as `flatpak run --sandbox` with two exceptions: * `FLATPAK_RUN_FLAG_MULTIARCH` might be required so we just add it always * `FLATPAK_RUN_FLAG_NO_PROC` is added to prevent sandbox escapes via `/proc/self/exe` Signed-off-by: Sebastian Wick --- common/flatpak-dir.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c index 1fc04f32..ba7f3085 100644 --- a/common/flatpak-dir.c +++ b/common/flatpak-dir.c @@ -8328,15 +8328,22 @@ apply_extra_data (FlatpakDir *self, "--cap-drop", "ALL", NULL); - /* Might need multiarch in apply_extra (see e.g. #3742). - * Should be pretty safe in this limited context */ - run_flags = (FLATPAK_RUN_FLAG_MULTIARCH | + /* Run flags which equal flatpak run --sandbox */ + run_flags = (FLATPAK_RUN_FLAG_SANDBOX | FLATPAK_RUN_FLAG_NO_SESSION_HELPER | - FLATPAK_RUN_FLAG_NO_PROC | FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY | FLATPAK_RUN_FLAG_NO_SYSTEM_BUS_PROXY | FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY); + /* Might need multiarch in apply_extra (see e.g. #3742). + * Should be pretty safe in this limited context. */ + run_flags |= FLATPAK_RUN_FLAG_MULTIARCH; + + /* This sandbox is run as root and /proc/self/exe can sometimes be used to + * access outside files (see cd21428). + * Disable /proc entirely in this context. */ + run_flags |= FLATPAK_RUN_FLAG_NO_PROC; + if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_arch, run_flags, error)) return FALSE;
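Review bot: The new `/* Run flags which equal flatpak run --sandbox */` comment does not describe the final value of run_flags, because the two `|=` lines right below deliberately diverge from `--sandbox`, and as far as this hunk shows nothing ties this hand-written flag list to wherever `flatpak run --sandbox` builds its own set, so the two can drift apart silently. I would reword it to `/* Start from the flag set that flatpak run --sandbox uses (keep in sync with the run builtin), then add the two apply_extra-specific flags below. */`. The NO_PROC comment should also state the hazard rather than only citing cd21428, e.g. `/* The apply_extra script runs as root; with /proc mounted, /proc/self/exe (and presumably other /proc links) can reach files outside the sandbox, so do not mount /proc at all. */`, since a bare short hash stops being useful once history is rewritten or the file is vendored. Whether NO_PROC really results in no `--proc` argument depends on flatpak_run_setup_base_argv and on nothing later in the function re-adding it, neither of which is visible here; apply_extra_data begins before this hunk and continues past it.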