From e5da98ff4b12a080044d58b4cd2fb4edb4491132 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Wed, 6 Jan 2021 17:05:21 -0600
Subject: [PATCH] Mount resolved varlink socket in sandbox if network access is allowed

If network access is allowed, then we should probably allow name resolution too. This should be enough to make nss-resolve work inside flatpak. However, it cannot be tested with GNOME runtimes, because GNOME runtimes do not contain systemd. It also cannot be tested with the Fedora 33 flatpak runtime, because this runtime contains systemd 246, where nss-resolve uses D-Bus rather than varlink to communicate with systemd-resolved. And there is no rawhide runtime, and will be no Fedora 34 runtime until F34 is branched. So currently it's not possible to actually test this without building a custom runtime, which I have not attempted to do. I have built flatpak myself and verified the resolved socket is mounted properly inside the sandbox, but it would be better to test if it actually works with a runtime that contains systemd 247. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1912131
---
 common/flatpak-run.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 8ebec5a9..eefd44be 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -602,6 +602,15 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap)
       flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
 }
 
+static void
+flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
+{
+  const char *resolved_socket = "/run/systemd/resolve/io.systemd.Resolve";
+
+  if (g_file_test (resolved_socket, G_FILE_TEST_EXISTS))
+    flatpak_bwrap_add_args (bwrap, "--bind", resolved_socket, resolved_socket, NULL);
+}
+
 static void
 flatpak_run_add_journal_args (FlatpakBwrap *bwrap)
 {
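Review bot: The new flatpak_run_add_resolved_args binds the socket with `--bind`, which gives the sandbox a writable mount of the host path even though connecting to a Unix socket only needs the socket node to be reachable; the other socket pass-throughs in this file appear to use `--ro-bind` (their bodies are not visible in this hunk), so `"--ro-bind", resolved_socket, resolved_socket, NULL` would be the consistent and least-privilege form unless a writable mount is known to be required. The helper also lacks a why-comment; something like `/* Expose systemd-resolved's varlink endpoint so nss-resolve inside the sandbox can resolve names; the caller gates this on shared network access. */` above the function would record the intent the commit message describes. Note that `G_FILE_TEST_EXISTS` only checks that the path exists, not that it is a socket, and that this unproxied bind hands the app the whole io.systemd.Resolve interface rather than a filtered view as the D-Bus proxy provides, which is worth stating in the comment so future readers weigh that surface deliberately.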
@@ -3886,6 +3895,9 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
                                 &exports, cancellable, error))
     return FALSE;
 
+  if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
+    flatpak_run_add_resolved_args (bwrap);
+
   flatpak_run_add_journal_args (bwrap);
   add_font_path_args (bwrap);
   add_icon_path_args (bwrap);
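Review bot: The guard on FLATPAK_CONTEXT_SHARED_NETWORK is the right gate for this mount, but the coupling is silent at the call site; a one-line comment such as `/* Name resolution via nss-resolve only makes sense when the app can reach the network. */` above the `if` would make the policy explicit to whoever next edits the ordering of these add_*_args calls. flatpak_run_app begins and ends outside this hunk, so I cannot tell whether other launch paths that reach flatpak_run_add_journal_args exist and would also need this call; if they do, the same gate should apply there.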