exports: Add host-etc and host-os keywords

These are subsets of the host keyword, which provide access to operating
system files but not to users' personal files.

In particular, the experimental support for namespace-based sandboxes
in the Steam Runtime[1] uses the graphics stack from the host system,
which requires access to the host /usr/libQUAL, /libQUAL (even if the
host OS has undergone the /usr merge, the canonical paths of ELF
interpreters start with /lib), /etc/ld.so.cache, and for some libraries
on Debian-based systems, /etc/alternatives. It will not be possible to
do similar things in Flatpak without either allowing full host
filesystem access (which exposes personal files, and in any case cannot
be done by the Steam app because it is incompatible with --persist=.),
or adding the ability to expose /usr and related directories without
including the rest of the host filesystem.

To the best of my knowledge, host-etc is not necessary for anything;
I've mainly provided it for symmetry, since it's the other significant
thing that we mount in /run/host and cannot get via --filesystem=/path.

Some notes on the security/privacy implications of the new keywords:

- Neither new keyword allows anything that was not already allowed
  by "host".
- Neither new keyword can allow anything that was not already allowed
  to the user outside the sandbox.
- "host-os" allows enumeration of the installed packages on the host
  system, and often their version numbers too. A malicious app could
  use this to look for exploitable security vulnerabilities on the
  host system. An app could also use this for fingerprinting, although
  this is not a regression, because the systemd/D-Bus machine ID,
  MAC addresses, hostname, kernel boot UUID, DMI product ID and many
  other unique or relatively unique properties are already available
  inside the sandbox.
- "host-os" allows read access, and possibly write access (if the user
  has it outside the sandbox, for example members of group 'staff' in
  older Debian installations), to /usr/local.
- "host-etc" allows reading configuration files whose contents might
  be considered sensitive, such as /etc/passwd.

[1] https://steamcommunity.com/app/221410/discussions/0/1638675549018366706/

Signed-off-by: Simon McVittie <smcv@collabora.com>
This commit is contained in:
Simon McVittie
2020-01-23 18:13:08 +00:00
committed by Alexander Larsson
parent 949a3ec479
commit fe2536b844
8 changed files with 166 additions and 24 deletions

View File

@@ -84,6 +84,8 @@ const char *flatpak_context_features[] = {
const char *flatpak_context_special_filesystems[] = {
"home",
"host",
"host-etc",
"host-os",
NULL
};
@@ -765,7 +767,7 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode,
return TRUE;
g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
_("Unknown filesystem location %s, valid locations are: host, home, xdg-*[/…], ~/dir, /dir"), filesystem);
_("Unknown filesystem location %s, valid locations are: host, host-os, host-etc, home, xdg-*[/…], ~/dir, /dir"), filesystem);
return FALSE;
}
@@ -2059,7 +2061,7 @@ flatpak_context_export (FlatpakContext *context,
gboolean *home_access_out)
{
gboolean home_access = FALSE;
FlatpakFilesystemMode fs_mode, home_mode;
FlatpakFilesystemMode fs_mode, os_mode, etc_mode, home_mode;
GHashTableIter iter;
gpointer key, value;
@@ -2089,9 +2091,20 @@ flatpak_context_export (FlatpakContext *context,
closedir (dir);
}
flatpak_exports_add_path_expose (exports, fs_mode, "/run/media");
flatpak_exports_add_host_expose (exports, fs_mode);
}
os_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-os"),
fs_mode);
if (os_mode != 0)
flatpak_exports_add_host_os_expose (exports, os_mode);
etc_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-etc"),
fs_mode);
if (etc_mode != 0)
flatpak_exports_add_host_etc_expose (exports, etc_mode);
home_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "home");
if (home_mode != 0)
{

View File

@@ -37,8 +37,10 @@ void flatpak_exports_free (FlatpakExports *exports);
FlatpakExports *flatpak_exports_new (void);
void flatpak_exports_append_bwrap_args (FlatpakExports *exports,
FlatpakBwrap *bwrap);
void flatpak_exports_add_host_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode);
void flatpak_exports_add_host_etc_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode);
void flatpak_exports_add_host_os_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode);
void flatpak_exports_add_path_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode,
const char *path);

View File

@@ -94,7 +94,8 @@ typedef struct
struct _FlatpakExports
{
GHashTable *hash;
FlatpakFilesystemMode host_fs;
FlatpakFilesystemMode host_etc;
FlatpakFilesystemMode host_os;
};
static void
@@ -221,6 +222,27 @@ path_is_symlink (const char *path)
return S_ISLNK (s.st_mode);
}
/*
* @name: A file or directory below /etc
* @test: How we test whether it is suitable
*
* The paths in /etc that are required if we want to make use of the
* host /usr (and /lib, and so on).
*/
typedef struct
{
const char *name;
GFileTest test;
} LibsNeedEtc;
static const LibsNeedEtc libs_need_etc[] =
{
/* glibc */
{ "ld.so.cache", G_FILE_TEST_IS_REGULAR },
/* Used for executables and a few libraries on e.g. Debian */
{ "alternatives", G_FILE_TEST_IS_DIR }
};
void
flatpak_exports_append_bwrap_args (FlatpakExports *exports,
FlatpakBwrap *bwrap)
@@ -279,17 +301,17 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
}
}
if (exports->host_fs != 0)
if (exports->host_os != 0)
{
const char *host_bind_mode = "--bind";
const char *os_bind_mode = "--bind";
int i;
if (exports->host_fs == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
host_bind_mode = "--ro-bind";
if (exports->host_os == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
os_bind_mode = "--ro-bind";
if (g_file_test ("/usr", G_FILE_TEST_IS_DIR))
flatpak_bwrap_add_args (bwrap,
host_bind_mode, "/usr", "/run/host/usr", NULL);
os_bind_mode, "/usr", "/run/host/usr", NULL);
for (i = 0; flatpak_abs_usrmerged_dirs[i] != NULL; i++)
{
@@ -329,14 +351,49 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
* or is a plain directory because the host OS has not
* undergone the /usr merge; bind-mount the directory instead */
flatpak_bwrap_add_args (bwrap,
host_bind_mode, subdir, run_host_subdir,
os_bind_mode, subdir, run_host_subdir,
NULL);
}
}
if (exports->host_etc == 0)
{
guint i;
/* We are exposing the host /usr (and friends) but not the
* host /etc. Additionally expose just enough of /etc to make
* things that want to read /usr work as expected.
*
* (If exports->host_etc is nonzero, we'll do this as part of
* /etc instead.) */
for (i = 0; i < G_N_ELEMENTS (libs_need_etc); i++)
{
const LibsNeedEtc *item = &libs_need_etc[i];
g_autofree gchar *host_path = g_strconcat ("/etc/", item->name, NULL);
if (g_file_test (host_path, item->test))
{
g_autofree gchar *run_host_path = g_strconcat ("/run/host/etc/", item->name, NULL);
flatpak_bwrap_add_args (bwrap,
os_bind_mode, host_path, run_host_path,
NULL);
}
}
}
}
if (exports->host_etc != 0)
{
const char *etc_bind_mode = "--bind";
if (exports->host_etc == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
etc_bind_mode = "--ro-bind";
if (g_file_test ("/etc", G_FILE_TEST_IS_DIR))
flatpak_bwrap_add_args (bwrap,
host_bind_mode, "/etc", "/run/host/etc", NULL);
etc_bind_mode, "/etc", "/run/host/etc", NULL);
}
}
@@ -677,8 +734,15 @@ flatpak_exports_add_path_dir (FlatpakExports *exports,
}
void
flatpak_exports_add_host_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode)
flatpak_exports_add_host_etc_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode)
{
exports->host_fs = mode;
exports->host_etc = mode;
}
void
flatpak_exports_add_host_os_expose (FlatpakExports *exports,
FlatpakFilesystemMode mode)
{
exports->host_os = mode;
}

View File

@@ -225,7 +225,7 @@
<listitem><para>
Allow the application access to a subset of the filesystem.
This updates the [Context] group in the metadata.
FS can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
FS can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative
path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
@@ -245,7 +245,7 @@
Remove access to the specified subset of the filesystem from
the application. This overrides to the Context section from the
application metadata.
FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.

View File

@@ -219,7 +219,7 @@
<listitem><para>
Allow the application access to a subset of the filesystem.
This overrides to the Context section from the application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative
path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
@@ -239,7 +239,7 @@
Remove access to the specified subset of the filesystem from
the application. This overrides to the Context section from the
application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.

View File

@@ -231,6 +231,21 @@
shared. This option does not make additional
files in /sys available.
</para>
<para>
Additionally, this keyword provides all of the
same directories in
<filename>/run/host</filename> as the
<option>host-os</option> and
<option>host-etc</option> keywords.
If this keyword is used in conjunction
with one of the <option>host-</option>
keywords, whichever access level is higher
(more permissive) will be used for the
directories in <filename>/run/host</filename>:
for example,
<code>host:rw;host-os:ro;</code> is
equivalent to <code>host:rw;</code>.
</para>
<para>
These other reserved directories are
currently excluded:
@@ -253,6 +268,54 @@
Available since 0.3.
</para></listitem></varlistentry>
<varlistentry><term><option>host-os</option></term>
<listitem><para>
The host operating system's libraries,
executables and static data from
<filename>/usr</filename>
and the related directories
<filename>/bin</filename>,
<filename>/lib</filename>,
<filename>/lib32</filename>,
<filename>/lib64</filename>,
<filename>/sbin</filename>.
Additionally, this keyword provides access
to a subset of <filename>/etc</filename> that
is associated with packaged libraries and
executables, even if the
<option>host-etc</option> keyword
was not used:
<filename>/etc/ld.so.cache</filename>,
(used by the dynamic linker) and
<filename>/etc/alternatives</filename>
(on operating systems that use it, such as
Debian).
</para>
<para>
To avoid conflicting with the Flatpak
runtime, these are mounted in the sandbox
at <filename>/run/host/usr</filename>,
<filename>/run/host/etc/ld.so.cache</filename>
and so on.
</para>
<para>
Available since 1.7.
</para></listitem></varlistentry>
<varlistentry><term><option>host-etc</option></term>
<listitem><para>
The host operating system's configuration from
<filename>/etc</filename>.
</para>
<para>
To avoid conflicting with the Flatpak
runtime, this is mounted in the sandbox
at <filename>/run/host/etc</filename>.
</para>
<para>
Available since 1.7.
</para></listitem></varlistentry>
<varlistentry><term><option>xdg-desktop</option>,
<option>xdg-documents</option>,
<option>xdg-download</option>,

View File

@@ -201,7 +201,7 @@
<listitem><para>
Allow the application access to a subset of the filesystem.
This overrides to the Context section from the application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
xdg-config, xdg-cache, xdg-data,
an absolute path, or a homedir-relative path like ~/dir or paths
@@ -222,7 +222,7 @@
Remove access to the specified subset of the filesystem from
the application. This overrides to the Context section from the
application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.

View File

@@ -341,7 +341,7 @@
<listitem><para>
Allow the application access to a subset of the filesystem.
This overrides to the Context section from the application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
xdg-run, xdg-config, xdg-cache, xdg-data,
an absolute path, or a homedir-relative path like ~/dir or paths
@@ -362,7 +362,7 @@
Remove access to the specified subset of the filesystem from
the application. This overrides to the Context section from the
application metadata.
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
an absolute path, or a homedir-relative path like ~/dir.
This option can be used multiple times.