mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-09 02:33:00 -04:00
exports: Add host-etc and host-os keywords
These are subsets of the host keyword, which provide access to operating system files but not to users' personal files. In particular, the experimental support for namespace-based sandboxes in the Steam Runtime[1] uses the graphics stack from the host system, which requires access to the host /usr/libQUAL, /libQUAL (even if the host OS has undergone the /usr merge, the canonical paths of ELF interpreters start with /lib), /etc/ld.so.cache, and for some libraries on Debian-based systems, /etc/alternatives. It will not be possible to do similar things in Flatpak without either allowing full host filesystem access (which exposes personal files, and in any case cannot be done by the Steam app because it is incompatible with --persist=.), or adding the ability to expose /usr and related directories without including the rest of the host filesystem. To the best of my knowledge, host-etc is not necessary for anything; I've mainly provided it for symmetry, since it's the other significant thing that we mount in /run/host and cannot get via --filesystem=/path. Some notes on the security/privacy implications of the new keywords: - Neither new keyword allows anything that was not already allowed by "host". - Neither new keyword can allow anything that was not already allowed to the user outside the sandbox. - "host-os" allows enumeration of the installed packages on the host system, and often their version numbers too. A malicious app could use this to look for exploitable security vulnerabilities on the host system. An app could also use this for fingerprinting, although this is not a regression, because the systemd/D-Bus machine ID, MAC addresses, hostname, kernel boot UUID, DMI product ID and many other unique or relatively unique properties are already available inside the sandbox. - "host-os" allows read access, and possibly write access (if the user has it outside the sandbox, for example members of group 'staff' in older Debian installations), to /usr/local. - "host-etc" allows reading configuration files whose contents might be considered sensitive, such as /etc/passwd. [1] https://steamcommunity.com/app/221410/discussions/0/1638675549018366706/ Signed-off-by: Simon McVittie <smcv@collabora.com>
This commit is contained in:
committed by
Alexander Larsson
parent
949a3ec479
commit
fe2536b844
@@ -84,6 +84,8 @@ const char *flatpak_context_features[] = {
|
||||
const char *flatpak_context_special_filesystems[] = {
|
||||
"home",
|
||||
"host",
|
||||
"host-etc",
|
||||
"host-os",
|
||||
NULL
|
||||
};
|
||||
|
||||
@@ -765,7 +767,7 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode,
|
||||
return TRUE;
|
||||
|
||||
g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
|
||||
_("Unknown filesystem location %s, valid locations are: host, home, xdg-*[/…], ~/dir, /dir"), filesystem);
|
||||
_("Unknown filesystem location %s, valid locations are: host, host-os, host-etc, home, xdg-*[/…], ~/dir, /dir"), filesystem);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@@ -2059,7 +2061,7 @@ flatpak_context_export (FlatpakContext *context,
|
||||
gboolean *home_access_out)
|
||||
{
|
||||
gboolean home_access = FALSE;
|
||||
FlatpakFilesystemMode fs_mode, home_mode;
|
||||
FlatpakFilesystemMode fs_mode, os_mode, etc_mode, home_mode;
|
||||
GHashTableIter iter;
|
||||
gpointer key, value;
|
||||
|
||||
@@ -2089,9 +2091,20 @@ flatpak_context_export (FlatpakContext *context,
|
||||
closedir (dir);
|
||||
}
|
||||
flatpak_exports_add_path_expose (exports, fs_mode, "/run/media");
|
||||
flatpak_exports_add_host_expose (exports, fs_mode);
|
||||
}
|
||||
|
||||
os_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-os"),
|
||||
fs_mode);
|
||||
|
||||
if (os_mode != 0)
|
||||
flatpak_exports_add_host_os_expose (exports, os_mode);
|
||||
|
||||
etc_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-etc"),
|
||||
fs_mode);
|
||||
|
||||
if (etc_mode != 0)
|
||||
flatpak_exports_add_host_etc_expose (exports, etc_mode);
|
||||
|
||||
home_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "home");
|
||||
if (home_mode != 0)
|
||||
{
|
||||
|
||||
@@ -37,8 +37,10 @@ void flatpak_exports_free (FlatpakExports *exports);
|
||||
FlatpakExports *flatpak_exports_new (void);
|
||||
void flatpak_exports_append_bwrap_args (FlatpakExports *exports,
|
||||
FlatpakBwrap *bwrap);
|
||||
void flatpak_exports_add_host_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode);
|
||||
void flatpak_exports_add_host_etc_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode);
|
||||
void flatpak_exports_add_host_os_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode);
|
||||
void flatpak_exports_add_path_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode,
|
||||
const char *path);
|
||||
|
||||
@@ -94,7 +94,8 @@ typedef struct
|
||||
struct _FlatpakExports
|
||||
{
|
||||
GHashTable *hash;
|
||||
FlatpakFilesystemMode host_fs;
|
||||
FlatpakFilesystemMode host_etc;
|
||||
FlatpakFilesystemMode host_os;
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -221,6 +222,27 @@ path_is_symlink (const char *path)
|
||||
return S_ISLNK (s.st_mode);
|
||||
}
|
||||
|
||||
/*
|
||||
* @name: A file or directory below /etc
|
||||
* @test: How we test whether it is suitable
|
||||
*
|
||||
* The paths in /etc that are required if we want to make use of the
|
||||
* host /usr (and /lib, and so on).
|
||||
*/
|
||||
typedef struct
|
||||
{
|
||||
const char *name;
|
||||
GFileTest test;
|
||||
} LibsNeedEtc;
|
||||
|
||||
static const LibsNeedEtc libs_need_etc[] =
|
||||
{
|
||||
/* glibc */
|
||||
{ "ld.so.cache", G_FILE_TEST_IS_REGULAR },
|
||||
/* Used for executables and a few libraries on e.g. Debian */
|
||||
{ "alternatives", G_FILE_TEST_IS_DIR }
|
||||
};
|
||||
|
||||
void
|
||||
flatpak_exports_append_bwrap_args (FlatpakExports *exports,
|
||||
FlatpakBwrap *bwrap)
|
||||
@@ -279,17 +301,17 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
|
||||
}
|
||||
}
|
||||
|
||||
if (exports->host_fs != 0)
|
||||
if (exports->host_os != 0)
|
||||
{
|
||||
const char *host_bind_mode = "--bind";
|
||||
const char *os_bind_mode = "--bind";
|
||||
int i;
|
||||
|
||||
if (exports->host_fs == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
|
||||
host_bind_mode = "--ro-bind";
|
||||
if (exports->host_os == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
|
||||
os_bind_mode = "--ro-bind";
|
||||
|
||||
if (g_file_test ("/usr", G_FILE_TEST_IS_DIR))
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
host_bind_mode, "/usr", "/run/host/usr", NULL);
|
||||
os_bind_mode, "/usr", "/run/host/usr", NULL);
|
||||
|
||||
for (i = 0; flatpak_abs_usrmerged_dirs[i] != NULL; i++)
|
||||
{
|
||||
@@ -329,14 +351,49 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
|
||||
* or is a plain directory because the host OS has not
|
||||
* undergone the /usr merge; bind-mount the directory instead */
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
host_bind_mode, subdir, run_host_subdir,
|
||||
os_bind_mode, subdir, run_host_subdir,
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
|
||||
if (exports->host_etc == 0)
|
||||
{
|
||||
guint i;
|
||||
|
||||
/* We are exposing the host /usr (and friends) but not the
|
||||
* host /etc. Additionally expose just enough of /etc to make
|
||||
* things that want to read /usr work as expected.
|
||||
*
|
||||
* (If exports->host_etc is nonzero, we'll do this as part of
|
||||
* /etc instead.) */
|
||||
|
||||
for (i = 0; i < G_N_ELEMENTS (libs_need_etc); i++)
|
||||
{
|
||||
const LibsNeedEtc *item = &libs_need_etc[i];
|
||||
g_autofree gchar *host_path = g_strconcat ("/etc/", item->name, NULL);
|
||||
|
||||
if (g_file_test (host_path, item->test))
|
||||
{
|
||||
g_autofree gchar *run_host_path = g_strconcat ("/run/host/etc/", item->name, NULL);
|
||||
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
os_bind_mode, host_path, run_host_path,
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (exports->host_etc != 0)
|
||||
{
|
||||
const char *etc_bind_mode = "--bind";
|
||||
|
||||
if (exports->host_etc == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
|
||||
etc_bind_mode = "--ro-bind";
|
||||
|
||||
if (g_file_test ("/etc", G_FILE_TEST_IS_DIR))
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
host_bind_mode, "/etc", "/run/host/etc", NULL);
|
||||
etc_bind_mode, "/etc", "/run/host/etc", NULL);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -677,8 +734,15 @@ flatpak_exports_add_path_dir (FlatpakExports *exports,
|
||||
}
|
||||
|
||||
void
|
||||
flatpak_exports_add_host_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode)
|
||||
flatpak_exports_add_host_etc_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode)
|
||||
{
|
||||
exports->host_fs = mode;
|
||||
exports->host_etc = mode;
|
||||
}
|
||||
|
||||
void
|
||||
flatpak_exports_add_host_os_expose (FlatpakExports *exports,
|
||||
FlatpakFilesystemMode mode)
|
||||
{
|
||||
exports->host_os = mode;
|
||||
}
|
||||
|
||||
@@ -225,7 +225,7 @@
|
||||
<listitem><para>
|
||||
Allow the application access to a subset of the filesystem.
|
||||
This updates the [Context] group in the metadata.
|
||||
FS can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
FS can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
|
||||
xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative
|
||||
path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
|
||||
@@ -245,7 +245,7 @@
|
||||
Remove access to the specified subset of the filesystem from
|
||||
the application. This overrides to the Context section from the
|
||||
application metadata.
|
||||
FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
||||
an absolute path, or a homedir-relative path like ~/dir.
|
||||
This option can be used multiple times.
|
||||
|
||||
@@ -219,7 +219,7 @@
|
||||
<listitem><para>
|
||||
Allow the application access to a subset of the filesystem.
|
||||
This overrides to the Context section from the application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
|
||||
xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative
|
||||
path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
|
||||
@@ -239,7 +239,7 @@
|
||||
Remove access to the specified subset of the filesystem from
|
||||
the application. This overrides to the Context section from the
|
||||
application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
||||
an absolute path, or a homedir-relative path like ~/dir.
|
||||
This option can be used multiple times.
|
||||
|
||||
@@ -231,6 +231,21 @@
|
||||
shared. This option does not make additional
|
||||
files in /sys available.
|
||||
</para>
|
||||
<para>
|
||||
Additionally, this keyword provides all of the
|
||||
same directories in
|
||||
<filename>/run/host</filename> as the
|
||||
<option>host-os</option> and
|
||||
<option>host-etc</option> keywords.
|
||||
If this keyword is used in conjunction
|
||||
with one of the <option>host-</option>
|
||||
keywords, whichever access level is higher
|
||||
(more permissive) will be used for the
|
||||
directories in <filename>/run/host</filename>:
|
||||
for example,
|
||||
<code>host:rw;host-os:ro;</code> is
|
||||
equivalent to <code>host:rw;</code>.
|
||||
</para>
|
||||
<para>
|
||||
These other reserved directories are
|
||||
currently excluded:
|
||||
@@ -253,6 +268,54 @@
|
||||
Available since 0.3.
|
||||
</para></listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><option>host-os</option></term>
|
||||
<listitem><para>
|
||||
The host operating system's libraries,
|
||||
executables and static data from
|
||||
<filename>/usr</filename>
|
||||
and the related directories
|
||||
<filename>/bin</filename>,
|
||||
<filename>/lib</filename>,
|
||||
<filename>/lib32</filename>,
|
||||
<filename>/lib64</filename>,
|
||||
<filename>/sbin</filename>.
|
||||
Additionally, this keyword provides access
|
||||
to a subset of <filename>/etc</filename> that
|
||||
is associated with packaged libraries and
|
||||
executables, even if the
|
||||
<option>host-etc</option> keyword
|
||||
was not used:
|
||||
<filename>/etc/ld.so.cache</filename>,
|
||||
(used by the dynamic linker) and
|
||||
<filename>/etc/alternatives</filename>
|
||||
(on operating systems that use it, such as
|
||||
Debian).
|
||||
</para>
|
||||
<para>
|
||||
To avoid conflicting with the Flatpak
|
||||
runtime, these are mounted in the sandbox
|
||||
at <filename>/run/host/usr</filename>,
|
||||
<filename>/run/host/etc/ld.so.cache</filename>
|
||||
and so on.
|
||||
</para>
|
||||
<para>
|
||||
Available since 1.7.
|
||||
</para></listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><option>host-etc</option></term>
|
||||
<listitem><para>
|
||||
The host operating system's configuration from
|
||||
<filename>/etc</filename>.
|
||||
</para>
|
||||
<para>
|
||||
To avoid conflicting with the Flatpak
|
||||
runtime, this is mounted in the sandbox
|
||||
at <filename>/run/host/etc</filename>.
|
||||
</para>
|
||||
<para>
|
||||
Available since 1.7.
|
||||
</para></listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><option>xdg-desktop</option>,
|
||||
<option>xdg-documents</option>,
|
||||
<option>xdg-download</option>,
|
||||
|
||||
@@ -201,7 +201,7 @@
|
||||
<listitem><para>
|
||||
Allow the application access to a subset of the filesystem.
|
||||
This overrides to the Context section from the application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
|
||||
xdg-config, xdg-cache, xdg-data,
|
||||
an absolute path, or a homedir-relative path like ~/dir or paths
|
||||
@@ -222,7 +222,7 @@
|
||||
Remove access to the specified subset of the filesystem from
|
||||
the application. This overrides to the Context section from the
|
||||
application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
||||
an absolute path, or a homedir-relative path like ~/dir.
|
||||
This option can be used multiple times.
|
||||
|
||||
@@ -341,7 +341,7 @@
|
||||
<listitem><para>
|
||||
Allow the application access to a subset of the filesystem.
|
||||
This overrides to the Context section from the application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
||||
xdg-run, xdg-config, xdg-cache, xdg-data,
|
||||
an absolute path, or a homedir-relative path like ~/dir or paths
|
||||
@@ -362,7 +362,7 @@
|
||||
Remove access to the specified subset of the filesystem from
|
||||
the application. This overrides to the Context section from the
|
||||
application metadata.
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, xdg-desktop, xdg-documents, xdg-download,
|
||||
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
||||
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
||||
an absolute path, or a homedir-relative path like ~/dir.
|
||||
This option can be used multiple times.
|
||||
|
||||
Reference in New Issue
Block a user