From fe2536b8441858e3b22f6780dca64a516ee4e48c Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 23 Jan 2020 18:13:08 +0000 Subject: [PATCH] exports: Add host-etc and host-os keywords These are subsets of the host keyword, which provide access to operating system files but not to users' personal files. In particular, the experimental support for namespace-based sandboxes in the Steam Runtime[1] uses the graphics stack from the host system, which requires access to the host /usr/libQUAL, /libQUAL (even if the host OS has undergone the /usr merge, the canonical paths of ELF interpreters start with /lib), /etc/ld.so.cache, and for some libraries on Debian-based systems, /etc/alternatives. It will not be possible to do similar things in Flatpak without either allowing full host filesystem access (which exposes personal files, and in any case cannot be done by the Steam app because it is incompatible with --persist=.), or adding the ability to expose /usr and related directories without including the rest of the host filesystem. To the best of my knowledge, host-etc is not necessary for anything; I've mainly provided it for symmetry, since it's the other significant thing that we mount in /run/host and cannot get via --filesystem=/path. Some notes on the security/privacy implications of the new keywords: - Neither new keyword allows anything that was not already allowed by "host". - Neither new keyword can allow anything that was not already allowed to the user outside the sandbox. - "host-os" allows enumeration of the installed packages on the host system, and often their version numbers too. A malicious app could use this to look for exploitable security vulnerabilities on the host system. An app could also use this for fingerprinting, although this is not a regression, because the systemd/D-Bus machine ID, MAC addresses, hostname, kernel boot UUID, DMI product ID and many other unique or relatively unique properties are already available inside the sandbox. - "host-os" allows read access, and possibly write access (if the user has it outside the sandbox, for example members of group 'staff' in older Debian installations), to /usr/local. - "host-etc" allows reading configuration files whose contents might be considered sensitive, such as /etc/passwd. [1] https://steamcommunity.com/app/221410/discussions/0/1638675549018366706/ Signed-off-by: Simon McVittie --- common/flatpak-context.c | 19 +++++-- common/flatpak-exports-private.h | 6 ++- common/flatpak-exports.c | 86 ++++++++++++++++++++++++++++---- doc/flatpak-build-finish.xml | 4 +- doc/flatpak-build.xml | 4 +- doc/flatpak-metadata.xml | 63 +++++++++++++++++++++++ doc/flatpak-override.xml | 4 +- doc/flatpak-run.xml | 4 +- 8 files changed, 166 insertions(+), 24 deletions(-) diff --git a/common/flatpak-context.c b/common/flatpak-context.c index 4ff235b1..04719dcd 100644 --- a/common/flatpak-context.c +++ b/common/flatpak-context.c @@ -84,6 +84,8 @@ const char *flatpak_context_features[] = { const char *flatpak_context_special_filesystems[] = { "home", "host", + "host-etc", + "host-os", NULL }; @@ -765,7 +767,7 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode, return TRUE; g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED, - _("Unknown filesystem location %s, valid locations are: host, home, xdg-*[/…], ~/dir, /dir"), filesystem); + _("Unknown filesystem location %s, valid locations are: host, host-os, host-etc, home, xdg-*[/…], ~/dir, /dir"), filesystem); return FALSE; } @@ -2059,7 +2061,7 @@ flatpak_context_export (FlatpakContext *context, gboolean *home_access_out) { gboolean home_access = FALSE; - FlatpakFilesystemMode fs_mode, home_mode; + FlatpakFilesystemMode fs_mode, os_mode, etc_mode, home_mode; GHashTableIter iter; gpointer key, value; @@ -2089,9 +2091,20 @@ flatpak_context_export (FlatpakContext *context, closedir (dir); } flatpak_exports_add_path_expose (exports, fs_mode, "/run/media"); - flatpak_exports_add_host_expose (exports, fs_mode); } + os_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-os"), + fs_mode); + + if (os_mode != 0) + flatpak_exports_add_host_os_expose (exports, os_mode); + + etc_mode = MAX ((FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host-etc"), + fs_mode); + + if (etc_mode != 0) + flatpak_exports_add_host_etc_expose (exports, etc_mode); + home_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "home"); if (home_mode != 0) { diff --git a/common/flatpak-exports-private.h b/common/flatpak-exports-private.h index 61064d0a..bd335e44 100644 --- a/common/flatpak-exports-private.h +++ b/common/flatpak-exports-private.h @@ -37,8 +37,10 @@ void flatpak_exports_free (FlatpakExports *exports); FlatpakExports *flatpak_exports_new (void); void flatpak_exports_append_bwrap_args (FlatpakExports *exports, FlatpakBwrap *bwrap); -void flatpak_exports_add_host_expose (FlatpakExports *exports, - FlatpakFilesystemMode mode); +void flatpak_exports_add_host_etc_expose (FlatpakExports *exports, + FlatpakFilesystemMode mode); +void flatpak_exports_add_host_os_expose (FlatpakExports *exports, + FlatpakFilesystemMode mode); void flatpak_exports_add_path_expose (FlatpakExports *exports, FlatpakFilesystemMode mode, const char *path); diff --git a/common/flatpak-exports.c b/common/flatpak-exports.c index 9cf223b2..37a93e13 100644 --- a/common/flatpak-exports.c +++ b/common/flatpak-exports.c @@ -94,7 +94,8 @@ typedef struct struct _FlatpakExports { GHashTable *hash; - FlatpakFilesystemMode host_fs; + FlatpakFilesystemMode host_etc; + FlatpakFilesystemMode host_os; }; static void @@ -221,6 +222,27 @@ path_is_symlink (const char *path) return S_ISLNK (s.st_mode); } +/* + * @name: A file or directory below /etc + * @test: How we test whether it is suitable + * + * The paths in /etc that are required if we want to make use of the + * host /usr (and /lib, and so on). + */ +typedef struct +{ + const char *name; + GFileTest test; +} LibsNeedEtc; + +static const LibsNeedEtc libs_need_etc[] = +{ + /* glibc */ + { "ld.so.cache", G_FILE_TEST_IS_REGULAR }, + /* Used for executables and a few libraries on e.g. Debian */ + { "alternatives", G_FILE_TEST_IS_DIR } +}; + void flatpak_exports_append_bwrap_args (FlatpakExports *exports, FlatpakBwrap *bwrap) @@ -279,17 +301,17 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports, } } - if (exports->host_fs != 0) + if (exports->host_os != 0) { - const char *host_bind_mode = "--bind"; + const char *os_bind_mode = "--bind"; int i; - if (exports->host_fs == FLATPAK_FILESYSTEM_MODE_READ_ONLY) - host_bind_mode = "--ro-bind"; + if (exports->host_os == FLATPAK_FILESYSTEM_MODE_READ_ONLY) + os_bind_mode = "--ro-bind"; if (g_file_test ("/usr", G_FILE_TEST_IS_DIR)) flatpak_bwrap_add_args (bwrap, - host_bind_mode, "/usr", "/run/host/usr", NULL); + os_bind_mode, "/usr", "/run/host/usr", NULL); for (i = 0; flatpak_abs_usrmerged_dirs[i] != NULL; i++) { @@ -329,14 +351,49 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports, * or is a plain directory because the host OS has not * undergone the /usr merge; bind-mount the directory instead */ flatpak_bwrap_add_args (bwrap, - host_bind_mode, subdir, run_host_subdir, + os_bind_mode, subdir, run_host_subdir, NULL); } } + if (exports->host_etc == 0) + { + guint i; + + /* We are exposing the host /usr (and friends) but not the + * host /etc. Additionally expose just enough of /etc to make + * things that want to read /usr work as expected. + * + * (If exports->host_etc is nonzero, we'll do this as part of + * /etc instead.) */ + + for (i = 0; i < G_N_ELEMENTS (libs_need_etc); i++) + { + const LibsNeedEtc *item = &libs_need_etc[i]; + g_autofree gchar *host_path = g_strconcat ("/etc/", item->name, NULL); + + if (g_file_test (host_path, item->test)) + { + g_autofree gchar *run_host_path = g_strconcat ("/run/host/etc/", item->name, NULL); + + flatpak_bwrap_add_args (bwrap, + os_bind_mode, host_path, run_host_path, + NULL); + } + } + } + } + + if (exports->host_etc != 0) + { + const char *etc_bind_mode = "--bind"; + + if (exports->host_etc == FLATPAK_FILESYSTEM_MODE_READ_ONLY) + etc_bind_mode = "--ro-bind"; + if (g_file_test ("/etc", G_FILE_TEST_IS_DIR)) flatpak_bwrap_add_args (bwrap, - host_bind_mode, "/etc", "/run/host/etc", NULL); + etc_bind_mode, "/etc", "/run/host/etc", NULL); } } @@ -677,8 +734,15 @@ flatpak_exports_add_path_dir (FlatpakExports *exports, } void -flatpak_exports_add_host_expose (FlatpakExports *exports, - FlatpakFilesystemMode mode) +flatpak_exports_add_host_etc_expose (FlatpakExports *exports, + FlatpakFilesystemMode mode) { - exports->host_fs = mode; + exports->host_etc = mode; +} + +void +flatpak_exports_add_host_os_expose (FlatpakExports *exports, + FlatpakFilesystemMode mode) +{ + exports->host_os = mode; } diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml index d92eeb4d..e942d39e 100644 --- a/doc/flatpak-build-finish.xml +++ b/doc/flatpak-build-finish.xml @@ -225,7 +225,7 @@ Allow the application access to a subset of the filesystem. This updates the [Context] group in the metadata. - FS can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FS can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir. @@ -245,7 +245,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times. diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml index 55e3ec89..4414f144 100644 --- a/doc/flatpak-build.xml +++ b/doc/flatpak-build.xml @@ -219,7 +219,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir. @@ -239,7 +239,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times. diff --git a/doc/flatpak-metadata.xml b/doc/flatpak-metadata.xml index 7e445ac1..325a381a 100644 --- a/doc/flatpak-metadata.xml +++ b/doc/flatpak-metadata.xml @@ -231,6 +231,21 @@ shared. This option does not make additional files in /sys available. + + Additionally, this keyword provides all of the + same directories in + /run/host as the + and + keywords. + If this keyword is used in conjunction + with one of the + keywords, whichever access level is higher + (more permissive) will be used for the + directories in /run/host: + for example, + host:rw;host-os:ro; is + equivalent to host:rw;. + These other reserved directories are currently excluded: @@ -253,6 +268,54 @@ Available since 0.3. + + + The host operating system's libraries, + executables and static data from + /usr + and the related directories + /bin, + /lib, + /lib32, + /lib64, + /sbin. + Additionally, this keyword provides access + to a subset of /etc that + is associated with packaged libraries and + executables, even if the + keyword + was not used: + /etc/ld.so.cache, + (used by the dynamic linker) and + /etc/alternatives + (on operating systems that use it, such as + Debian). + + + To avoid conflicting with the Flatpak + runtime, these are mounted in the sandbox + at /run/host/usr, + /run/host/etc/ld.so.cache + and so on. + + + Available since 1.7. + + + + + The host operating system's configuration from + /etc. + + + To avoid conflicting with the Flatpak + runtime, this is mounted in the sandbox + at /run/host/etc. + + + Available since 1.7. + + , , , diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml index 8f131575..ef941bd8 100644 --- a/doc/flatpak-override.xml +++ b/doc/flatpak-override.xml @@ -201,7 +201,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths @@ -222,7 +222,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times. diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml index 5077c1a9..815ce23e 100644 --- a/doc/flatpak-run.xml +++ b/doc/flatpak-run.xml @@ -341,7 +341,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths @@ -362,7 +362,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata. - FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents, xdg-download, + FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times.