Commit Graph

7164 Commits

Author SHA1 Message Date
Yuri Chornoivan
84fe927048 Update Ukrainian translation 2021-01-21 14:21:27 +01:00
Simon McVittie
b2b3612148 NEWS: Add CVE reference for CVE-2021-21261
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:20:48 +01:00
AsciiWolf
362c60e089 Update Czech translation 2021-01-21 14:20:01 +01:00
Piotr Drąg
ef825991e1 Update Polish translation 2021-01-21 14:18:45 +01:00
Simon McVittie
d0d5794621 doc: Mention some typical tags
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:18:21 +01:00
Simon McVittie
59a8be5805 run: Remove unused minimal environment
We instantiated this but didn't use it for anything.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:16:44 +01:00
Simon McVittie
baa5affb5e run: Pass environment variables via bwrap --setenv when running ldconfig
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap ends up being
run with an empty environment instead.

This did not regress in 6d1773d "run: Convert all environment variables
into bwrap arguments", because the LD_LIBRARY_PATH special case in
flatpak_run_add_environment_args() was already not used here; but it's
a bug fix along the same lines as fixing the regression.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:16:44 +01:00
Simon McVittie
fb473cad80 dir: Pass environment via bwrap --setenv when running apply_extra
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap ends up being
run with an empty environment instead.

As with the previous commit, this regressed while fixing CVE-2021-21261.

Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:16:44 +01:00
Simon McVittie
9a61d2c44f build: Convert environment into a sequence of bwrap arguments
This means we can systematically pass the environment variables
through bwrap(1), even if it is setuid and thus is filtering out
security-sensitive environment variables. bwrap itself ends up being
run with an empty environment instead.

This fixes a regression when CVE-2021-21261 was fixed: before the
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
and appeared in the `flatpak build` shell, but during the CVE fixes,
the special case that protected LD_LIBRARY_PATH was removed in favour
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
that we run the potentially-setuid bwrap.

Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
Resolves: https://github.com/flatpak/flatpak/issues/4080
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-21 14:16:44 +01:00
Phaedrus Leeds
06869af68a Merge pull request #4085 from pwithnall/null-subpaths
flatpak-dir: Fix crash on updating app with no deploy data or subpaths
2021-01-20 15:39:30 -08:00
Philip Withnall
8f24958d2a flatpak-dir: Set subpaths when calling Deploy() if not set
This adds `NULL` protection to the `subpaths` argument to
`flatpak_dir_system_helper_call_deploy()`, just like already exists for
other arguments.

It’s a second layer of defence against bugs like fixed in the previous
commit.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-01-20 21:44:15 +00:00
Philip Withnall
e274bafc01 flatpak-dir: Fix crash on updating app with no deploy data or subpaths
If an app had no deploy data, and `flatpak_dir_update()` was called with
`opt_subpaths == NULL`, then `arg_subpaths` passed to
`flatpak_dir_system_helper_call_deploy()` would be `NULL`, which causes
an assertion failure from an internal `g_variant_new()` call:
```
g_variant_new_strv: assertion 'length == 0 || strv != NULL' failed
```

Fix that by setting the `subpaths` to an empty array if nothing else is
specified.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-01-20 21:40:39 +00:00
Alexander Larsson
b8d8e5bf04 Fix nonliteral string warning in flatpak_invocation_return_error()
We're only forwarding a format string, which we can tell gcc by
adding a G_GNUC_PRINTF marker.
2021-01-14 12:43:46 +01:00
Alexander Larsson
d5de05b608 CI: Use the new --enable-asan 2021-01-14 12:43:46 +01:00
Alexander Larsson
97a153fe0a Add --enable-asan option
This passes -fsanitize=address in the right place.
Passing it this way instead of CFLAGS allows us to strategically
not add sanitize in specific places as needed.
2021-01-14 12:43:46 +01:00
Alexander Larsson
dad9a9c20d Pass AM_CFLAGS to system-helper build (for warnings) 2021-01-14 12:43:46 +01:00
Alexander Larsson
50ee8293cc Fix shadowed variable "error" 2021-01-14 12:43:46 +01:00
Alexander Larsson
649ad5fe49 Update pofiles for release 1.10.0 2021-01-14 10:58:56 +01:00
Alexander Larsson
47a5fa1f56 Bump version to 1.10 2021-01-14 10:47:32 +01:00
Alexander Larsson
67852b0101 Update NEWS for release 2021-01-14 10:47:22 +01:00
Alexander Larsson
c702f92609 Fix tests when installed tests are not enabled
We need a different rpath for libpreload in this case, because
installed_testdir is not set.
2021-01-14 10:32:18 +01:00
Simon McVittie
c4a58d5822 portal: Add the ability to unset environment variables
This is really just syntactic sugar for running `env -u VAR ... COMMAND`,
but env(1) is inconvenient when the form of the COMMAND is not known:
if the COMMAND might contain an equals sign, you end up having to run
`env -u VAR sh -c 'exec "$@"' sh COMMAND`. Let's make this simpler.

This follows up from GHSA-4ppf-fxf6-vxg2 to fix an issue that I noticed
while resolving that vulnerability, but is not required for fixing the
vulnerability.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
4108e02245 context: Add --unset-env option and a corresponding override
This follows up from GHSA-4ppf-fxf6-vxg2 to fix missing functionality
that I noticed while resolving that vulnerability, but is not required
for fixing the vulnerability.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
b0aea9c053 run: Allow setting environment variables to empty strings
Some consumers of environment variables distinguish between present
with an empty value and absent. For example, if an environment variable
represents a search path like VK_ICD_FILENAMES, unsetting it often
results in use of a default, but setting it to the empty string results
in not searching any locations, which is sometimes what is desired.

The shell syntax "${BAR-unset}" expands to the value of ${BAR} if it
is set to anything (even an empty string), or to "unset" if not.
We can use that in the unit test to check that BAR is set to the
empty string in this case.

This follows up from GHSA-4ppf-fxf6-vxg2 to fix an issue that I noticed
while resolving that vulnerability, but is not required for fixing the
vulnerability.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
e2c4ded323 portal: Let --env= and --env-fd= take precedence over extra-args
Previously, if you launched a subsandbox while specifying environment
variable overrides, any environment variable overrides that existed
in the parent Flatpak app would take precedence:

    host$ flatpak run --env=FOO=1 --command=bash example.app
    [📦 example.app ~]$ env | grep FOO
    FOO=1
    [📦 example.app ~]$ flatpak-spawn --env=FOO=x sh -c 'env | grep FOO'
    FOO=1

This does not seem like least-astonishment, and in particular will
cause problems if the app wants to override LD_LIBRARY_PATH in the
subsandbox. Change the precedence so that the environment variables
set by flatpak-spawn will "win":

    host$ flatpak run --env=FOO1=1 --env=FOO2=2 --command=bash example.app
    [📦 example.app ~]$ env | grep FOO
    FOO1=1
    FOO2=2
    [📦 example.app ~]$ flatpak-spawn --env=FOO1=x sh -c 'env | grep FOO'
    FOO1=x
    FOO2=2

This follows up from GHSA-4ppf-fxf6-vxg2 to fix an issue that I noticed
while resolving that vulnerability, but is not required for fixing the
vulnerability.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
4ac1106690 portal: Add a note about CLEAR_ENV behaviour
This seems like something to fix later, outside embargo.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
d19f6c330a tests: Assert that --env= does not go in flatpak run or bwrap environ
For the portal's use of --env-fd= to be safe, we want the environment
variables that it sets to end up in the environment for the program
that is run by `bwrap` as process 2, but they must not go into the
environment that gets used to run `flatpak run` or `bwrap`. Assert
that this is the case.

For completeness, we're testing both --env= and --env-fd= here,
even though the earlier commit
"portal: Do not use caller-supplied variables in environment"
always uses --env-fd=.

Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-14 09:33:24 +01:00
Simon McVittie
cc1401043c portal: Do not use caller-supplied variables in environment
If the caller specifies a variable that can be used to inject arbitrary
code into processes, we must not allow it to enter the environment
block used to run `flatpak run`, which runs unsandboxed.

This change requires the previous commit "context: Add --env-fd option",
which adds infrastructure used here.

To be secure, this change also requires the previous commit
"run: Convert all environment variables into bwrap arguments", which
protects a non-setuid bwrap(1) from the same attack.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Simon McVittie
39a5621e69 tests: Exercise --env-fd
Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Simon McVittie
aeb6a7ab0a portal: Convert --env in extra-args into --env-fd
This hides overridden variables from the command-line, which means
processes running under other uids can't see them in /proc/*/cmdline,
which might be important if they contain secrets.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Simon McVittie
6e5ae7a109 context: Add --env-fd option
This allows environment variables to be added to the context without
making their values visible to processes running under a different uid,
which might be significant if the variable's value is a token or some
other secret value.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Simon McVittie
821249844b tests: Expand coverage for environment variable overrides
This checks that `flatpak run --env=` takes precedence over
`flatpak override --env=`, and that environment variables don't get
onto the bwrap command-line (which would be information disclosure
if their values are secret).

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Simon McVittie
6d1773d2a5 run: Convert all environment variables into bwrap arguments
This avoids some of them being filtered out by a setuid bwrap. It also
means that if they came from an untrusted source, they cannot be used
to inject arbitrary code into a non-setuid bwrap via mechanisms like
LD_PRELOAD.

Because they get bundled into a memfd or temporary file, they do not
actually appear in argv, ensuring that they remain inaccessible to
processes running under a different uid (which is important if their
values are tokens or other secrets).

Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
2021-01-14 09:33:24 +01:00
Philip Withnall
c1561b1ded flatpak-utils-http: Don’t use GMainLoop
Iterate the `GMainContext` manually instead. This makes the exit
condition from the loop much more obvious, and eliminates the potential
class of problems where `g_main_loop_quit()` is called before
`g_main_loop_run()` and has no effect.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-01-13 19:32:58 +00:00
Simon McVittie
fe95ef6fad run: More accurately match PulseAudio's logic for finding its socket
On systems with no XDG_RUNTIME_DIR, PulseAudio falls back to creating
a temporary directory in /tmp, then creating a symlink in
legacy directory ~/.pulse or its more modern replacement ~/.config/pulse.
The symlink is named according to the machine ID, falling back to the
hostname.

Resolves: #4058
Might-resolve: #2169
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-12 11:02:14 +01:00
Simon McVittie
bbf6debec2 Add an option to share the pid namespace with the parent flatpak
As with flatpak run --parent-expose-pids, this will only work if we have
a working, non-setuid bwrap. Systems where user namespace creation is
restricted and bwrap needs to be setuid (Debian 10, RHEL/CentOS 7,
Arch Linux linux-hardened kernel) will have degraded functionality.

This option is similar to --expose-pids, except that instead of making
the subsandbox use a nested pid namespace inside the parent's, it makes
the subsandbox share the parent's pid namespace as-is, so that process
IDs in the parent and the subsandbox are interchangeable. This will
be useful if the parent and the subsandbox communicate via protocols
that assume a global view of the process ID namespace, for example
passing process IDs across an AF_UNIX socket or in shared memory.

In particular, this will be useful for Steam's pressure-vessel container
tool: the IPC between the Steam client and the "game overlay" loaded into
Steam games uses process IDs, and becomes confused if they don't match up.

This weakens the security boundary between a subsandbox and the parent,
but that's OK in some cases, especially if the subsandbox is being used
as a way to get a different runtime /usr (flatpak-spawn --latest-version
or #4018) rather than as a security boundary.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-12 09:55:23 +01:00
Michael Catanzaro
e5da98ff4b Mount resolved varlink socket in sandbox if network access is allowed
If network access is allowed, then we should probably allow name
resolution too.

This should be enough to make nss-resolve work inside flatpak. However,
it cannot be tested with GNOME runtimes, because GNOME runtimes do not
contain systemd. It also cannot be tested with the Fedora 33 flatpak
runtime, because this runtime contains systemd 246, where nss-resolve
uses D-Bus rather than varlink to communicate with systemd-resolved. And
there is no rawhide runtime, and will be no Fedora 34 runtime until F34
is branched. So currently it's not possible to actually test this
without building a custom runtime, which I have not attempted to do. I
have built flatpak myself and verified the resolved socket is mounted
properly inside the sandbox, but it would be better to test if it
actually works with a runtime that contains systemd 247.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1912131
2021-01-12 09:50:40 +01:00
Simon McVittie
eaa65989db run: Try using /var/run/pulse/native as PulseAudio socket
This brings us closer to matching what happens in libpulse.so.0.
This path is the default for a system-wide PulseAudio instance, which
is discouraged on non-embedded systems but is easy to check for.
In particular, SteamOS, an "appliance"-style gaming OS, uses this
socket.

Adapted from Steam's pressure-vessel container tool, which reuses
various Flatpak modules, including this function.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-12 09:42:43 +01:00
Simon McVittie
afe7f2bf78 env.d, profile.d: Disable gvfs plugins during login
This avoids gvfs-daemon being started when logging in as root via ssh.

Bug-Debian: https://bugs.debian.org/975710
2021-01-11 11:07:26 +01:00
Mourad De Clerck
f69a35ceec profile.d: Disable gvfs plugins when listing flatpak installations
This avoids gvfs-daemon being started when logging in as root via ssh.

Bug-Debian: https://bugs.debian.org/975710
2021-01-11 11:07:26 +01:00
Michael Catanzaro
9b34768fa7 Fix build with GCC 11
See:
fab561f8d0
2021-01-11 11:05:57 +01:00
Yuri Chornoivan
fe82462276 Update Ukrainian translation 2021-01-11 11:04:54 +01:00
Simon McVittie
8a00d43b22 Skip a test-case if /etc/mtab doesn't exist
fusermount requires /etc/mtab, but not all Debian buildd chroots
have that file, either as a regular file or as a symlink to
/proc/self/mounts.

(This is similar to commit b07b48e2, but for C code.)

Signed-off-by: Simon McVittie <smcv@debian.org>
2020-12-28 08:20:41 +01:00
Philip Withnall
f434508b07 env.d: Port the environment generators to use --print-updated-env
This reduces the amount of shell in use, and the number of subprocesses
spawned by that, so our system environment generator is as fast as
possible when used in the critical startup path.

It adds a new system environment generator so that the system flatpak
installation can be used outside of a user session. In particular, this
allows enumeration of system-installed flatpaks in gnome-initial-setup
in order to set parental controls on them.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-22 14:21:54 +01:00
Philip Withnall
9411fe2bca flatpak: Add --print-updated-env option to print environment
This is the environment needed to use flatpaks; a following commit will
hook this up to the systemd environment generator.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-22 14:21:54 +01:00
Philip Withnall
ba612b243e build: Rename a Makefile variable
This introduces no functional changes, but makes following changes a bit
clearer.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-22 14:21:54 +01:00
Alexander Larsson
ab394ffd0e Update pofiles for release 1.9.3 2020-12-22 14:11:49 +01:00
Alexander Larsson
7ff93b00cf Update version to 1.9.3, including NEWS 2020-12-22 14:05:07 +01:00
Alexander Larsson
ebf01791dc Download the new digested summary index sig if there
We still load the old one as a backup.
2020-12-22 13:49:59 +01:00
Alexander Larsson
f479c0f1a4 update-repo: Create an digested version of the summary index signature
In addition to the old summary.idx.sig we now create an identical file
in `summaries/$DIGEST.idx.sig`, where the digest is of the summary
index itself. This means it will have a unique name and there will
never be issues where downloading the index and signature will race
during an update.

We keep the new and the previous digested sigs every update to avoid
removing the previous one while its in use.

As suggested by simon in https://github.com/flatpak/flatpak/issues/3983
and https://github.com/ostreedev/ostree/issues/2250
2020-12-22 13:49:59 +01:00