Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
We should do a new 1.16.x soon, but after releasing that, we certainly
won't have the resources to backport security fixes beyond 1.14.x.
Signed-off-by: Simon McVittie <smcv@collabora.com>
There are two places where we deliberately leak some memory. There are
some cases which look like leaks in libostree but it's not impossible
that we made a mistake in flatpak.
Two other cases seem like issues in flatpak that I couldn't figure out.
parse_ref_file() cleared all its out params to NULL, with the exception
of collection_id_out. Make sure to clear this one as well to avoid
surprises in the future.
Fixes commit ae7d96037 that added collection ID support to flatpakref.
In some restrictive environments like Whonix, access to /sys/ is blocked by file
permissions (chmod 0700 /sys). Previously, Flatpak would give bwrap a
command-line that will fail altogether in these locked-down environments.
Instead, fall back to running the app with no access to these /sys
subdirectories.
The application will be unable to enumerate game controllers and similar
hardware devices in this situation, but that's the same limited functionality
that would be seen for a non-sandboxed application.
Resolves: https://github.com/flatpak/flatpak/issues/5138
Include flatpak-ref-utils-private.h explicitly in each remaining
module that needs it (mostly for FlatpakDecomposed).
Signed-off-by: Simon McVittie <smcv@collabora.com>
This further reduces circular dependencies: utils no longer has a
circular dependency with repo-utils or xml-utils.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The declaration was already in flatpak-ref-utils-private.h.
Fixes: 5dae1fc6 "Break out ref helper functions to separate file"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is a step towards removing the libostree dependency from
flatpak-utils, which should be one of the lowest-level components.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This breaks the circular dependency between flatpak-utils and flatpak-dir.
There is still a circular dependency between flatpak-dir and
flatpak-dir-utils, but I don't want to make flatpak-dir even larger.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is a step towards making flatpak-utils conceptually "smaller"
than all other translation units, with no dependencies beyond GLib and
libglnx. In particular, consolidating all the OCI registry manipulation
into one place means we can build other translation units without
libarchive.
This would also be a step towards being able to provide a build-time
option to build a libostree-only version of Flatpak without the OCI
feature or the direct libarchive dependency, if someone wanted to
implement that.
Signed-off-by: Simon McVittie <smcv@collabora.com>
To include all languages, the languages key must be set to `*all*`, not
`all`. That was apparently intended to provide symmetry with how the
value is represented in the output of `flatpak config`.
These signals can be used by apps to monitor whether they need to emit
signals on the a11y bus or not. This can very significantly reduce
chattery on the a11y bus, and at least WebKit relies on these signals
to be broadcasted in.
The PR https://github.com/flatpak/xdg-dbus-proxy/pull/61 is required
for this changeset to work as expected, but it can land independently
as `--broadcast` is supported by xdg-dbus-proxy.
