mirror of
https://github.com/flatpak/flatpak.git
synced 2026-01-29 18:11:22 -05:00
When installing a flatpak with extra-data we execute the apply_extra script from the flatpak to extract the extra data files we created. This script runs with very little filesystem access, but it does have write permissions to the location that will eventually be /app/extra in the finished flatpak.

This is especially problematic for the systemwide install case, because the script is then run as root, so it could potentially create a setuid file there. Such a file would not be usable inside the sandbox (because setuid is disabled in the sandbox), but it could potentially be a problem if the user could be tricked into running the file directly on the host. This is the same behaviour as e.g. rpm or deb, which both can install setuid files, but we want to guarantee that flatpak is better than that.

The fix is to run the script with all capabilities dropped (bwrap --cap-drop ALL), which removes a bunch of possible attack vectors (for instance setting file capabilities). However, even without capabilities, it is possible for a user to make any file setuid to the same user, so we also need to canonicalize the permissions of all files generated by running the script. Additionally, while running the script we set the toplevel directory to only be accessible to the user, meaning we will not temporarily leak any potential setuid files to other users.

Note, this commit actually goes further than that and completely canonicalizes all the file permissions to be the same as those otherwise used by flatpak. For example we fix up cases where the script creates files writable or unreadable by non-root users.

Closes: #2323
Approved by: alexlarsson
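The post-processing step the commit message describes (keep the future /app/extra private while the untrusted script runs, then normalise every mode it left behind before opening the directory up) is illustrated below as an added example. It is not code from this flatpak commit: flatpak does this in C and with its own helpers, and the bwrap --cap-drop ALL part is not reproduced here at all. The function names are the editor's, the sample tree is constructed, and the canonical values (0755 for directories and executables, 0644 for everything else, all setuid/setgid/sticky bits cleared) are an assumption following the ostree convention rather than something the message spells out.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Canonical modes. Assumption: the ostree/flatpak convention of 0755 for
# directories and executables and 0644 for everything else; the commit does
# not spell the exact values out, so this is the editor's choice for the demo.
DIR_MODE = 0o755
EXEC_FILE_MODE = 0o755
PLAIN_FILE_MODE = 0o644
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def canonical_mode(st_mode: int) -> Optional[int]:
    """Canonical permission bits for an inode, or None for symlinks (their mode is meaningless on Linux)."""
    if stat.S_ISLNK(st_mode):
        return None
    if stat.S_ISDIR(st_mode):
        return DIR_MODE
    if stat.S_ISREG(st_mode):
        # Keep only the "is executable" intent; setuid, setgid, sticky,
        # group/other write and any missing read bits are all discarded.
        return EXEC_FILE_MODE if st_mode & ANY_EXEC else PLAIN_FILE_MODE
    # Devices, fifos, sockets: an extraction script has no business creating these.
    raise ValueError("refusing to canonicalize special file type 0o%o" % stat.S_IFMT(st_mode))


def canonicalize_tree(root: Path) -> List[Tuple[str, int, int]]:
    """Set every inode below root to its canonical mode.

    Uses lstat so symlinks are recognised and skipped rather than followed, and
    never descends into symlinked directories. Returns (relpath, old, new) for
    each inode whose mode was changed.
    """
    changes = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            want = canonical_mode(st.st_mode)
            if want is None:
                continue
            have = stat.S_IMODE(st.st_mode)
            if have != want:
                os.chmod(path, want)
                changes.append((str(path.relative_to(root)), have, want))
    return changes


def prepare_extra_dir(root: Path) -> None:
    """Create the future /app/extra directory readable by its owner only, so
    nothing the untrusted script drops there is visible to other users yet."""
    root.mkdir(mode=0o700)
    os.chmod(root, 0o700)  # make the mode independent of the umask


def seal_extra_dir(root: Path) -> List[Tuple[str, int, int]]:
    """Run after the script has finished: canonicalize the contents first,
    and only then open the top-level directory to other users."""
    changes = canonicalize_tree(root)
    os.chmod(root, DIR_MODE)
    return changes


def build_demo_tree(root: Path) -> None:
    """Constructed sample output of a misbehaving script (not real flatpak data)."""
    (root / "bin").mkdir()
    os.chmod(root / "bin", 0o700)                       # directory hidden from other users
    (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho hi\n")
    os.chmod(root / "bin" / "helper", 0o4711)           # setuid, unreadable by others
    (root / "data.bin").write_bytes(b"\x00" * 16)
    os.chmod(root / "data.bin", 0o666)                  # world-writable
    (root / "secret.cfg").write_bytes(b"key=1\n")
    os.chmod(root / "secret.cfg", 0o600)                # unreadable by non-owner
    (root / "ok.txt").write_bytes(b"fine\n")
    os.chmod(root / "ok.txt", 0o644)                    # already canonical
    os.symlink("data.bin", root / "link")               # must be skipped, not chmod'ed through


def demo() -> Dict[str, object]:
    """Whole flow in a temp dir; returns the resulting modes and the change log."""
    with tempfile.TemporaryDirectory() as tmp:
        extra = Path(tmp) / "extra"
        prepare_extra_dir(extra)
        build_demo_tree(extra)       # stands in for running apply_extra under bwrap --cap-drop ALL
        changes = seal_extra_dir(extra)
        names = ["bin", "bin/helper", "data.bin", "secret.cfg", "ok.txt"]
        return {
            "root_mode": stat.S_IMODE(os.lstat(extra).st_mode),
            "modes": {n: stat.S_IMODE(os.lstat(extra / n).st_mode) for n in names},
            "changes": {p: (old, new) for p, old, new in changes},
        }


if __name__ == "__main__":
    result = demo()
    for path, (old, new) in sorted(result["changes"].items()):
        print("%-12s %04o -> %04o" % (path, old, new))
```

Two design points carry over from the commit regardless of language: the walk uses lstat and never chmods through a symlink (an untrusted script could otherwise point a link at a host file and have the installer change its mode), and the top-level directory is widened to 0755 only after every child has been fixed, so there is no window in which another user can see or run a setuid file the script left behind.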