flatpak/common
Simon McVittie b74dcd136f run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
manipulate its root directory. We need to block this so that AF_UNIX-based
socket servers (X11, Wayland, etc.) can rely on
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.

Partially fixes GHSA-67h7-w3jq-vh4q.

Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-10-08 12:25:16 +02:00