diff -Nru flatpak-1.10.2/debian/.gitignore flatpak-1.10.2/debian/.gitignore
--- flatpak-1.10.2/debian/.gitignore 2021-07-25 19:44:58.000000000 +0000
+++ flatpak-1.10.2/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
@@ -1,8 +0,0 @@
-/*.debhelper
-/*.substvars
-/flatpak-tests/
-/flatpak/
-/gir1.2-flatpak-1.0/
-/libflatpak-dev/
-/libflatpak-doc/
-/libflatpak0/
diff -Nru flatpak-1.10.2/debian/changelog flatpak-1.10.2/debian/changelog
--- flatpak-1.10.2/debian/changelog 2021-07-25 19:44:58.000000000 +0000
+++ flatpak-1.10.2/debian/changelog 2021-10-12 23:36:35.000000000 +0000
@@ -1,3 +1,20 @@
+flatpak (1.10.2-3ubuntu0.1) impish-security; urgency=medium
+
+ * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls (LP: #1946578)
+ - debian/paches/CVE-2021-41133-1.patch
+ - debian/paches/CVE-2021-41133-2.patch
+ - debian/paches/CVE-2021-41133-3.patch
+ - debian/paches/CVE-2021-41133-4.patch
+ - debian/paches/CVE-2021-41133-5.patch
+ - debian/paches/CVE-2021-41133-6.patch
+ - debian/paches/CVE-2021-41133-7.patch
+ - debian/paches/CVE-2021-41133-8.patch
+ - debian/paches/CVE-2021-41133-9.patch
+ - debian/paches/CVE-2021-41133-10.patch
+ - CVE-2021-41133
+
+ -- Andrew Hayzen Wed, 13 Oct 2021 00:36:35 +0100
+
 flatpak (1.10.2-3) unstable; urgency=medium

 * d/patches: Align with upstream flatpak-1.10.x branch, making this
diff -Nru flatpak-1.10.2/debian/control flatpak-1.10.2/debian/control
--- flatpak-1.10.2/debian/control 2021-07-25 19:44:58.000000000 +0000
+++ flatpak-1.10.2/debian/control 2021-10-12 23:36:35.000000000 +0000
@@ -1,7 +1,8 @@
 Source: flatpak
 Section: admin
 Priority: optional
-Maintainer: Utopia Maintenance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Utopia Maintenance Team
 Uploaders: Matthias Klumpp , Simon McVittie ,
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-1.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-1.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-1.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,150 @@
+From e26ac7586c392b5eb35ff4609fe232c52523b2cf Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 11:53:23 +0100
+Subject: run: Add an errno value to seccomp filters
+
+At the moment, if we block a syscall we always make it fail with EPERM,
+but this is risky: user-space libraries can start to use new replacements
+for old syscalls at any time, and will often treat EPERM as a fatal error.
+For new syscalls, we should make the syscall fail with ENOSYS, which is
+indistinguishable from running on an older kernel and will cause fallback
+to an older implementation, for example clone3() to clone().
+
+In future we should probably move from EPERM to ENOSYS for some of the
+syscalls we already block, but for now keep the status quo.
+
+This is a prerequisite for fixing the vulnerability tracked as
+GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 62 +++++++++++++++++++++++++-------------------
+ 1 file changed, 36 insertions(+), 26 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index e93b3d63..7817ff94 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2897,61 +2897,63 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ struct
+ {
+ int scall;
++ int errnum;
+ struct scmp_arg_cmp *arg;
+ } syscall_blocklist[] = {
+ /* Block dmesg */
+- {SCMP_SYS (syslog)},
++ {SCMP_SYS (syslog), EPERM},
+ /* Useless old syscall */
+- {SCMP_SYS (uselib)},
++ {SCMP_SYS (uselib), EPERM},
+ /* Don't allow disabling accounting */
+- {SCMP_SYS (acct)},
++ {SCMP_SYS (acct), EPERM},
+ /* 16-bit code is unnecessary in the sandbox, and modify_ldt is a
+ historic source of interesting information leaks. */
+- {SCMP_SYS (modify_ldt)},
++ {SCMP_SYS (modify_ldt), EPERM},
+ /* Don't allow reading current quota use */
+- {SCMP_SYS (quotactl)},
++ {SCMP_SYS (quotactl), EPERM},
+
+ /* Don't allow access to the kernel keyring */
+- {SCMP_SYS (add_key)},
+- {SCMP_SYS (keyctl)},
+- {SCMP_SYS (request_key)},
++ {SCMP_SYS (add_key), EPERM},
++ {SCMP_SYS (keyctl), EPERM},
++ {SCMP_SYS (request_key), EPERM},
+
+ /* Scary VM/NUMA ops */
+- {SCMP_SYS (move_pages)},
+- {SCMP_SYS (mbind)},
+- {SCMP_SYS (get_mempolicy)},
+- {SCMP_SYS (set_mempolicy)},
+- {SCMP_SYS (migrate_pages)},
++ {SCMP_SYS (move_pages), EPERM},
++ {SCMP_SYS (mbind), EPERM},
++ {SCMP_SYS (get_mempolicy), EPERM},
++ {SCMP_SYS (set_mempolicy), EPERM},
++ {SCMP_SYS (migrate_pages), EPERM},
+
+ /* Don't allow subnamespace setups: */
+- {SCMP_SYS (unshare)},
+- {SCMP_SYS (mount)},
+- {SCMP_SYS (pivot_root)},
++ {SCMP_SYS (unshare), EPERM},
++ {SCMP_SYS (mount), EPERM},
++ {SCMP_SYS (pivot_root), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+ /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+ * and flags arguments are reversed so the flags come second */
+- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
++ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ #else
+ /* Normally the flags come first */
+- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
++ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ #endif
+
+ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
++ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ };
+
+ struct
+ {
+ int scall;
++ int errnum;
+ struct scmp_arg_cmp *arg;
+ } syscall_nondevel_blocklist[] = {
+ /* Profiling operations; we expect these to be done by tools from outside
+ * the sandbox. In particular perf has been the source of many CVEs.
+ */
+- {SCMP_SYS (perf_event_open)},
++ {SCMP_SYS (perf_event_open), EPERM},
+ /* Don't allow you to switch to bsd emulation or whatnot */
+- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
+- {SCMP_SYS (ptrace)}
++ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
++ {SCMP_SYS (ptrace), EPERM}
+ };
+ /* Blocklist all but unix, inet, inet6 and netlink */
+ struct
+@@ -3035,10 +3037,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++)
+ {
+ int scall = syscall_blocklist[i].scall;
++ int errnum = syscall_blocklist[i].errnum;
++
++ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
++
+ if (syscall_blocklist[i].arg)
+- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg);
++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
+ else
+- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+ if (r < 0 && r == -EFAULT /* unknown syscall */)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ }
+@@ -3048,10 +3054,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++)
+ {
+ int scall = syscall_nondevel_blocklist[i].scall;
++ int errnum = syscall_nondevel_blocklist[i].errnum;
++
++ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
++
+ if (syscall_nondevel_blocklist[i].arg)
+- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg);
++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg);
+ else
+- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+
+ if (r < 0 && r == -EFAULT /* unknown syscall */)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-10.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-10.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-10.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-10.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,29 @@
+From 3fc8c672676ae016f8e7cc90481b2feecbad9861 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 8 Oct 2021 19:00:13 +0100
+Subject: Fix handling of syscalls only allowed by --devel
+
+This was incorrectly looking at errno instead of -r.
+
+Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 3da5f332..feaedc6c 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -3101,7 +3101,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+
+ /* See above for the meaning of EFAULT. */
+- if (errno == EFAULT)
++ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-2.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-2.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-2.patch 2021-10-12 23:36:35.000000000 +0000
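Review bot: The new `errnum` field in `syscall_blocklist` and `syscall_nondevel_blocklist` encodes a policy (EPERM keeps the existing behaviour, ENOSYS is for syscalls new enough that libc falls back to an older equivalent) that only the commit message states, so the next person adding a row has nothing in the code to tell them which value to choose. A comment on the field, `/* EPERM: historical behaviour. ENOSYS: syscall is recent enough that user space treats it as absent and falls back, e.g. clone3() -> clone(). */`, would keep the rule next to the tables it governs. The `g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE)` guard is also worth a one-line comment, since a row written in the old `{SCMP_SYS (x)}` form now yields `errnum == 0`, and `SCMP_ACT_ERRNO (0)` would report success to the caller without running the syscall rather than blocking it. setup_seccomp begins and ends outside these hunks.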
@@ -0,0 +1,28 @@
+From 89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 12:44:04 +0100
+Subject: run: Add cross-references for some other seccomp syscall filters
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 7817ff94..ff6403d3 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2892,6 +2892,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ * https://git.gnome.org/browse/linux-user-chroot
+ * in src/setup-seccomp.c
+ *
++ * Other useful resources:
++ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
++ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
++ *
+ **** END NOTE ON CODE SHARING
+ */
+ struct
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-3.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-3.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-3.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,248 @@
+From 26b12484eb8a6219b9e7aa287b298a894b2f34ca Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 14:17:04 +0100
+Subject: common: Add a list of recently-added Linux syscalls
+
+Historically, syscalls could take arbitrarily-different values on
+different architectures, but new syscalls are added with syscall numbers
+that align on each architecture.
+
+Signed-off-by: Simon McVittie
+---
+ common/Makefile.am.inc | 1 +
+ common/flatpak-run.c | 2 +
+ common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++
+ 3 files changed, 200 insertions(+)
+ create mode 100644 common/flatpak-syscalls-private.h
+
+diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
+index d15da089..892ee4ca 100644
+--- a/common/Makefile.am.inc
++++ b/common/Makefile.am.inc
+@@ -160,6 +160,7 @@ libflatpak_common_la_SOURCES = \
+ common/flatpak-remote.c \
+ common/flatpak-run-private.h \
+ common/flatpak-run.c \
++ common/flatpak-syscalls-private.h \
+ common/flatpak-transaction-private.h \
+ common/flatpak-transaction.c \
+ common/flatpak-transaction.h \
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index ff6403d3..1c827353 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -41,6 +41,8 @@
+ #include
+ #endif
+
++#include "flatpak-syscalls-private.h"
++
+ #ifdef ENABLE_SECCOMP
+ #include
+ #endif
+diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h
+new file mode 100644
+index 00000000..04eb38ce
+--- /dev/null
++++ b/common/flatpak-syscalls-private.h
+@@ -0,0 +1,197 @@
++/*
++ * Copyright 2021 Collabora Ltd.
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library. If not, see .
++ */
++
++#pragma once
++
++#include
++
++#if defined(_MIPS_SIM)
++# if _MIPS_SIM == _MIPS_SIM_ABI32
++# define FLATPAK_MISSING_SYSCALL_BASE 4000
++# elif _MIPS_SIM == _MIPS_SIM_ABI64
++# define FLATPAK_MISSING_SYSCALL_BASE 5000
++# elif _MIPS_SIM == _MIPS_SIM_NABI32
++# define FLATPAK_MISSING_SYSCALL_BASE 6000
++# else
++# error "Unknown MIPS ABI"
++# endif
++#endif
++
++#if defined(__ia64__)
++# define FLATPAK_MISSING_SYSCALL_BASE 1024
++#endif
++
++#if defined(__alpha__)
++# define FLATPAK_MISSING_SYSCALL_BASE 110
++#endif
++
++#if defined(__x86_64__) && defined(__ILP32__)
++# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
++#endif
++
++/*
++ * FLATPAK_MISSING_SYSCALL_BASE:
++ *
++ * Number to add to the syscall numbers of recently-added syscalls
++ * to get the appropriate syscall for the current ABI.
++ */
++#ifndef FLATPAK_MISSING_SYSCALL_BASE
++# define FLATPAK_MISSING_SYSCALL_BASE 0
++#endif
++
++#ifndef __NR_open_tree
++# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
++#endif
++#ifndef __SNR_open_tree
++# define __SNR_open_tree __NR_open_tree
++#endif
++
++#ifndef __NR_move_mount
++# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
++#endif
++#ifndef __SNR_move_mount
++# define __SNR_move_mount __NR_move_mount
++#endif
++
++#ifndef __NR_fsopen
++# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
++#endif
++#ifndef __SNR_fsopen
++# define __SNR_fsopen __NR_fsopen
++#endif
++
++#ifndef __NR_fsconfig
++# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
++#endif
++#ifndef __SNR_fsconfig
++# define __SNR_fsconfig __NR_fsconfig
++#endif
++
++#ifndef __NR_fsmount
++# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
++#endif
++#ifndef __SNR_fsmount
++# define __SNR_fsmount __NR_fsmount
++#endif
++
++#ifndef __NR_fspick
++# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
++#endif
++#ifndef __SNR_fspick
++# define __SNR_fspick __NR_fspick
++#endif
++
++#ifndef __NR_pidfd_open
++# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
++#endif
++#ifndef __SNR_pidfd_open
++# define __SNR_pidfd_open __NR_pidfd_open
++#endif
++
++#ifndef __NR_clone3
++# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
++#endif
++#ifndef __SNR_clone3
++# define __SNR_clone3 __NR_clone3
++#endif
++
++#ifndef __NR_close_range
++# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
++#endif
++#ifndef __SNR_close_range
++# define __SNR_close_range __NR_close_range
++#endif
++
++#ifndef __NR_openat2
++# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
++#endif
++#ifndef __SNR_openat2
++# define __SNR_openat2 __NR_openat2
++#endif
++
++#ifndef __NR_pidfd_getfd
++# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
++#endif
++#ifndef __SNR_pidfd_getfd
++# define __SNR_pidfd_getfd __NR_pidfd_getfd
++#endif
++
++#ifndef __NR_faccessat2
++# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
++#endif
++#ifndef __SNR_faccessat2
++# define __SNR_faccessat2 __NR_faccessat2
++#endif
++
++#ifndef __NR_process_madvise
++# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
++#endif
++#ifndef __SNR_process_madvise
++# define __SNR_process_madvise __NR_process_madvise
++#endif
++
++#ifndef __NR_epoll_pwait2
++# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
++#endif
++#ifndef __SNR_epoll_pwait2
++# define __SNR_epoll_pwait2 __NR_epoll_pwait2
++#endif
++
++#ifndef __NR_mount_setattr
++# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
++#endif
++#ifndef __SNR_mount_setattr
++# define __SNR_mount_setattr __NR_mount_setattr
++#endif
++
++#ifndef __NR_quotactl_fd
++# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
++#endif
++#ifndef __SNR_quotactl_fd
++# define __SNR_quotactl_fd __NR_quotactl_fd
++#endif
++
++#ifndef __NR_landlock_create_ruleset
++# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
++#endif
++#ifndef __SNR_landlock_create_ruleset
++# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
++#endif
++
++#ifndef __NR_landlock_add_rule
++# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
++#endif
++#ifndef __SNR_landlock_add_rule
++# define __SNR_landlock_add_rule __NR_landlock_add_rule
++#endif
++
++#ifndef __NR_landlock_restrict_self
++# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
++#endif
++#ifndef __SNR_landlock_restrict_self
++# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
++#endif
++
++#ifndef __NR_memfd_secret
++# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
++#endif
++#ifndef __SNR_memfd_secret
++# define __SNR_memfd_secret __NR_memfd_secret
++#endif
++
++/* Last updated: Linux 5.14, syscall numbers < 448 */
+--
+2.25.1
+
diff -Nru 
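Review bot: The fallback `__NR_*`/`__SNR_*` definitions in flatpak-syscalls-private.h only do their job if the header is seen before the libseccomp header, which (as far as I know) derives its own `__SNR_*` values from whether `__NR_*` is already defined; the flatpak-run.c hunk does place the new include ahead of the include guarded by `#ifdef ENABLE_SECCOMP`, but nothing records that the order is load-bearing, so a later include cleanup could silently drop every rule that depends on it. A comment at the include site, `/* Must precede the libseccomp header: supplies __NR_/__SNR_ values for syscalls that the build host's headers or libseccomp may predate. */`, would protect that. The trailing `/* Last updated: Linux 5.14, syscall numbers < 448 */` is the only maintenance pointer; extending it to say that any later VFS- or namespace-affecting syscall stays unfiltered until this table is refreshed would make the limitation explicit to whoever does the next rebase. The include target on the `#include` line did not survive extraction on this page, so I cannot confirm which header it names.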
flatpak-1.10.2/debian/patches/CVE-2021-41133-4.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-4.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-4.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,39 @@
+From a10f52a7565c549612c92b8e736a6698a53db330 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 11:59:00 +0100
+Subject: run: Block clone3() in sandbox
+
+clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
+a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
+manipulate its root directory. We need to block this so that AF_UNIX-based
+socket servers (X11, Wayland, etc.) can rely on
+/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Thanks: an anonymous reporter
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 1c827353..aca50394 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2945,6 +2945,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
+
+ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
++
++ /* seccomp can't look into clone3()'s struct clone_args to check whether
++ * the flags are OK, so we have no choice but to block clone3().
++ * Return ENOSYS so user-space will fall back to clone().
++ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
++ {SCMP_SYS (clone3), ENOSYS},
+ };
+
+ struct
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-5.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-5.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-5.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,41 @@
+From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 12:45:54 +0100
+Subject: run: Disallow recently-added mount-manipulation syscalls
+
+If we don't allow mount() then we shouldn't allow these either.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Thanks: an anonymous reporter
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index aca50394..7cbabde0 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2951,6 +2951,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ * Return ENOSYS so user-space will fall back to clone().
+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
+ {SCMP_SYS (clone3), ENOSYS},
++
++ /* New mount manipulation APIs can also change our VFS. There's no
++ * legitimate reason to do these in the sandbox, so block all of them
++ * rather than thinking about which ones might be dangerous.
++ * (GHSA-67h7-w3jq-vh4q) */
++ {SCMP_SYS (open_tree), ENOSYS},
++ {SCMP_SYS (move_mount), ENOSYS},
++ {SCMP_SYS (fsopen), ENOSYS},
++ {SCMP_SYS (fsconfig), ENOSYS},
++ {SCMP_SYS (fsmount), ENOSYS},
++ {SCMP_SYS (fspick), ENOSYS},
++ {SCMP_SYS (mount_setattr), ENOSYS},
+ };
+
+ struct
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-6.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-6.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-6.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-6.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,30 @@
+From 4c34815784e9ffda5733225c7d95824f96375e36 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 14:19:31 +0100
+Subject: run: Block setns()
+
+If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
+shouldn't allow joining an existing (but different) namespace.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 7cbabde0..277f2de3 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2932,6 +2932,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
+
+ /* Don't allow subnamespace setups: */
+ {SCMP_SYS (unshare), EPERM},
++ {SCMP_SYS (setns), EPERM},
+ {SCMP_SYS (mount), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-7.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-7.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-7.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-7.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,31 @@
+From 1330662f33a55e88bfe18e76de28b7922d91a999 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 14:20:29 +0100
+Subject: run: Don't allow unmounting filesystems
+
+If we don't allow mounting filesystems, we shouldn't allow unmounting
+either.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 277f2de3..a6ef5042 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2934,6 +2934,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ {SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (setns), EPERM},
+ {SCMP_SYS (mount), EPERM},
++ {SCMP_SYS (umount), EPERM},
++ {SCMP_SYS (umount2), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+ /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-8.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-8.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-8.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-8.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,30 @@
+From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 14:21:04 +0100
+Subject: run: Don't allow chroot()
+
+If we don't allow pivot_root() then there seems no reason why we should
+allow chroot().
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index a6ef5042..78613437 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2937,6 +2937,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ {SCMP_SYS (umount), EPERM},
+ {SCMP_SYS (umount2), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
++ {SCMP_SYS (chroot), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+ /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+ * and flags arguments are reversed so the flags come second */
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/CVE-2021-41133-9.patch flatpak-1.10.2/debian/patches/CVE-2021-41133-9.patch
--- flatpak-1.10.2/debian/patches/CVE-2021-41133-9.patch 1970-01-01 00:00:00.000000000 +0000
+++ flatpak-1.10.2/debian/patches/CVE-2021-41133-9.patch 2021-10-12 23:36:35.000000000 +0000
@@ -0,0 +1,68 @@
+From d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 8 Oct 2021 17:05:07 +0100
+Subject: run: Handle unknown syscalls as intended
+
+The error-handling here was
+
+ if (r < 0 && r == -EFAULT)
+
+but Alex says it was almost certainly intended to be
+
+ if (r < 0 && r != -EFAULT)
+
+so that syscalls not known to libseccomp are not a fatal error.
+
+Instead of literally making that change, emit a debug message on -EFAULT
+so we can see what is going on.
+
+This temporarily weakens our defence against CVE-2021-41133
+(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
+version of libseccomp does not know about the recently-added syscalls,
+but the kernel does, then we will not prevent non-native executables
+from using those syscalls.
+
+Resolves: https://github.com/flatpak/flatpak/issues/4458
+Signed-off-by: Simon McVittie
+---
+ common/flatpak-run.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 78613437..3da5f332 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -3073,7 +3073,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
+ else
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+- if (r < 0 && r == -EFAULT /* unknown syscall */)
++
++ /* EFAULT means "internal libseccomp error", but in practice we get
++ * this for syscall numbers added via flatpak-syscalls-private.h
++ * when trying to filter them on a non-native architecture, because
++ * libseccomp cannot map the syscall number to a name and back to a
++ * number for the non-native architecture. */
++ if (r == -EFAULT)
++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
++ scall);
++ else if (r < 0)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ }
+
+@@ -3091,7 +3100,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ else
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+
+- if (r < 0 && r == -EFAULT /* unknown syscall */)
++ /* See above for the meaning of EFAULT. */
++ if (errno == EFAULT)
++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
++ scall);
++ else if (r < 0)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ }
+ }
+--
+2.25.1
+
diff -Nru flatpak-1.10.2/debian/patches/series flatpak-1.10.2/debian/patches/series
--- flatpak-1.10.2/debian/patches/series 2021-07-25 19:44:58.000000000 +0000
+++ flatpak-1.10.2/debian/patches/series 2021-10-12 23:36:35.000000000 +0000
@@ -5,3 +5,13 @@
 portal-Remap-env-fd-into-child-process-s-fd-space.patch
 tests-Remove-hard-coded-references-to-x86_64.patch
 system-helper-Fix-deploys-of-local-remotes.patch
+CVE-2021-41133-1.patch
+CVE-2021-41133-2.patch
+CVE-2021-41133-3.patch
+CVE-2021-41133-4.patch
+CVE-2021-41133-5.patch
+CVE-2021-41133-6.patch
+CVE-2021-41133-7.patch
+CVE-2021-41133-8.patch
+CVE-2021-41133-9.patch
+CVE-2021-41133-10.patch
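Review bot: Routing the `-EFAULT` case to `flatpak_debug2` in both hunks means a host whose libseccomp predates the syscalls from flatpak-syscalls-private.h loads a filter that is missing those rules for non-native ABIs, and nothing above debug verbosity records that it happened; the commit message acknowledges the weakening, but an operator reviewing a deployment has no signal to notice it. Consider emitting that message at a level that is visible without debug logging enabled, or at least widening the comment so the consequence is stated where the decision is made, e.g. `/* A rule skipped here is absent from the loaded filter for non-native architectures; if this fires, the installed libseccomp is older than the syscalls we block. */`. The surrounding `for` loops and setup_seccomp itself begin before and end after these hunks.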