Comment 2 for bug 1946578

Simon McVittie (smcv) wrote : Re: Placeholder for CVE-2021-41133

I think we have the regressions under control now.

https://salsa.debian.org/debian/flatpak/-/commits/wip/1.10.x/ is packaging of 1.10.5 aimed at inclusion in Debian 11, including one post-1.10.5 bug fix https://github.com/flatpak/flatpak/pull/4461 which will hopefully be included in 1.10.6. I'm waiting for an opinion from the Debian security team. For release series that are already based on 1.10.x, I'd recommend basing your releases on that version.

For full effectiveness, you'll want libseccomp 2.5.2, with which we can block all the syscalls we identified as undesired, including `mount_setattr()`.

Failing that, libseccomp 2.5.0 is sufficient to be able to block `clone3()`, which I think should prevent a successful exploit: by preventing creation of new user namespaces, it stops a malicious or compromised Flatpak app from getting CAP_SYS_ADMIN in a new user namespace, which it would need if it wanted to be able to invoke `mount_setattr()`.

For release series that use 1.6.x or 1.0.x, Flatpak upstream does not support those branches any more and will not make new releases. If someone wants to get involved upstream, I'd accept MRs against those branches as a coordination point for "if you're stuck on this branch, here's what other distros are doing...", similar to what I'm doing for 1.2.x on https://github.com/flatpak/flatpak/pull/4455.