
Source code changes of the file "common/flatpak-run.c" between
flatpak-1.12.1.tar.xz and flatpak-1.12.2.tar.xz

About: Flatpak is a Linux application sandboxing and distribution framework.

flatpak-run.c  (flatpak-1.12.1.tar.xz):flatpak-run.c  (flatpak-1.12.2.tar.xz)
skipping to change at line 2848 skipping to change at line 2848
*out_mount_path = g_steal_pointer (&doc_mount_path); *out_mount_path = g_steal_pointer (&doc_mount_path);
} }
#ifdef ENABLE_SECCOMP #ifdef ENABLE_SECCOMP
static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, }; static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, };
#ifdef SCMP_ARCH_AARCH64 #ifdef SCMP_ARCH_AARCH64
static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 }; static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 };
#endif #endif
/*
* @negative_errno: Result code as returned by libseccomp functions
*
* Translate a libseccomp error code into an error message. libseccomp
* mostly returns negative `errno` values such as `-ENOMEM`, but some
* standard `errno` values are used for non-standard purposes where their
* `strerror()` would be misleading.
*
* Returns: a string version of @negative_errno if possible
*/
static const char *
flatpak_seccomp_strerror (int negative_errno)
{
g_return_val_if_fail (negative_errno < 0, "Non-negative error value from libse
ccomp?");
g_return_val_if_fail (negative_errno > INT_MIN, "Out of range error value from
libseccomp?");
switch (negative_errno)
{
case -EDOM:
return "Architecture specific failure";
case -EFAULT:
return "Internal libseccomp failure (unknown syscall?)";
case -ECANCELED:
return "System failure beyond the control of libseccomp";
}
/* e.g. -ENOMEM: the result of strerror() is good enough */
return g_strerror (-negative_errno);
}
static inline void static inline void
cleanup_seccomp (void *p) cleanup_seccomp (void *p)
{ {
scmp_filter_ctx *pp = (scmp_filter_ctx *) p; scmp_filter_ctx *pp = (scmp_filter_ctx *) p;
if (*pp) if (*pp)
seccomp_release (*pp); seccomp_release (*pp);
} }
static gboolean static gboolean
skipping to change at line 3045 skipping to change at line 3077
* If only one arch is supported the default is fine */ * If only one arch is supported the default is fine */
if (arch_id != 0) if (arch_id != 0)
{ {
/* This *adds* the target arch, instead of replacing the /* This *adds* the target arch, instead of replacing the
native one. This is not ideal, because we'd like to only native one. This is not ideal, because we'd like to only
allow the target arch, but we can't really disallow the allow the target arch, but we can't really disallow the
native arch at this point, because then bubblewrap native arch at this point, because then bubblewrap
couldn't continue running. */ couldn't continue running. */
r = seccomp_arch_add (seccomp, arch_id); r = seccomp_arch_add (seccomp, arch_id);
if (r < 0 && r != -EEXIST) if (r < 0 && r != -EEXIST)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Fai led to add architecture to seccomp filter")); return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Fai led to add architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r));
if (multiarch && extra_arches != NULL) if (multiarch && extra_arches != NULL)
{ {
for (i = 0; extra_arches[i] != 0; i++) for (i = 0; extra_arches[i] != 0; i++)
{ {
r = seccomp_arch_add (seccomp, extra_arches[i]); r = seccomp_arch_add (seccomp, extra_arches[i]);
if (r < 0 && r != -EEXIST) if (r < 0 && r != -EEXIST)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED , _("Failed to add multiarch architecture to seccomp filter")); return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED , _("Failed to add multiarch architecture to seccomp filter: %s"), flatpak_secco mp_strerror (r));
} }
} }
} }
} }
/* TODO: Should we filter the kernel keyring syscalls in some way? /* TODO: Should we filter the kernel keyring syscalls in some way?
* We do want them to be used by desktop apps, but they could also perhaps * We do want them to be used by desktop apps, but they could also perhaps
* leak system stuff or secrets from other apps. * leak system stuff or secrets from other apps.
*/ */
skipping to change at line 3085 skipping to change at line 3117
/* EFAULT means "internal libseccomp error", but in practice we get /* EFAULT means "internal libseccomp error", but in practice we get
* this for syscall numbers added via flatpak-syscalls-private.h * this for syscall numbers added via flatpak-syscalls-private.h
* when trying to filter them on a non-native architecture, because * when trying to filter them on a non-native architecture, because
* libseccomp cannot map the syscall number to a name and back to a * libseccomp cannot map the syscall number to a name and back to a
* number for the non-native architecture. */ * number for the non-native architecture. */
if (r == -EFAULT) if (r == -EFAULT)
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libsec comp?", flatpak_debug2 ("Unable to block syscall %d: syscall not known to libsec comp?",
scall); scall);
else if (r < 0) else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
} }
if (!devel) if (!devel)
{ {
for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++) for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++)
{ {
int scall = syscall_nondevel_blocklist[i].scall; int scall = syscall_nondevel_blocklist[i].scall;
int errnum = syscall_nondevel_blocklist[i].errnum; int errnum = syscall_nondevel_blocklist[i].errnum;
g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
if (syscall_nondevel_blocklist[i].arg) if (syscall_nondevel_blocklist[i].arg)
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *s yscall_nondevel_blocklist[i].arg); r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *s yscall_nondevel_blocklist[i].arg);
else else
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
/* See above for the meaning of EFAULT. */ /* See above for the meaning of EFAULT. */
if (errno == EFAULT) if (r == -EFAULT)
flatpak_debug2 ("Unable to block syscall %d: syscall not known to li bseccomp?", flatpak_debug2 ("Unable to block syscall %d: syscall not known to li bseccomp?",
scall); scall);
else if (r < 0) else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Fai led to block syscall %d"), scall); return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Fai led to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
} }
} }
/* Socket filtering doesn't work on e.g. i386, so ignore failures here /* Socket filtering doesn't work on e.g. i386, so ignore failures here
* However, we need to user seccomp_rule_add_exact to avoid libseccomp doing * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
* something else: https://github.com/seccomp/libseccomp/issues/8 */ * something else: https://github.com/seccomp/libseccomp/issues/8 */
last_allowed_family = -1; last_allowed_family = -1;
for (i = 0; i < G_N_ELEMENTS (socket_family_allowlist); i++) for (i = 0; i < G_N_ELEMENTS (socket_family_allowlist); i++)
{ {
int family = socket_family_allowlist[i].family; int family = socket_family_allowlist[i].family;
skipping to change at line 3137 skipping to change at line 3169
seccomp_rule_add_exact (seccomp, SCMP_ACT_ERRNO (EAFNOSUPPORT), SCMP_S YS (socket), 1, SCMP_A0 (SCMP_CMP_EQ, disallowed)); seccomp_rule_add_exact (seccomp, SCMP_ACT_ERRNO (EAFNOSUPPORT), SCMP_S YS (socket), 1, SCMP_A0 (SCMP_CMP_EQ, disallowed));
} }
last_allowed_family = family; last_allowed_family = family;
} }
/* Blocklist the rest */ /* Blocklist the rest */
seccomp_rule_add_exact (seccomp, SCMP_ACT_ERRNO (EAFNOSUPPORT), SCMP_SYS (sock et), 1, SCMP_A0 (SCMP_CMP_GE, last_allowed_family + 1)); seccomp_rule_add_exact (seccomp, SCMP_ACT_ERRNO (EAFNOSUPPORT), SCMP_SYS (sock et), 1, SCMP_A0 (SCMP_CMP_GE, last_allowed_family + 1));
if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tm pf, error)) if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tm pf, error))
return FALSE; return FALSE;
if (seccomp_export_bpf (seccomp, seccomp_tmpf.fd) != 0) r = seccomp_export_bpf (seccomp, seccomp_tmpf.fd);
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to e
xport bpf")); if (r != 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to e
xport bpf: %s"), flatpak_seccomp_strerror (r));
lseek (seccomp_tmpf.fd, 0, SEEK_SET); lseek (seccomp_tmpf.fd, 0, SEEK_SET);
flatpak_bwrap_add_args_data_fd (bwrap, flatpak_bwrap_add_args_data_fd (bwrap,
"--seccomp", glnx_steal_fd (&seccomp_tmpf.fd), NULL); "--seccomp", glnx_steal_fd (&seccomp_tmpf.fd), NULL);
return TRUE; return TRUE;
} }
#endif #endif
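Review bot: The `lseek (seccomp_tmpf.fd, 0, SEEK_SET);` immediately after the newly checked `seccomp_export_bpf` call still discards its return value, yet that descriptor is exactly what `flatpak_bwrap_add_args_data_fd` hands to bubblewrap as the `--seccomp` filter. A failed rewind is unlikely for a regular temporary file, but if it did happen bubblewrap would receive a descriptor positioned at end-of-file, and whether that fails closed or starts the sandbox with no filter depends on bubblewrap's handling of a zero-length program, which is not visible here. Since this change makes every other seccomp setup failure surface through `flatpak_fail_error`, the rewind should be treated the same way: `if (lseek (seccomp_tmpf.fd, 0, SEEK_SET) < 0) return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to rewind seccomp filter: %s"), g_strerror (errno));`. The enclosing function's signature and the earlier part of its body lie outside the visible hunks.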
 End of changes. 7 change blocks. 
8 lines changed or deleted 44 lines changed or added
