From 40d80034a24f0ecfd7e50022b1c53f0db3bf33b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=99=88=E4=BA=9A=E5=BC=BA?=
Date: Fri, 22 Oct 2021 07:33:38 +0000
Subject: [PATCH] add backport-run-Handle-unknown-syscalls-as-intended.patch.
---
...-Handle-unknown-syscalls-as-intended.patch | 72 +++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 backport-run-Handle-unknown-syscalls-as-intended.patch
diff --git a/backport-run-Handle-unknown-syscalls-as-intended.patch b/backport-run-Handle-unknown-syscalls-as-intended.patch
new file mode 100644
index 0000000..b3f99f9
--- /dev/null
+++ b/backport-run-Handle-unknown-syscalls-as-intended.patch
@@ -0,0 +1,72 @@
+From d419fa67038370e4f4c3ce8c3b5f672d4876cfc8 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Fri, 8 Oct 2021 17:05:07 +0100
+Subject: [PATCH] run: Handle unknown syscalls as intended
+
+The error-handling here was
+
+ if (r < 0 && r == -EFAULT)
+
+but Alex says it was almost certainly intended to be
+
+ if (r < 0 && r != -EFAULT)
+
+so that syscalls not known to libseccomp are not a fatal error.
+
+Instead of literally making that change, emit a debug message on -EFAULT
+so we can see what is going on.
+
+This temporarily weakens our defence against CVE-2021-41133
+(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
+version of libseccomp does not know about the recently-added syscalls,
+but the kernel does, then we will not prevent non-native executables
+from using those syscalls.
+
+Resolves: https://github.com/flatpak/flatpak/issues/4458
+Signed-off-by: Simon McVittie
+
+Conflict:NA
+Reference:https://github.com/flatpak/flatpak/commit/d419fa67038370e4f4c3ce8c3b5f672d4876cfc8
+
+
+---
+ common/flatpak-run.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index da96465..a416f1b 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2960,7 +2960,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
+ else
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+- if (r < 0 && r == -EFAULT /* unknown syscall */)
++
++ /* EFAULT means "internal libseccomp error", but in practice we get
++ * this for syscall numbers added via flatpak-syscalls-private.h
++ * when trying to filter them on a non-native architecture, because
++ * libseccomp cannot map the syscall number to a name and back to a
++ * number for the non-native architecture. */
++ if (r == -EFAULT)
++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
++ scall);
++ else if (r < 0)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ }
+
+@@ -2978,7 +2987,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ else
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
+
+- if (r < 0 && r == -EFAULT /* unknown syscall */)
++ /* See above for the meaning of EFAULT. */
++ if (errno == EFAULT)
++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
++ scall);
++ else if (r < 0)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ }
+ }
+--
+2.27.0
\ No newline at end of file
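Review bot: The second setup_seccomp hunk of the added backport tests `if (errno == EFAULT)`, while the first hunk tests the return value with `if (r == -EFAULT)`; seccomp_rule_add() reports failure through its negative return value, so errno at that point is whatever an earlier call left behind. With a stale EFAULT in errno a genuine rule-add failure only produces a debug message and the syscall stays unfiltered, and a real `-EFAULT` return with a different errno still takes the fatal `flatpak_fail_error` path the patch set out to avoid. The second check should read `if (r == -EFAULT)` to match the first. Both loops in setup_seccomp begin and end outside the hunks, so this is judged from the visible lines only.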