From 6c147859c9c5a77f768decb8eb22d5a5d68f8fb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=99=88=E4=BA=9A=E5=BC=BA?= <chenyaqiang@huawei.com>
Date: Fri, 22 Oct 2021 07:31:03 +0000
Subject: [PATCH] add backport-0006-CVE-2021-41133.patch.

---
 backport-0006-CVE-2021-41133.patch | 33 ++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 backport-0006-CVE-2021-41133.patch

diff --git a/backport-0006-CVE-2021-41133.patch b/backport-0006-CVE-2021-41133.patch
new file mode 100644
index 0000000..1ad4bc7
--- /dev/null
+++ b/backport-0006-CVE-2021-41133.patch
@@ -0,0 +1,33 @@
+From 4c34815784e9ffda5733225c7d95824f96375e36 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 1 Sep 2021 14:19:31 +0100
+Subject: [PATCH] run: Block setns()
+
+If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
+shouldn't allow joining an existing (but different) namespace.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Conflict:NA
+Reference:https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
+
+---
+ common/flatpak-run.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 2781694..c266dbe 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2819,6 +2819,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+ 
+     /* Don't allow subnamespace setups: */
+     {SCMP_SYS (unshare), EPERM},
++    {SCMP_SYS (setns), EPERM},
+     {SCMP_SYS (mount), EPERM},
+     {SCMP_SYS (pivot_root), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+-- 
+2.27.0
\ No newline at end of file