From def3b4a5a207c417a36b7c18634fd9742a35a901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=99=88=E4=BA=9A=E5=BC=BA?= <chenyaqiang@huawei.com>
Date: Fri, 22 Oct 2021 07:32:24 +0000
Subject: [PATCH] add backport-0008-CVE-2021-41133.patch.

---
 backport-0008-CVE-2021-41133.patch | 33 ++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 backport-0008-CVE-2021-41133.patch

diff --git a/backport-0008-CVE-2021-41133.patch b/backport-0008-CVE-2021-41133.patch
new file mode 100644
index 0000000..f4b1dd7
--- /dev/null
+++ b/backport-0008-CVE-2021-41133.patch
@@ -0,0 +1,33 @@
+From 462fca2c666e0cd2b60d6d2593a7216a83047aaf Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 1 Sep 2021 14:21:04 +0100
+Subject: [PATCH] run: Don't allow chroot()
+
+If we don't allow pivot_root() then there seems no reason why we should
+allow chroot().
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Conflict:NA
+Reference:https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
+
+---
+ common/flatpak-run.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index b1a8db5..da96465 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2824,6 +2824,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+     {SCMP_SYS (umount), EPERM},
+     {SCMP_SYS (umount2), EPERM},
+     {SCMP_SYS (pivot_root), EPERM},
++    {SCMP_SYS (chroot), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+     /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+      * and flags arguments are reversed so the flags come second */
+-- 
+2.27.0
\ No newline at end of file