Sandbox rw mounts: newbie question

Alexander Larsson alexl at redhat.com
Mon Nov 12 09:41:27 UTC 2018


On Sun, Nov 11, 2018 at 2:20 AM Andrey Butirsky <butirsky at gmail.com> wrote:
>
> Hello,
> from Flatpak wiki https://github.com/flatpak/flatpak/wiki/Sandbox:
> in the sandbox, "all mounts are read-only, except" a few.
>
> But I see a lot of rw mounts in my apps sandboxes. Moreover, they seem
> shared between the apps, so apparently one app can write to
> /etc/profile.d/ and break things for others.
>
> Please, help to understand:
>
> tmpfs on / type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)

This is the per-app tmpfs which is the root dir. This needs to be
writable, as it hosts e.g. the sandbox /tmp. However it is not
persistent on disk or shared between apps.

> tmpfs on
> /run/flatpak/ld.so.conf.d/runtime-001-org.freedesktop.Platform.html5-codecs.conf
> type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)
> proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
> tmpfs on /etc/passwd type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)
> tmpfs on /etc/group type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)
> tmpfs on /etc/pkcs11/pkcs11.conf type tmpfs
> (rw,nosuid,nodev,relatime,uid=1001,gid=1001)

These are similar per-app, virtual filesystems that are not really
sensitive. Although I guess it wouldn't hurt if some of these were
readonly even if you can only affect yourself.

> /dev/sdb1 on /etc/geoclue type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> /dev/sdb1 on /etc/issue type ext4 (rw,nosuid,nodev,relatime,data=ordered)
..
> /dev/sdb1 on /etc/nsswitch.conf type ext4

These however, are actually a problem as you say. They are supposed to
be bind-mounts of /usr/etc (which is in the runtime) into /etc, so
that we can get the right paths. These are supposed to be read-only,
like the runtime (/usr) is. I'm pretty sure at some point they were,
but we must have regressed on this. Typically (i.e. for system
installs) they are not modifiable by the user, but for per-user
installs this is actually a problem.

> /dev/sdb1 on /var/cache type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> /dev/sdb1 on /var/data type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> /dev/sdb1 on /var/config type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> /dev/sdb1 on /var/tmp type ext4 (rw,nosuid,nodev,relatime,data=ordered)

These are bind-mounts into ~/.var/app/$appid which is supposed to be
writable to the app.

> devtmpfs on /dev/null type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devtmpfs on /dev/zero type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devtmpfs on /dev/full type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devtmpfs on /dev/random type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devtmpfs on /dev/urandom type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devtmpfs on /dev/tty type devtmpfs
> (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)
> devpts on /dev/pts type devpts
> (rw,nosuid,noexec,relatime,mode=620,ptmxmode=666)
> devpts on /dev/console type devpts
> (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=000)

We need to be able to write to these device nodes, but that is not a
security problem.

> /dev/sdb1 on /run/user/1001/app/org.flatpak.Hello type ext4
> (rw,nosuid,nodev,relatime,data=ordered)

This directory is designed to be shared between all instances of the app.

> /dev/sdb1 on /home/bam/.var/app/org.flatpak.Hello type ext4
> (rw,nosuid,nodev,relatime,data=ordered)

This is the primary persistent writable directory for app state.

> tmpfs on /tmp/.X11-unix type tmpfs
> (rw,nosuid,nodev,relatime,mode=755,uid=1001,gid=1001)
> /dev/sdb1 on /run/user/1001/bus type ext4
> (rw,nosuid,nodev,relatime,data=ordered)
> /dev/sdb1 on /run/user/1001/at-spi-bus type ext4
> (rw,nosuid,nodev,relatime,data=ordered)

These are exposing X and dbus to the app.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl at redhat.com         alexander.larsson at gmail.com
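Added example (not part of the thread, and not Flatpak project code): a small POSIX sh/awk filter that applies the classification above to `mount`-style output, keeping only mounts under /etc that are both rw and backed by something other than tmpfs, i.e. the on-disk /usr/etc bind-mounts that should have been read-only. The per-app tmpfs entries (/, /etc/passwd, ...) and the ~/.var/app bind-mounts under /var are deliberately excluded, since the reply explains why those are writable by design. The sample lines are constructed for the example, modelled on the quoted output; one of them has been given `ro` to show the filter distinguishes it.

```shell
#!/bin/sh
# Added example: flag writable, non-tmpfs mounts under /etc inside a Flatpak sandbox.
# Input is `mount`(8)-style text: "<source> on <target> type <fstype> (<opts>)".

# Constructed sample (not real captured output), modelled on the lines quoted in the thread.
SAMPLE_MOUNTS='tmpfs on / type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)
tmpfs on /etc/passwd type tmpfs (rw,nosuid,nodev,relatime,uid=1001,gid=1001)
/dev/sdb1 on /etc/geoclue type ext4 (rw,nosuid,nodev,relatime,data=ordered)
/dev/sdb1 on /etc/issue type ext4 (ro,nosuid,nodev,relatime,data=ordered)
/dev/sdb1 on /etc/nsswitch.conf type ext4 (rw,nosuid,nodev,relatime,data=ordered)
/dev/sdb1 on /var/config type ext4 (rw,nosuid,nodev,relatime,data=ordered)
devtmpfs on /dev/null type devtmpfs (rw,nosuid,relatime,size=8192k,nr_inodes=884067,mode=755)'

# Read mount lines on stdin; print the target of every mount that is
#   - under /etc (or /etc itself),
#   - not a tmpfs (so it is backed by files that persist on disk),
#   - mounted with the exact option "rw" (not just any option containing "rw").
find_writable_etc() {
    awk '
        # fields: $1 source, $2 "on", $3 target, $4 "type", $5 fstype, $6 "(opts)"
        ($3 == "/etc" || substr($3, 1, 5) == "/etc/") && $5 != "tmpfs" {
            opts = $6
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "rw") { print $3; break }
            }
        }'
}

# Convenience wrapper over the constructed sample so the result can be checked.
count_writable_etc() {
    printf '%s\n' "$SAMPLE_MOUNTS" | find_writable_etc | wc -l | tr -d ' '
}

# Inside a real sandbox you would feed it live output instead of the sample, e.g.
#   flatpak run --command=sh org.flatpak.Hello -c mount | find_writable_etc
# (shown as a comment; not executed here).
```

On the constructed sample the filter reports /etc/geoclue and /etc/nsswitch.conf and nothing else: /etc/passwd is a per-app tmpfs, /etc/issue is ro, and /var/config lives under the app's own ~/.var/app directory. Whatever the filter prints in a real sandbox is a candidate for the regression described in the reply, and for a per-user install it is worth following up with `test -w` on the target to confirm the file is actually modifiable by the sandboxed user.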

