flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
Simon McVittie
smcv at collabora.com
Wed Aug 14 17:13:57 UTC 2024
Flatpak is a system for building, distributing, and running sandboxed
desktop applications on Linux.
Chris Williams discovered an issue with how Flatpak mounts persistent
directories, which can allow an application using them to access host
files.
Advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
Affected: all < 1.14.10, 1.15.x < 1.15.10
Fixed: 1.14.x >= 1.14.10, all >= 1.15.10
Impact
======
A malicious or compromised Flatpak app using persistent directories could
read and write files in locations it would not normally have access to,
which is an attack on integrity and confidentiality.
Description
===========
When persistent=subdir is used in the application permissions (represented
as --persist=subdir in the command-line interface), an application that
otherwise has no access to the real user home directory sees an empty
home directory containing a writable subdirectory `subdir`. Behind the
scenes, that subdirectory is a bind mount, and the data is actually stored
in the per-application directory as ~/.var/app/$APPID/subdir. This allows
existing apps that are not aware of the per-application directory to keep
working as intended without general home directory access.
However, the application does have write access to the application
directory ~/.var/app/$APPID where this directory is stored. If the source
directory for the persistent/--persist option is replaced by a symlink,
then the next time the application is started, the bind mount will follow
the symlink and mount whatever it points to into the sandbox.
For example, org.mozilla.Thunderbird has persistent=.thunderbird, and is
not meant to be able to access ~/.ssh. In this example, % represents a
shell prompt on the host system, and $ represents a shell prompt inside
the app sandbox.
% flatpak run --command=sh org.mozilla.Thunderbird
$ mv ~/.var/app/org.mozilla.Thunderbird/.thunderbird{,.save}
$ ln -s ~/.ssh ~/.var/app/org.mozilla.Thunderbird/.thunderbird
$ exit
% flatpak run --command=sh org.mozilla.Thunderbird
$ ls ~/.thunderbird
{contents of ~/.ssh/}
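The symlink swap shown above can be checked for from the host side. The
following is an added example, not code from Flatpak or from this advisory:
it reads an app's persistent= entries from its metadata key-file (the
[Context] section, the same list that --persist populates) and walks
~/.var/app/$APPID/<subdir> one path component at a time with O_NOFOLLOW,
reporting any symlink instead of following it. The metadata location under
the default install roots (/var/lib/flatpak and ~/.local/share/flatpak, as
app/$APPID/current/active/metadata) is the standard Flatpak layout; the
org.example.App tree that demo() builds in a temporary directory is
constructed for illustration, with a "secrets" directory standing in for
~/.ssh.

```python
"""Audit Flatpak persisted directories for the symlink swap described above.
Added example, not Flatpak's own code; the org.example.App tree in demo() is
constructed.  Assumes the standard layout: ~/.var/app/$APPID and metadata at
<install root>/app/$APPID/current/active/metadata."""
import configparser
import os
import stat
import tempfile

INSTALL_ROOTS = ["/var/lib/flatpak", os.path.expanduser("~/.local/share/flatpak")]

def persistent_dirs(metadata_text):
    """Entries of [Context] persistent=a;b; in a Flatpak metadata key-file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(metadata_text)
    raw = cp.get("Context", "persistent", fallback="")
    return [p.strip() for p in raw.split(";") if p.strip()]

def _why(comp, dir_fd, err):
    """Explain a failed no-follow open (diagnosis only; the refusal itself
    came from O_NOFOLLOW|O_DIRECTORY)."""
    try:
        st = os.lstat(comp, dir_fd=dir_fd)
        if stat.S_ISLNK(st.st_mode):
            return "symlink -> " + os.readlink(comp, dir_fd=dir_fd)
    except OSError as e:
        return e.strerror
    return err.strerror if stat.S_ISDIR(st.st_mode) else "not a directory"

def open_dir_nofollow(app_dir, subdir):
    """Open app_dir/subdir one component at a time, never following a
    symlink.  Returns (fd, None) or (None, "component: reason")."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    # app_dir is created by Flatpak; its contents are app-writable, so each
    # component below it is opened relative to the previous fd with O_NOFOLLOW.
    fd = os.open(app_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    for comp in subdir.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            os.close(fd)
            return None, "%s: refusing '..'" % subdir
        try:
            nfd = os.open(comp, flags, dir_fd=fd)
        except OSError as e:
            reason = _why(comp, fd, e)
            os.close(fd)
            return None, "%s: %s" % (comp, reason)
        os.close(fd)
        fd = nfd
    return fd, None

def audit_app(app_dir, metadata_text):
    """Map each persisted subdir of one app to "ok" or why it is unsafe."""
    findings = {}
    for subdir in persistent_dirs(metadata_text):
        fd, reason = open_dir_nofollow(app_dir, subdir)
        if fd is not None:
            # fd is the directory that was checked; anything done through it
            # (fstat, readdir, bwrap --bind-fd) survives a later rename-to-symlink.
            os.close(fd)
            reason = "ok"
        findings[subdir] = reason
    return findings

def audit_installed(var_app=os.path.expanduser("~/.var/app")):
    """Audit every ~/.var/app/$APPID with installed metadata.  Overrides
    (flatpak override --persist) are not consulted in this example."""
    report = {}
    for appid in sorted(os.listdir(var_app)) if os.path.isdir(var_app) else []:
        for root in INSTALL_ROOTS:
            meta = os.path.join(root, "app", appid, "current", "active", "metadata")
            if os.path.isfile(meta):
                with open(meta) as f:
                    report[appid] = audit_app(os.path.join(var_app, appid), f.read())
                break
    return report

def demo():
    """Constructed tree: an honest dir, the advisory's mv + ln -s swap, a
    symlink in a parent component, and a directory that does not exist."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "org.example.App")  # plays ~/.var/app/$APPID
    secrets = os.path.join(root, "secrets")          # plays ~/.ssh
    os.makedirs(os.path.join(app_dir, ".profile"))
    os.makedirs(os.path.join(secrets, "inner"))
    os.mkdir(os.path.join(app_dir, "cache"))
    os.rename(os.path.join(app_dir, "cache"), os.path.join(app_dir, "cache.save"))
    os.symlink(secrets, os.path.join(app_dir, "cache"))
    os.symlink(secrets, os.path.join(app_dir, "nested"))
    metadata = ("[Application]\nname=org.example.App\n\n"
                "[Context]\npersistent=.profile;cache;nested/inner;absent;\n")
    return audit_app(app_dir, metadata)

if __name__ == "__main__":
    for appid, findings in [("demo", demo())] + sorted(audit_installed().items()):
        for subdir, verdict in findings.items():
            print("%-28s %-16s %s" % (appid, subdir, verdict))
```

Run it as a script to see the verdicts for the constructed tree followed by
an audit of the real ~/.var/app. open_dir_nofollow() hands back a file
descriptor rather than a cleaned-up path for the same reason the full fix
needs bubblewrap's --bind-fd: a path can be swapped for a symlink after it
was checked, but an open directory fd keeps referring to the directory that
was checked. Directories added with flatpak override --persist live in the
overrides, not in the app's metadata, so audit_installed() does not see
them.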
Patches
=======
This was fixed in Flatpak 1.14.10 (stable release branch) and 1.15.10
(development prerelease branch).
For details of backportable patches suitable
for inclusion in LTS distributions, please see
<https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87>.
Fully resolving this vulnerability requires adding a new --bind-fd option
to bubblewrap (a sandboxing component used by Flatpak) so that Flatpak
can avoid a time-of-check/time-of-use race condition: Flatpak opens the
persisted directory itself, without following symlinks, and hands the
open file descriptor to bubblewrap, so the directory that was checked is
the one that gets mounted, rather than a path that could be swapped for a
symlink in between. This feature was added in bubblewrap 0.10.0, but can
be backported. More details are available via the link above.
Depending how Flatpak was configured at build time, the version of
bubblewrap that needs to be patched might either be separately installed
into the PATH (typically /usr/bin/bwrap from an OS vendor package),
or a bundled convenience copy that is private to Flatpak (typically
installed as /usr/libexec/flatpak-bwrap). The convenience copies that
are included in Flatpak versions 1.14.10 and 1.15.10 have been updated
to include the necessary feature.
Mitigations
===========
If patching bubblewrap is logistically difficult, a mitigation is to apply
only the patch "Don't follow symlinks when mounting persisted directories"
to Flatpak, and then avoid running two instances of the same untrusted
app at the same time. With only that patch, the symlink check happens
before bubblewrap mounts the path, so winning the remaining
time-of-check/time-of-use window requires something with write access
to ~/.var/app/$APPID (such as a second instance of the app) to swap the
directory for a symlink while a new instance is starting; avoiding that
should prevent the issue from being exploited.
Another mitigation is to avoid installing untrusted apps that have
the "persistent" sandboxing parameter set in their metadata, and also
avoid using `flatpak override --persist ...` to add that parameter to
untrusted apps.
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers