On Mon, Apr 22, 2024 at 02:33:56PM +0000, Jordan Glover wrote:
> On Sunday, April 21st, 2024 at 10:06 PM, Solar Designer <so...@openwall.com>
> wrote:
>
> > In what exact way would nested namespaces bypass the security design of
> > Flatpak? Is this about the kernel's attack surface exposed by
> > capabilities in a namespace or something else? I guess capabilities are
> > also dropped in the nested namespace?
>
> In flatpak, apps in container communicate with host through portals[1] using
> dbus. Portals identify particular app through unique appid (i.e.
> "org.mozilla.firefox" for firefox) and grant some permissions according to
> that. appid is read from /.flatpak-info that exists inside container and is
> immutable there. If namespaces were available inside sandbox then malicious
> app could leverage mount namespace to mount crafted /.flatpak-info containing
> arbitrary data and lie to the portal about appid - it could tell portal that
> it's org.mozilla.firefox when it isn't.
>
> [1] https://github.com/flatpak/xdg-desktop-portal
>
> Jordan
Why is the appid read from /.flatpak-info, instead of having the flatpak
process that spawned the container pass the info to the dbus proxy along
with the FD used to communicate with the container?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
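A small model of the two identification designs discussed in this thread (app id read from a file inside the container's mount view, versus app id recorded by the spawning process and looked up by the portal). This is an added example, not code from flatpak, xdg-desktop-portal or either poster; the `[Application] name=` keyfile layout follows /.flatpak-info, while the class names, the pid, and the sample file contents are constructed for illustration.

```python
"""Model of portal-side app identification: file-derived vs spawner-bound.

Added example, not part of flatpak or xdg-desktop-portal. Only the
[Application] name= entry mirrors the real /.flatpak-info layout; the
classes, the pid and the sample texts below are constructed here.
"""
import configparser

# Constructed sample: what a genuine /.flatpak-info looks like inside a
# sandbox (the [Application] section carries the app id the portal keys on).
GENUINE_INFO = """
[Application]
name=org.example.Sandboxed
runtime=runtime/org.freedesktop.Platform/x86_64/23.08
"""

# Constructed sample: a crafted file that would be visible to the portal if
# the app could create its own mount namespace and replace /.flatpak-info.
CRAFTED_INFO = """
[Application]
name=org.mozilla.firefox
"""


def appid_from_info(info_text: str) -> str:
    """Parse the app id the way a portal reading /.flatpak-info would."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(info_text)
    return cp["Application"]["name"]


class FileTrustingPortal:
    """Design 1: identity comes from a file inside the container's own view.

    `containers` maps pid -> text of /.flatpak-info as seen from that pid's
    mount namespace; whatever the sandbox can make appear there is trusted.
    """

    def __init__(self, containers: dict):
        self.containers = containers

    def identify(self, pid: int) -> str:
        return appid_from_info(self.containers[pid])


class SpawnerBoundPortal:
    """Design 2 (the question raised in the reply): the process that spawned
    the container records the app id at launch, and the portal consults that
    record instead of anything the sandbox can later rewrite."""

    def __init__(self):
        self._by_pid = {}

    def register_spawn(self, pid: int, appid: str) -> None:
        # Called once by the trusted spawner, before the app runs.
        self._by_pid[pid] = appid

    def identify(self, pid: int) -> str:
        return self._by_pid[pid]


def compare(pid: int = 4242):
    """Return (file_design_result, spawner_design_result) for one container
    whose /.flatpak-info view has been replaced with the crafted text."""
    file_portal = FileTrustingPortal({pid: CRAFTED_INFO})
    spawner_portal = SpawnerBoundPortal()
    # The spawner saw the genuine app id when it set the container up.
    spawner_portal.register_spawn(pid, appid_from_info(GENUINE_INFO))
    return file_portal.identify(pid), spawner_portal.identify(pid)


if __name__ == "__main__":
    file_result, spawner_result = compare()
    print("file-trusting portal sees:   ", file_result)
    print("spawner-bound portal sees:   ", spawner_result)
```

The point the model makes is that the second design's answer does not depend on anything inside the container's mount view at all, so the namespace question becomes irrelevant to identification; it only moves the trust to the spawner's record and to how the portal ties an incoming connection to that record.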