From 1e9e80da6c703e19694fb5aa8d36cf439dbd366f Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Fri, 8 Oct 2021 17:05:07 +0100
Subject: [PATCH] run: Handle unknown syscalls as intended
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls.
Resolves: https://github.com/flatpak/flatpak/issues/4458
Signed-off-by: Simon McVittie
(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8)
(cherry picked from commit 270701f900c8612cf1fc5e6f5a6e2eb6459708c1)
(cherry picked from commit a0055e4f849d5bb100f2af7e33f02ef9ac3fbdee)
---
 common/flatpak-run.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 3845727a2c..a55ec7f84c 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2761,7 +2761,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
 else
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+
+ /* EFAULT means "internal libseccomp error", but in practice we get
+ * this for syscall numbers added via flatpak-syscalls-private.h
+ * when trying to filter them on a non-native architecture, because
+ * libseccomp cannot map the syscall number to a name and back to a
+ * number for the non-native architecture. */
+ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
 return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
 }
@@ -2779,7 +2788,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
 else
 r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+ /* See above for the meaning of EFAULT. */
+ if (errno == EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
 return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
 }
 }
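Review bot: The `r == -EFAULT` branch in the first loop fails open: when libseccomp returns -EFAULT the blocklist entry is simply not installed, and the only trace is a `flatpak_debug2` line that is invisible unless debug output is enabled. The new comment itself says EFAULT officially means an internal libseccomp error, so a genuine internal failure on a syscall libseccomp does know would presumably be skipped the same way. I would extend the comment with `* Skipping the rule leaves this syscall unfiltered for the architecture being set up.` and consider logging above debug level, so that a missing rule can be noticed in normal operation. setup_seccomp starts before this hunk and continues after it.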
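Review bot: The second loop tests `errno == EFAULT`, but seccomp_rule_add() reports failure through its return value, as the first loop's `r == -EFAULT` check assumes, so this condition reads whatever an earlier call left in errno. If `r` is -EFAULT and errno is not EFAULT, the call still reaches `else if (r < 0)` and aborts setup, which is the regression the commit is meant to avoid. If errno holds a stale EFAULT while `r` carries a different negative error, a real failure to install the rule is reduced to a debug message and the filter is built without it. The condition should read `if (r == -EFAULT)`, matching the first hunk. setup_seccomp begins outside this hunk.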