代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/flatpak 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From a10f52a7565c549612c92b8e736a6698a53db330 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 11:59:00 +0100
Subject: [PATCH] run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
manipulate its root directory. We need to block this so that AF_UNIX-based
socket servers (X11, Wayland, etc.) can rely on
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
Partially fixes GHSA-67h7-w3jq-vh4q.
Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
---
common/flatpak-run.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 5cf6d2e..dad0cfe 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2832,6 +2832,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+
+ /* seccomp can't look into clone3()'s struct clone_args to check whether
+ * the flags are OK, so we have no choice but to block clone3().
+ * Return ENOSYS so user-space will fall back to clone().
+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
+ {SCMP_SYS (clone3), ENOSYS},
};
struct
--
2.27.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
