Re: Linux: Disabling network namespaces

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Mon, Apr 22, 2024 at 02:33:56PM +0000, Jordan Glover wrote:
> On Sunday, April 21st, 2024 at 10:06 PM, Solar Designer <solar () openwall com> wrote:
>
> > In what exact way would nested namespaces bypass the security design of
> > Flatpak? Is this about the kernel's attack surface exposed by
> > capabilities in a namespace or something else? I guess capabilities are
> > also dropped in the nested namespace?
>
> In flatpak, apps in container communicate with host through portals[1] using dbus.
> Portals identify particular app through unique appid (i.e. "org.mozilla.firefox"
> for firefox) and grant some permissions according to that. appid is read from
> /.flatpak-info that exist inside container and is immutable there. If namespaces
> were available inside sandbox then malicious app could leverage mount namespace
> to mount crafted /.flatpak-info containing arbitrary data and lie to the portal
> about appid - it could tell portal that it's org.mozilla.firefox when it isn't.
>
> [1] https://github.com/flatpak/xdg-desktop-portal
>
> Jordan

Why is the appid read from /.flatpak-info, instead of having the flatpak
process that spawned the container pass the info to the dbus proxy along
with the FD used to communicate with the container?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: