Permission Denied with Flatpak (/sys/block)

nurmagoz · October 9, 2022, 2:06pm

user@host:~$ flatpak run org.mozilla.firefox
bwrap: Can't find source path /sys/block: Permission denied
user@host:~$

Note: All these hardened features are enabled in my VM:

Patrick · October 11, 2022, 11:27pm

related feature:
https://www.kicksecure.com/wiki/Security-misc#Reduce_Kernel_Information_Leaks

flatpak requires /sys/block it. See this highlighted line:

github.com

flatpak/flatpak/blob/main/common/flatpak-run.c#L3529


      
          
          
if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
            flatpak_bwrap_add_args (bwrap,
                                    "--proc", "/proc",
                                    NULL);
          
          
if (!(flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS))
            flatpak_bwrap_add_arg (bwrap, "--unshare-pid");
          
          
flatpak_bwrap_add_args (bwrap,
                                  "--dir", "/tmp",
                                  "--dir", "/var/tmp",
                                  "--dir", "/run/host",
                                  "--perms", "0700", "--dir", run_dir,
                                  "--setenv", "XDG_RUNTIME_DIR", run_dir,
                                  "--symlink", "../run", "/var/run",
                                  "--ro-bind", "/sys/block", "/sys/block",
                                  "--ro-bind", "/sys/bus", "/sys/bus",
                                  "--ro-bind", "/sys/class", "/sys/class",
                                  "--ro-bind", "/sys/dev", "/sys/dev",
                                  "--ro-bind", "/sys/devices", "/sys/devices",

reported upstream:

github.com/flatpak/flatpak

flatpak shouldn't permit unconditional access to `/sys/block` with bwrap for better security

opened 11:21PM - 11 Oct 22 UTC

adrelanos

bug

### Checklist - [X] I agree to follow the [Code of Conduct](https://github.com/…flatpak/flatpak/blob/main/CODE_OF_CONDUCT.md) that this project adheres to. - [X] I have searched the [issue tracker](https://www.github.com/flatpak/flatpak/issues) for a bug that matches the one I want to file, without success. - [X] If this is an issue with a particular app, I have tried filing it in the appropriate issue tracker for the app (e.g. under https://github.com/flathub/) and determined that it is an issue with Flatpak itself. - [X] This issue is not a report of a security vulnerability (see [here](https://github.com/flatpak/flatpak/blob/main/SECURITY.md) if you need to report a security issue). ### Flatpak version 1.10.7 ### What Linux distribution are you using? Debian ### Linux distribution version bullseye ### What architecture are you using? x86_64 ### How to reproduce 1. flatpak while access to `/sys/block` is restricted to root ([`/lib/systemd/system/hide-hardware-info.service`](https://github.com/Kicksecure/security-misc/blob/master/lib/systemd/system/hide-hardware-info.service)) 2. run flatpak ### Expected Behavior flatpak shouldn't unconditionally need access to `/sys/block` because that's dangerous for security. ### Actual Behavior flatpak hardcoded, requires access to `/sys/block`. flatpak run org.mozilla.firefox > bwrap: Can't find source path /sys/block: Permission denied ### Additional Information flatpak in https://github.com/flatpak/flatpak/blob/main/common/flatpak-run.c#L3529 uses: > "--ro-bind", "/sys/block", "/sys/block", What's the purpose of this? It's the block devices. ls /sys/block > xvda xvdb xvdc xvdd I don't see why flatpak needs access to these?

workaround:
https://www.kicksecure.com/wiki/Security-misc#Whitelisting_Applications

nurmagoz · January 30, 2024, 1:25pm

[workstation user ~]% flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
error: Flatpak system operation ConfigureRemote not allowed for user
zsh: exit 1     flatpak remote-add --if-not-exists flathub

Current flatpak running from whonix-ws qubes.

Patrick · February 1, 2024, 11:43am

Caused by:

A) hide hardware information and/or
B) hidepid and/or,
C) otherwise?

nurmagoz · February 1, 2024, 9:19pm

After couple of testing, yeah only A (hide-hardware-info) reproduce it clearly.

nurmagoz · February 6, 2024, 5:39pm

Add to it this as well:

Qubes specific: If user removed qubes-core-agent-passwordless-root he will get this issue.

so to correctly address the issues here:

Issue (1)

bwrap: Can't find source path /sys/block: Permission denied

Due to hide hardware information

Issue (2)

error: Flatpak system operation ConfigureRemote not allowed for user

Due to user removed qubes-core-agent-passwordless-root package from his VM in Qubes.

Note: if both are enabled, it will just show Issue (2)

Patrick · February 19, 2024, 11:24am

Patrick · February 26, 2024, 2:07pm

flatpak: thanks to Make /sys hardening optional and allow access to /sys/fs to make polkit work by DanWin · Pull Request #204 · Kicksecure/security-misc · GitHub this is now fixed. Also discussed here: improve hide-hardware-info.service, make `/sys` hiding optional and enable by default · Issue #172 · Kicksecure/security-misc · GitHub

This is now in the testers repository.

Patrick · March 4, 2024, 10:22am

This is now in the stable repository.