Package: flatpak
Version: 0.8.2-1
Severity: serious
Justification: maintainer says so
Tags: fixed-upstream pending
Portals like the ones in xdg-desktop-portal{,-gtk} need to know the identity of the confined Flatpak app. They discover this by reading the special file /proc/$pid/root/flatpak-info.

Unfortunately, when a setuid bwrap is told to use user namespaces even though they are not strictly necessary (in our case because Debian's kernels do not allow unprivileged processes to create their own user namespaces by default), the resulting user namespace is owned by root. This means user processes outside the container are not allowed to ptrace it, and the ptrace capability is also what controls the ability to read and traverse /proc/$pid/root.

Flatpak 0.8.3 fixes this by not explicitly requesting the creation of a user namespace. If bwrap is not setuid (as in Ubuntu) it will create a user namespace anyway, because that's a prerequisite for being able to create its mount namespace. If bwrap is setuid (as in Debian) it will skip creation of the user namespace, so we can traverse through /proc/$pid/root as intended.

Not being able to identify confined processes is pretty bad for the ability to make informed decisions about access control in portals, which are a key part of what makes Flatpak containers usable, so I'm considering this to be release-critical.

S
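As an added diagnostic example (not Flatpak or xdg-desktop-portal code), the C program below performs the check a portal relies on: it tries to open a file beneath /proc/<pid>/root and distinguishes "confined app identified" from "root traversable but no info file" from "EACCES because the kernel's ptrace access check failed", and it reports the owner uid of the target's user namespace through the NS_GET_OWNER_UID ioctl (Linux 4.11 or later) where that can be read. The default file name "flatpak-info" is the one used in this report; the pid and an optional alternative file name come from the command line. The enum and function names are this example's own.

```c
/* Added example (not Flatpak or xdg-desktop-portal code): probe whether the
 * calling process can traverse /proc/<pid>/root the way a portal must, and
 * report who owns the target's user namespace so a failure can be explained.
 * Build: cc -Wall -o probe_root probe_root.c    Run: ./probe_root <pid> [file] */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* NS_GET_OWNER_UID is the nsfs ioctl added in Linux 4.11; the fallback value
 * is the kernel's own definition, for build hosts with older headers. */
#if defined(__has_include)
#  if __has_include(<linux/nsfs.h>)
#    include <linux/nsfs.h>
#  endif
#endif
#ifndef NS_GET_OWNER_UID
#  define NS_GET_OWNER_UID _IO(0xb7, 0x4)
#endif

enum root_probe {
    ROOT_FOUND,            /* traversed /proc/<pid>/root and opened the file */
    ROOT_NO_INFO_FILE,     /* traversal worked, file absent: not a confined app */
    ROOT_ACCESS_DENIED,    /* EACCES: the ptrace access check failed (the bug above) */
    ROOT_NO_SUCH_PROCESS,  /* /proc/<pid> does not exist */
    ROOT_OTHER_ERROR
};

/* Open relpath (no leading '/') beneath /proc/<pid>/root and classify the
 * outcome. On ROOT_FOUND, up to buflen-1 bytes of the file are copied to buf
 * (buf may be NULL). O_NOFOLLOW refuses a symlink planted as the final
 * component inside the untrusted root. */
enum root_probe probe_root(pid_t pid, const char *relpath, char *buf, size_t buflen)
{
    char path[PATH_MAX];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    if (stat(path, &st) != 0)
        return errno == ENOENT ? ROOT_NO_SUCH_PROCESS : ROOT_OTHER_ERROR;

    snprintf(path, sizeof path, "/proc/%d/root/%s", (int)pid, relpath);
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) {
        switch (errno) {
        case EACCES: return ROOT_ACCESS_DENIED;  /* proc_pid_get_link denies with EACCES */
        case ENOENT: return ROOT_NO_INFO_FILE;
        default:     return ROOT_OTHER_ERROR;
        }
    }
    if (buf && buflen > 0) {
        ssize_t n = read(fd, buf, buflen - 1);
        buf[n > 0 ? n : 0] = '\0';
    }
    close(fd);
    return ROOT_FOUND;
}

/* Owner uid of the target's user namespace. Returns 0 on success, -1 when it
 * cannot be read (kernel older than 4.11, or the same ptrace check denies
 * following /proc/<pid>/ns/user). */
int userns_owner_uid(pid_t pid, uid_t *owner)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "/proc/%d/ns/user", (int)pid);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = ioctl(fd, NS_GET_OWNER_UID, owner);
    close(fd);
    return rc < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid> [file-under-root]\n", argv[0]);
        return 2;
    }
    pid_t pid = (pid_t)atoi(argv[1]);
    const char *file = argc > 2 ? argv[2] : "flatpak-info"; /* name used in this report */
    char info[4096];
    uid_t owner;

    switch (probe_root(pid, file, info, sizeof info)) {
    case ROOT_FOUND:
        printf("pid %d: confined app, %s:\n%s", (int)pid, file, info);
        break;
    case ROOT_NO_INFO_FILE:
        printf("pid %d: root traversable, no %s: not a confined app\n", (int)pid, file);
        break;
    case ROOT_ACCESS_DENIED:
        printf("pid %d: EACCES on /proc/%d/root: ptrace access check failed\n", (int)pid, (int)pid);
        break;
    case ROOT_NO_SUCH_PROCESS:
        printf("pid %d: no such process\n", (int)pid);
        return 1;
    default:
        printf("pid %d: %s\n", (int)pid, strerror(errno));
        return 1;
    }
    if (userns_owner_uid(pid, &owner) == 0)
        printf("  user namespace owned by uid %u (we are uid %u)\n", (unsigned)owner, (unsigned)getuid());
    else
        printf("  user namespace owner not readable from this uid\n");
    return 0;
}
```

When the kernel refuses /proc/<pid>/root, it normally refuses /proc/<pid>/ns/user for the same reason, so the owner line is informative mainly when the traversal succeeded (a user-owned namespace, or no namespace at all) or when the tool is run as root to confirm that the sandbox's user namespace is owned by uid 0.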