On Tue, Jul 07, 2026 at 09:09:18PM -0500, Michael Cronenworth wrote:
> On 7/7/26 9:23 AM, Aaron Rainbolt wrote:
> > This does not work. Someone did*exactly* this and I was able to
> > leverage it to escape sandboxes (vuln report is under embargo at the
> > moment). When you use a binfmt-misc handler, then when the sandboxed
> > executable tries to run the program, the kernel runs it*in* the
> > sandbox. When you use a MIME handler that gates access on the
> > executable bit, where the handler executes outside of the sandbox,
> > then when the sandboxed executable calls the MIME handler on a
> > marked-executable file, the file runs outside of (and thus escapes)
> > the sandbox.
> 
> Fedora double-dips. We register both as a binfmt-misc handler (only when you
> have wine-systemd installed) and via the upstream .desktop files.
> 
> I'm watching this thread but I don't have any suggestions at this time. My
> first impression is why does Flatpak change namespace/scope when performing
> MIME operations, but I don't know enough about the architecture to know why.

Is the solution not a matter of making the binfmt-misc handler always
be installed by the core wine RPM, and droppping the .desktop file ?

Upstream quite reasonably wants to use a .desktop file because that
offers greater platform portability. The secrity scenario with flatpaks
sandboxing is only a Linux problem (at least right now). Portability
of .desktop files is not relevant for Fedora though, so surely we can
diverge a little rely on the binfmt-misc file alone and not register
the mime handler ?

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to