On Wed, Jul 8, 2026 at 1:41 PM Daniel P. Berrangé <[email protected]> wrote: > > On Tue, Jul 07, 2026 at 09:09:18PM -0500, Michael Cronenworth wrote: > > On 7/7/26 9:23 AM, Aaron Rainbolt wrote: > > > This does not work. Someone did*exactly* this and I was able to > > > leverage it to escape sandboxes (vuln report is under embargo at the > > > moment). When you use a binfmt-misc handler, then when the sandboxed > > > executable tries to run the program, the kernel runs it*in* the > > > sandbox. When you use a MIME handler that gates access on the > > > executable bit, where the handler executes outside of the sandbox, > > > then when the sandboxed executable calls the MIME handler on a > > > marked-executable file, the file runs outside of (and thus escapes) > > > the sandbox. > > > > Fedora double-dips. We register both as a binfmt-misc handler (only when you > > have wine-systemd installed) and via the upstream .desktop files. > > > > I'm watching this thread but I don't have any suggestions at this time. My > > first impression is why does Flatpak change namespace/scope when performing > > MIME operations, but I don't know enough about the architecture to know why. > > Is the solution not a matter of making the binfmt-misc handler always > be installed by the core wine RPM, and droppping the .desktop file ?
Correct! > Upstream quite reasonably wants to use a .desktop file because that > offers greater platform portability. The secrity scenario with flatpaks > sandboxing is only a Linux problem (at least right now). Portability Let's not get too focused on flatpak. The entire argument from CS Sushi Man is also that this is all the fault of Flatpak/Portals because it assumes something is safe that never was safe. What wine is doing is and was never safe or right. If you download an exe file in your browser and then click on it, it will run. The same does not happen for ELF and sh files (even ignoring the whole executable bit thing). Windows at least shoves a big warning in your face first. We don't, and we can't with MIME handlers. This has always been absolutely broken and there is no excuse for this. It's just way harder to explain how this is an issue, and people will try to weasel their way out of taking responsibility and argue that users should know which files are executables or something like that. With Flatpak, this is now obviously broken: it provides a sandbox escape. > of .desktop files is not relevant for Fedora though, so surely we can > diverge a little rely on the binfmt-misc file alone and not register > the mime handler ? > > With regards, > Daniel > -- > |: https://berrange.com ~~ https://hachyderm.io/@berrange :| > |: https://libvirt.org ~~ https://entangle-photo.org :| > |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| > > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
