mirror/flatpak
1
0
Fork 0
mirror of https://github.com/flatpak/flatpak.git synced 2026-05-18 13:52:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

run: Never inherit permissions from the runtime

Browse Source 
We want inherit environment variables, but not actual permissions,
those need to be requested by the app only.

Closes: #1799
Approved by: alexlarsson
This commit is contained in:
Alexander Larsson
2018-06-19 15:37:36 +02:00
committed by Atomic Bot
parent 80a33e6a1b
commit 065053775b
3 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/flatpak-context-private.h
View File

@@ -109,6 +109,7 @@ void flatpak_context_add_bus_filters (FlatpakContext *context,
gboolean flatpak_context_get_needs_session_bus_proxy (FlatpakContext *context);
gboolean flatpak_context_get_needs_system_bus_proxy (FlatpakContext *context);
void flatpak_context_reset_permissions (FlatpakContext *context);
void flatpak_context_make_sandboxed (FlatpakContext *context);
gboolean flatpak_context_allows_features (FlatpakContext *context,

20
common/flatpak-context.c
View File

@@ -1793,6 +1793,26 @@ flatpak_context_add_bus_filters (FlatpakContext *context,
}
}
void
flatpak_context_reset_permissions (FlatpakContext *context)
{
context->shares_valid = 0;
context->sockets_valid = 0;
context->devices_valid = 0;
context->features_valid = 0;
context->shares = 0;
context->sockets = 0;
context->devices = 0;
context->features = 0;
g_hash_table_remove_all (context->persistent);
g_hash_table_remove_all (context->filesystems);
g_hash_table_remove_all (context->session_bus_policy);
g_hash_table_remove_all (context->system_bus_policy);
g_hash_table_remove_all (context->generic_policy);
}
void
flatpak_context_make_sandboxed (FlatpakContext *context)
{

11
common/flatpak-run.c
View File

@@ -1549,9 +1549,14 @@ flatpak_app_compute_permissions (GKeyFile *app_metadata,
app_context = flatpak_context_new ();
if (runtime_metadata != NULL &&
!flatpak_context_load_metadata (app_context, runtime_metadata, error))
return NULL;
if (runtime_metadata != NULL)
{
if (!flatpak_context_load_metadata (app_context, runtime_metadata, error))
return NULL;
/* Don't inherit any permissions from the runtime, only things like env vars. */
flatpak_context_reset_permissions (app_context);
}
if (app_metadata != NULL &&
!flatpak_context_load_metadata (app_context, app_metadata, error))