diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h
index 18be96b89..ff850147e 100644
--- a/common/flatpak-context-private.h
+++ b/common/flatpak-context-private.h
@@ -109,6 +109,7 @@ void flatpak_context_add_bus_filters (FlatpakContext *context,
 gboolean flatpak_context_get_needs_session_bus_proxy (FlatpakContext *context);
 gboolean flatpak_context_get_needs_system_bus_proxy (FlatpakContext *context);
+void flatpak_context_reset_permissions (FlatpakContext *context);
 void flatpak_context_make_sandboxed (FlatpakContext *context);
 gboolean flatpak_context_allows_features (FlatpakContext *context,
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index a216965ca..241023d9e 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1793,6 +1793,26 @@ flatpak_context_add_bus_filters (FlatpakContext *context,
 }
 }
+void
+flatpak_context_reset_permissions (FlatpakContext *context)
+{
+ context->shares_valid = 0;
+ context->sockets_valid = 0;
+ context->devices_valid = 0;
+ context->features_valid = 0;
+
+ context->shares = 0;
+ context->sockets = 0;
+ context->devices = 0;
+ context->features = 0;
+
+ g_hash_table_remove_all (context->persistent);
+ g_hash_table_remove_all (context->filesystems);
+ g_hash_table_remove_all (context->session_bus_policy);
+ g_hash_table_remove_all (context->system_bus_policy);
+ g_hash_table_remove_all (context->generic_policy);
+}
+
 void
 flatpak_context_make_sandboxed (FlatpakContext *context)
 {
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 92926a138..93b101528 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
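Review bot: flatpak_context_reset_permissions in common/flatpak-context.c clears permissions by naming each field one by one, so a permission field added to FlatpakContext later would stay inherited from the runtime unless this list is extended at the same time. The function also carries no comment saying which state it deliberately leaves in place; going by the caller's comment in flatpak-run.c, environment variables are presumably meant to survive. I would add a header comment such as `/* Drop every permission grant held by the context; non-permission state (e.g. environment variables) is kept. Extend this whenever a permission field is added to FlatpakContext. */`. A matching reminder next to the struct definition, which is outside this diff, would help too.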
@@ -1549,9 +1549,14 @@ flatpak_app_compute_permissions (GKeyFile *app_metadata,
 app_context = flatpak_context_new ();
- if (runtime_metadata != NULL &&
- !flatpak_context_load_metadata (app_context, runtime_metadata, error))
- return NULL;
+ if (runtime_metadata != NULL)
+ {
+ if (!flatpak_context_load_metadata (app_context, runtime_metadata, error))
+ return NULL;
+
+ /* Don't inherit any permissions from the runtime, only things like env vars. */
+ flatpak_context_reset_permissions (app_context);
+ }
 if (app_metadata != NULL &&
 !flatpak_context_load_metadata (app_context, app_metadata, error))
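Review bot: The new comment in flatpak_app_compute_permissions says the runtime contributes "only things like env vars", which leaves the security contract of this call open to interpretation. The reset is what keeps runtime metadata from granting shares, sockets, devices, filesystem or bus access to the app, so the comment should name what survives, e.g. `/* The runtime may contribute only non-permission state (environment variables); every permission grant must come from metadata loaded after this point. */`. No test is visible in this diff; a case where the runtime metadata declares a permission and the computed context does not carry it would pin the behaviour against regressions. The function body continues outside the hunk.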