From 2ae9cfd95082286c790e3f5b571b2e50f6a01aff Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Tue, 4 Mar 2025 18:11:08 +0000 Subject: [PATCH] dir: Allow app updates without consulting parental controls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, app installs and updates are treated the same from the point of view of the parental controls permissions checks. This was intended so that parents have to re-check each app update to make sure it’s still appropriate for their children. In practice, though, parents are not that hands-on, and there are a lot of regular app updates. The current tradeoff, between getting app updates (which bring security fixes and features) and keeping apps from changing so much that a parent’s initial assessment of their suitability for their child no longer holds, is probably skewed the wrong way. We should be preferring updates (in particular, so we get security updates), and assuming that if an app is OK to begin with, it’s probably not going to change so radically as to become unsuitable for a child with an update. As a data point, Google Play’s parental controls will allow apps to be automatically updated even if a child account can’t install new apps. So, implement this by splitting the existing `org.freedesktop.Flatpak.override-parental-controls` polkit action in two: the existing action for _installs_, and a new `org.freedesktop.Flatpak.override-parental-controls-update` action for _updates_. `FlatpakDir` is changed to use the appropriate action depending on whether an app is being installed from scratch or updated. The default policies for the two actions differ. Users/Distros who disagree with the new default policy can provide their own polkit rules to change the behaviour of `override-parental-controls-update` so that it matches `override-parental-controls`, to bring back the old behaviour.
Signed-off-by: Philip Withnall
Fixes: https://github.com/flatpak/flatpak/issues/5552
---
 common/flatpak-dir-private.h | 1 +
 common/flatpak-dir.c | 13 +++++++--
 .../org.freedesktop.Flatpak.policy.in | 28 ++++++++++++++++++-
 3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h
index 871f40b6..ca000602 100644
--- a/common/flatpak-dir-private.h
+++ b/common/flatpak-dir-private.h
@@ -663,6 +663,7 @@ gboolean flatpak_dir_deploy (Fla
 const char *checksum_or_latest,
 const char * const *subpaths,
 const char * const *previous_ids,
+ const char *parental_controls_action_id,
 GCancellable *cancellable,
 GError **error);
 gboolean flatpak_dir_deploy_update (FlatpakDir *self,
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 20463af9..71688ddc 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -8551,6 +8551,7 @@ static gboolean
 flatpak_dir_check_parental_controls (FlatpakDir *self,
 const char *ref,
 GBytes *deploy_data,
+ const char *action_id,
 GCancellable *cancellable,
 GError **error)
 {
@@ -8677,7 +8678,7 @@ flatpak_dir_check_parental_controls (FlatpakDir *self,
 if (!flatpak_dir_get_no_interaction (self))
 polkit_flags |= POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
 result = polkit_authority_check_authorization_sync (authority, subject,
- "org.freedesktop.Flatpak.override-parental-controls",
+ action_id,
 NULL,
 polkit_flags,
 cancellable, error);
@@ -8722,6 +8723,7 @@ flatpak_dir_deploy (FlatpakDir *self,
 const char *checksum_or_latest,
 const char * const * subpaths,
 const char * const * previous_ids,
+ const char *parental_controls_action_id,
 GCancellable *cancellable,
 GError **error)
 {
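Review bot: The new `action_id` parameter of flatpak_dir_check_parental_controls (the 8551 hunk) selects which polkit policy gates the deployment, yet it is passed to polkit_authority_check_authorization_sync in the 8677 hunk with no documentation and, in the visible lines, no validation; `parental_controls_action_id` in the flatpak_dir_deploy hunk has the same gap. A caller passing NULL would presumably reach polkit with a NULL action ID instead of failing at the call site. I would add `g_return_val_if_fail (action_id != NULL, FALSE);` at the top of flatpak_dir_check_parental_controls and a doc line such as `/* @action_id: polkit action consulted when the app is blocked by the user's parental controls policy; installs and updates pass different actions with different default policies */`. Both function bodies continue outside the hunks.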
@@ -9103,7 +9105,9 @@ flatpak_dir_deploy (FlatpakDir *self,
 /* Check the app is actually allowed to be used by this user. This can block
 * on getting authorisation. */
- if (!flatpak_dir_check_parental_controls (self, flatpak_decomposed_get_ref (ref), deploy_data, cancellable, error))
+ if (!flatpak_dir_check_parental_controls (self, flatpak_decomposed_get_ref (ref),
+ deploy_data, parental_controls_action_id,
+ cancellable, error))
 return FALSE;
 deploy_data_file = g_file_get_child (checkoutdir, "deploy");
@@ -9238,7 +9242,9 @@ flatpak_dir_deploy_install (FlatpakDir *self,
 created_deploy_base = TRUE;
 if (!flatpak_dir_deploy (self, origin, ref, NULL, (const char * const *) subpaths,
- previous_ids, cancellable, error))
+ previous_ids,
+ "org.freedesktop.Flatpak.override-parental-controls",
+ cancellable, error))
 goto out;
 if (flatpak_decomposed_is_app (ref))
@@ -9339,6 +9345,7 @@ flatpak_dir_deploy_update (FlatpakDir *self,
 checksum_or_latest,
 opt_subpaths ? opt_subpaths : old_subpaths,
 (const char * const *) previous_ids_owned,
+ "org.freedesktop.Flatpak.override-parental-controls-update",
 cancellable, error))
 return FALSE;
diff --git a/system-helper/org.freedesktop.Flatpak.policy.in b/system-helper/org.freedesktop.Flatpak.policy.in
index ecbaccb5..64eb2e89 100644
--- a/system-helper/org.freedesktop.Flatpak.policy.in
+++ b/system-helper/org.freedesktop.Flatpak.policy.in
@@ -284,7 +284,7 @@ * Set the malcontent `is-system-installation-allowed` property of all users’ parental controls policies to true. --> - Override parental controls + Override parental controls for installs Authentication is required to install software which is restricted by your parental controls policy package-x-generic
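Review bot: The flatpak_dir_deploy_update hunk always passes the more permissive `org.freedesktop.Flatpak.override-parental-controls-update` action, even when the incoming deploy data (which is what the parental-controls check in the 9103 hunk presumably inspects) carries a different content rating from the version currently deployed, so an update whose rating escalates past the user's policy is gated only by the weaker update policy. The commit message's premise is that an approved app will not change radically, but nothing in the new code checks that premise. Consider comparing the content-rating fields of the old and new deploy data in flatpak_dir_deploy_update and passing `"org.freedesktop.Flatpak.override-parental-controls"` when they differ, or at least recording the accepted gap in a comment beside the action ID. flatpak_dir_deploy_update begins outside the hunk, and whether the old deploy data is still in scope at this call is inferred from `old_subpaths`.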
@@ -292,6 +292,32 @@ auth_admin auth_admin + org.freedesktop.Flatpak.override-parental-controls-update + + + + + Override parental controls for updates + Authentication is required to update software which is restricted by your parental controls policy + package-x-generic + + auth_admin + auth_admin + yes +