run: implement sandbox host os-release interface
If available, always read-only bind-mount /etc/os-release as /run/host/os-release (or /usr/lib/os-release as fallback) as suggested by the os-release specification: https://www.freedesktop.org/software/systemd/man/os-release.html
committed by
Alexander Larsson
parent
1bf5f2ed9e
commit
7872935e12
@@ -395,6 +395,14 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
|
||||
flatpak_bwrap_add_args (bwrap,
|
||||
etc_bind_mode, "/etc", "/run/host/etc", NULL);
|
||||
}
|
||||
|
||||
/* As per the os-release specification https://www.freedesktop.org/software/systemd/man/os-release.html
|
||||
* always read-only bind-mount /etc/os-release if it exists, or /usr/lib/os-release as a fallback from
|
||||
* the host into the application's /run/host */
|
||||
if (g_file_test ("/etc/os-release", G_FILE_TEST_EXISTS))
|
||||
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/etc/os-release", "/run/host/os-release", NULL);
|
||||
else if (g_file_test ("/usr/lib/os-release", G_FILE_TEST_EXISTS))
|
||||
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/usr/lib/os-release", "/run/host/os-release", NULL);
|
||||
}
|
||||
|
||||
/* Returns 0 if not visible */
|
||||
|
||||
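Review bot: The two `g_file_test ()` checks only establish that the path exists while the argument list is being assembled; the bind itself is performed later by bwrap, and a plain `--ro-bind` makes sandbox setup fail if the source is gone by then. Because this mount is added to every sandbox regardless of the app's filesystem permissions, a host file that is replaced in that window would fail the launch over an optional convenience; if the minimum supported bubblewrap provides it, `--ro-bind-try` in both calls avoids that, e.g. `flatpak_bwrap_add_args (bwrap, "--ro-bind-try", "/etc/os-release", "/run/host/os-release", NULL);`. `G_FILE_TEST_EXISTS` also accepts a directory, so `G_FILE_TEST_IS_REGULAR` would match the specification's expectation of a file more closely. flatpak_exports_append_bwrap_args begins outside the hunk.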
@@ -112,6 +112,13 @@
|
||||
Flatpak sets the environment variable <envar>FLATPAK_ID</envar> to the application
|
||||
ID of the running app.
|
||||
</para>
|
||||
<para>
|
||||
Flatpak also bind-mounts as read-only the host's <filename>/etc/os-release</filename>
|
||||
(if available, or <filename>/usr/lib/os-release</filename> as a fallback) to
|
||||
<filename>/run/host/os-release</filename> in accordance with the
|
||||
<ulink url="https://www.freedesktop.org/software/systemd/man/os-release.html">
|
||||
os-release specification</ulink>.
|
||||
</para>
|
||||
<para>
|
||||
If parental controls support is enabled, flatpak will check the
|
||||
current user’s parental controls settings, and will refuse to
|
||||
|
||||
@@ -24,7 +24,7 @@ set -euo pipefail
|
||||
skip_without_bwrap
|
||||
skip_revokefs_without_fuse
|
||||
|
||||
echo "1..16"
|
||||
echo "1..17"
|
||||
|
||||
# Use stable rather than master as the branch so we can test that the run
|
||||
# command automatically finds the branch correctly
|
||||
@@ -80,6 +80,28 @@ assert_file_has_content runtime-fpi "^runtime=runtime/org\.test\.Platform/$ARCH/
|
||||
|
||||
ok "run a runtime"
|
||||
|
||||
if [ -f /etc/os-release ]; then
|
||||
run_sh org.test.Platform cat /run/host/os-release >os-release
|
||||
(cd /etc; md5sum os-release) | md5sum -c
|
||||
|
||||
ARGS="--filesystem=host-etc" run_sh org.test.Platform cat /run/host/os-release >os-release
|
||||
(cd /etc; md5sum os-release) | md5sum -c
|
||||
|
||||
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
|
||||
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
|
||||
elif [ -f /usr/lib/os-release ]; then
|
||||
run_sh org.test.Platform cat /run/host/os-release >os-release
|
||||
(cd /usr/lib; md5sum os-release) | md5sum -c
|
||||
|
||||
ARGS="--filesystem=host-os" run_sh org.test.Platform cat /run/host/os-release >os-release
|
||||
(cd /usr/lib; md5sum os-release) | md5sum -c
|
||||
|
||||
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
|
||||
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
|
||||
fi
|
||||
|
||||
ok "host os-release"
|
||||
|
||||
if run org.test.Nonexistent 2> run-error-log; then
|
||||
assert_not_reached "Unexpectedly able to run non-existent runtime"
|
||||
fi
|
||||
|
||||
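Review bot: The write check that closes each branch is repeated verbatim, so the second run adds no coverage; going by the read checks above it, it was presumably meant to run with the extra permission, e.g. `if ARGS="--filesystem=host-etc" run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi` (and `--filesystem=host-os` in the `elif` branch). That is the case worth pinning, since it is the one where the host directory itself may be exposed writable. When the suite runs as an unprivileged user the append is also likely to be rejected by the host file's ownership whether or not the mount is read-only, so this check alone does not show that `--ro-bind` took effect; asserting the `ro` flag for `/run/host/os-release` in the sandbox's `/proc/self/mountinfo` would.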