run: implement sandbox host os-release interface

If available, always read-only bind-mount /etc/os-release as
/run/host/os-release (or /usr/lib/os-release as fallback)
as suggested by the os-release specification:

https://www.freedesktop.org/software/systemd/man/os-release.html
Luca Boccassi
2020-05-27 14:23:03 +01:00
committed by Alexander Larsson
parent 1bf5f2ed9e
commit 7872935e12
3 changed files with 38 additions and 1 deletions


@@ -395,6 +395,14 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
flatpak_bwrap_add_args (bwrap,
etc_bind_mode, "/etc", "/run/host/etc", NULL);
}
/* As per the os-release specification https://www.freedesktop.org/software/systemd/man/os-release.html
* always read-only bind-mount /etc/os-release if it exists, or /usr/lib/os-release as a fallback from
* the host into the application's /run/host */
if (g_file_test ("/etc/os-release", G_FILE_TEST_EXISTS))
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/etc/os-release", "/run/host/os-release", NULL);
else if (g_file_test ("/usr/lib/os-release", G_FILE_TEST_EXISTS))
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/usr/lib/os-release", "/run/host/os-release", NULL);
}
/* Returns 0 if not visible */
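Review bot: The comment above the two `g_file_test` checks does not say that this mount is independent of the app's filesystem permissions, which is the security-relevant part: as far as the hunk shows, every sandboxed app gets the host's distribution name and version at `/run/host/os-release`, even one with no `--filesystem` access. I would add a line such as `* This is intentionally not gated on any filesystem permission; os-release holds only OS identification data.` so a later reader does not take it for an accidental leak. `G_FILE_TEST_EXISTS` is also true for a directory, while the test script checks with `-f`; `G_FILE_TEST_IS_REGULAR` would match that. The function starts outside the hunk, so whether an earlier return can skip this code is not visible here.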


@@ -112,6 +112,13 @@
Flatpak sets the environment variable <envar>FLATPAK_ID</envar> to the application
ID of the running app.
</para>
<para>
Flatpak also bind-mounts as read-only the host's <filename>/etc/os-release</filename>
(if available, or <filename>/usr/lib/os-release</filename> as a fallback) to
<filename>/run/host/os-release</filename> in accordance with the
<ulink url="https://www.freedesktop.org/software/systemd/man/os-release.html">
os-release specification</ulink>.
</para>
<para>
If parental controls support is enabled, flatpak will check the
current users parental controls settings, and will refuse to


@@ -24,7 +24,7 @@ set -euo pipefail
skip_without_bwrap
skip_revokefs_without_fuse
echo "1..16"
echo "1..17"
# Use stable rather than master as the branch so we can test that the run
# command automatically finds the branch correctly
@@ -80,6 +80,28 @@ assert_file_has_content runtime-fpi "^runtime=runtime/org\.test\.Platform/$ARCH/
ok "run a runtime"
if [ -f /etc/os-release ]; then
run_sh org.test.Platform cat /run/host/os-release >os-release
(cd /etc; md5sum os-release) | md5sum -c
ARGS="--filesystem=host-etc" run_sh org.test.Platform cat /run/host/os-release >os-release
(cd /etc; md5sum os-release) | md5sum -c
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
elif [ -f /usr/lib/os-release ]; then
run_sh org.test.Platform cat /run/host/os-release >os-release
(cd /usr/lib; md5sum os-release) | md5sum -c
ARGS="--filesystem=host-os" run_sh org.test.Platform cat /run/host/os-release >os-release
(cd /usr/lib; md5sum os-release) | md5sum -c
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
fi
ok "host os-release"
if run org.test.Nonexistent 2> run-error-log; then
assert_not_reached "Unexpectedly able to run non-existent runtime"
fi
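Review bot: The second write check in each branch of the `host os-release` test is a verbatim copy of the first, so the read-only property is only exercised with default permissions. The read checks run twice, once plain and once with `ARGS="--filesystem=host-etc"` (or `host-os`), and the write check was presumably meant to follow the same pattern: `if ARGS="--filesystem=host-etc" run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi`, with `host-os` in the `elif` branch. That is the case worth covering, because it is the one where the app is also granted access to the host directory that holds the file. `assert_not_reached`, used a few lines below, would give a clearer failure message than a bare `exit 1`.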