run: implement sandbox host os-release interface

If available, always read-only bind-mount /etc/os-release as
/run/host/os-release (or /usr/lib/os-release as fallback)
as suggested by the os-release specification:

https://www.freedesktop.org/software/systemd/man/os-release.html

common/flatpak-exports.c

@@ -395,6 +395,14 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
         flatpak_bwrap_add_args (bwrap,
                                 etc_bind_mode, "/etc", "/run/host/etc", NULL);
     }
+
+  /* As per the os-release specification https://www.freedesktop.org/software/systemd/man/os-release.html
+   * always read-only bind-mount /etc/os-release if it exists, or /usr/lib/os-release as a fallback from
+   * the host into the application's /run/host */
+  if (g_file_test ("/etc/os-release", G_FILE_TEST_EXISTS))
+    flatpak_bwrap_add_args (bwrap, "--ro-bind", "/etc/os-release", "/run/host/os-release", NULL);
+  else if (g_file_test ("/usr/lib/os-release", G_FILE_TEST_EXISTS))
+    flatpak_bwrap_add_args (bwrap, "--ro-bind", "/usr/lib/os-release", "/run/host/os-release", NULL);
 }
 
 /* Returns 0 if not visible */

doc/flatpak-run.xml

@@ -112,6 +112,13 @@
             Flatpak sets the environment variable <envar>FLATPAK_ID</envar> to the application
             ID of the running app.
         </para>
+        <para>
+            Flatpak also bind-mounts as read-only the host's <filename>/etc/os-release</filename>
+            (if available, or <filename>/usr/lib/os-release</filename> as a fallback) to
+            <filename>/run/host/os-release</filename> in accordance with the
+            <ulink url="https://www.freedesktop.org/software/systemd/man/os-release.html">
+            os-release specification</ulink>.
+        </para>
         <para>
             If parental controls support is enabled, flatpak will check the
             current user’s parental controls settings, and will refuse to

tests/test-run.sh

@@ -24,7 +24,7 @@ set -euo pipefail
 skip_without_bwrap
 skip_revokefs_without_fuse
 
-echo "1..16"
+echo "1..17"
 
 # Use stable rather than master as the branch so we can test that the run
 # command automatically finds the branch correctly
@@ -80,6 +80,28 @@ assert_file_has_content runtime-fpi "^runtime=runtime/org\.test\.Platform/$ARCH/
 
 ok "run a runtime"
 
+if [ -f /etc/os-release ]; then
+    run_sh org.test.Platform cat /run/host/os-release >os-release
+    (cd /etc; md5sum os-release) | md5sum -c
+
+    ARGS="--filesystem=host-etc" run_sh org.test.Platform cat /run/host/os-release >os-release
+    (cd /etc; md5sum os-release) | md5sum -c
+
+    if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
+    if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
+elif [ -f /usr/lib/os-release ]; then
+    run_sh org.test.Platform cat /run/host/os-release >os-release
+    (cd /usr/lib; md5sum os-release) | md5sum -c
+
+    ARGS="--filesystem=host-os" run_sh org.test.Platform cat /run/host/os-release >os-release
+    (cd /usr/lib; md5sum os-release) | md5sum -c
+
+    if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
+    if run_sh org.test.Platform "echo test >> /run/host/os-release"; then exit 1; fi
+fi
+
+ok "host os-release"
+
 if run org.test.Nonexistent 2> run-error-log; then
     assert_not_reached "Unexpectedly able to run non-existent runtime"
 fi