From b0a7f8052b9a68a3fe9fbcdc4682e53cdd2b7848 Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Mon, 22 Aug 2016 17:23:32 +0200 Subject: [PATCH] builder: Add --sandbox support This disables build-args support, which is nice when building things on e.g. a shared build-machine, where we don't want the build to be able to break out of the sandbox (by specifying e.g. --share=network). --- builder/builder-context.c | 14 ++++++++++++++ builder/builder-context.h | 3 +++ builder/builder-main.c | 3 +++ builder/builder-manifest.c | 11 +++++------ builder/builder-module.c | 5 ++++- builder/builder-options.c | 9 ++++++++- builder/builder-options.h | 3 ++- doc/flatpak-builder.xml | 11 +++++++++++ 8 files changed, 50 insertions(+), 9 deletions(-) diff --git a/builder/builder-context.c b/builder/builder-context.c index d62854eb..2be2500d 100644 --- a/builder/builder-context.c +++ b/builder/builder-context.c @@ -54,6 +54,7 @@ struct BuilderContext gboolean use_ccache; gboolean build_runtime; gboolean separate_locales; + gboolean sandboxed; }; typedef struct @@ -342,6 +343,19 @@ builder_context_get_keep_build_dirs (BuilderContext *self) return self->keep_build_dirs; } +void +builder_context_set_sandboxed (BuilderContext *self, + gboolean sandboxed) +{ + self->sandboxed = sandboxed; +} + +gboolean +builder_context_get_sandboxed (BuilderContext *self) +{ + return self->sandboxed; +} + gboolean builder_context_get_build_runtime (BuilderContext *self) { diff --git a/builder/builder-context.h b/builder/builder-context.h index 3686e2f0..6d59e4a7 100644 --- a/builder/builder-context.h +++ b/builder/builder-context.h 
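Review bot: The new `sandboxed` field added at the end of struct BuilderContext, and the setter/getter pair that follows it, carry no comment saying what the flag gates; the only record of the intent is the commit message. A one-line comment on the field would save the next reader a trip to builder-options.c, e.g. `gboolean sandboxed; /* --sandbox: reject manifest build-args, which could otherwise relax the flatpak build sandbox (e.g. --share=network) */`. Since the getter is the single point other code consults, a matching sentence on builder_context_get_sandboxed stating that it only controls whether build-args are accepted would make the scope of the guarantee explicit. struct BuilderContext begins outside the hunk.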
@@ -53,6 +53,9 @@ int builder_context_get_n_cpu (BuilderContext *self); void builder_context_set_keep_build_dirs (BuilderContext *self, gboolean keep_build_dirs); gboolean builder_context_get_keep_build_dirs (BuilderContext *self); +void builder_context_set_sandboxed (BuilderContext *self, + gboolean sandboxed); +gboolean builder_context_get_sandboxed (BuilderContext *self); void builder_context_set_global_cleanup (BuilderContext *self, const char **cleanup); const char ** builder_context_get_global_cleanup (BuilderContext *self); diff --git a/builder/builder-main.c b/builder/builder-main.c index d3779a5d..a7e32d48 100644 --- a/builder/builder-main.c +++ b/builder/builder-main.c @@ -43,6 +43,7 @@ static gboolean opt_ccache; static gboolean opt_require_changes; static gboolean opt_keep_build_dirs; static gboolean opt_force_clean; +static gboolean opt_sandboxed; static char *opt_stop_at; static char *opt_arch; static char *opt_repo; @@ -70,6 +71,7 @@ static GOptionEntry entries[] = { { "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_key_ids, "GPG Key ID to sign the commit with", "KEY-ID"}, { "gpg-homedir", 0, 0, G_OPTION_ARG_STRING, &opt_gpg_homedir, "GPG Homedir to use when looking for keyrings", "HOMEDIR"}, { "force-clean", 0, 0, G_OPTION_ARG_NONE, &opt_force_clean, "Erase previous contents of DIRECTORY", NULL }, + { "sandbox", 0, 0, G_OPTION_ARG_NONE, &opt_sandboxed, "Enforce sandboxing, disabling build-args", NULL }, { "stop-at", 0, 0, G_OPTION_ARG_STRING, &opt_stop_at, "Stop building at this module (implies --build-only)", "MODULENAME"}, { NULL } }; @@ -282,6 +284,7 @@ main (int argc, build_context = builder_context_new (base_dir, app_dir); builder_context_set_keep_build_dirs (build_context, opt_keep_build_dirs); + builder_context_set_sandboxed (build_context, opt_sandboxed); if (opt_arch) builder_context_set_arch (build_context, opt_arch); diff --git a/builder/builder-manifest.c b/builder/builder-manifest.c index b65b362e..4eeb49d8 100644 
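Review bot: The help text on the new `--sandbox` option entry in builder-main.c, "Enforce sandboxing, disabling build-args", reads as if build-args were silently dropped, whereas the implementation this commit adds fails the build when any are present. Stating that in the help string avoids surprised users on a shared builder, e.g. `"Enforce sandboxing: fail if the manifest specifies build-args"`. The entries[] table and main() both extend beyond the hunks shown here.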
--- a/builder/builder-manifest.c +++ b/builder/builder-manifest.c @@ -2151,13 +2151,12 @@ builder_manifest_run (BuilderManifest *self, g_ptr_array_add (args, g_strdup_printf ("--bind-mount=/run/ccache=%s", ccache_dir_path)); } - build_args = builder_options_get_build_args (self->build_options, context); + build_args = builder_options_get_build_args (self->build_options, context, error); + if (build_args == NULL) + return FALSE; - if (build_args) - { - for (i = 0; build_args[i] != NULL; i++) - g_ptr_array_add (args, g_strdup (build_args[i])); - } + for (i = 0; build_args[i] != NULL; i++) + g_ptr_array_add (args, g_strdup (build_args[i])); env = builder_options_get_env (self->build_options, context); if (env) diff --git a/builder/builder-module.c b/builder/builder-module.c index d928a4a3..d0fcb1d4 100644 --- a/builder/builder-module.c +++ b/builder/builder-module.c @@ -1239,8 +1239,11 @@ builder_module_build (BuilderModule *self, source_subdir = g_object_ref (source_dir); } + build_args = builder_options_get_build_args (self->build_options, context, error); + if (build_args == NULL) + return FALSE; + env = builder_options_get_env (self->build_options, context); - build_args = builder_options_get_build_args (self->build_options, context); config_opts = builder_options_get_config_opts (self->build_options, context, self->config_opts); if (self->cmake) diff --git a/builder/builder-options.c b/builder/builder-options.c index 05c233a3..15051843 100644 --- a/builder/builder-options.c +++ b/builder/builder-options.c @@ -622,7 +622,8 @@ builder_options_get_env (BuilderOptions *self, BuilderContext *context) char ** builder_options_get_build_args (BuilderOptions *self, - BuilderContext *context) + BuilderContext *context, + GError **error) { g_autoptr(GList) options = get_all_options (self, context); GList *l; 
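Review bot: The new early `return FALSE` in builder_module_build comes directly after the `source_subdir = g_object_ref (source_dir);` branch visible in the context lines, and it leaves the function before any later cleanup runs; if `source_subdir`/`source_dir` are not declared with g_autoptr, the reference taken there is leaked on the sandbox-rejection path, so this is worth checking against the declarations, which are outside the hunk. The equivalent change in builder_manifest_run looks fine as far as the hunk shows, since nothing is acquired between the ccache bind-mount argument and the new check. Both enclosing functions start and end outside their hunks.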
@@ -643,6 +644,12 @@ builder_options_get_build_args (BuilderOptions *self, } } + if (array->len > 0 && builder_context_get_sandboxed (context)) + { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Can't specify build-args in sandboxed build"); + return NULL; + } + g_ptr_array_add (array, NULL); return (char **) g_ptr_array_free (g_steal_pointer (&array), FALSE); diff --git a/builder/builder-options.h b/builder/builder-options.h index 977f3c7e..048d65e8 100644 --- a/builder/builder-options.h +++ b/builder/builder-options.h @@ -47,7 +47,8 @@ const char *builder_options_get_prefix (BuilderOptions *self, char ** builder_options_get_env (BuilderOptions *self, BuilderContext *context); char ** builder_options_get_build_args (BuilderOptions *self, - BuilderContext *context); + BuilderContext *context, + GError **error); char ** builder_options_get_config_opts (BuilderOptions *self, BuilderContext *context, char **base_opts); diff --git a/doc/flatpak-builder.xml b/doc/flatpak-builder.xml index 5b19f0ad..029ec695 100644 --- a/doc/flatpak-builder.xml +++ b/doc/flatpak-builder.xml @@ -739,6 +739,17 @@ + + + + + Disable the possibility to specify build-args that + are passed to flatpak build. This means the build + process can't break out of its sandbox, and is + useful when building less trusted software. + + +
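Review bot: The sandbox check added at the end of builder_options_get_build_args rejects the merged list only after every option layer has been walked, so the error names neither the offending argument nor the option block it came from; including the first rejected value would make a refusal on a shared builder diagnosable, e.g. `"Can't specify build-args in sandboxed build (got '%s')", (const char *) g_ptr_array_index (array, 0)`. The early `return NULL` also relies on `array` being released automatically: the `g_steal_pointer (&array)` on the success path suggests it is a g_autoptr, but the declaration is outside the hunk, so confirm there is no leak on the error path. Note that this gate covers only build-args; any other manifest-controlled value that is spliced into the `flatpak build` argv elsewhere would need the same guard for `--sandbox` to hold. The function begins outside the hunk.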