Commit Graph

7164 Commits

Author SHA1 Message Date
Simon McVittie
dc8227ea8b autogen.sh: Use command -v to check whether commands exist
which(1) is not standardized by POSIX, and has different implementations
and behaviour on different distributions. The behaviour and exit status
of command -v is standardized by POSIX.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-25 10:07:03 +01:00
Philip Withnall
994accceb7 flatpak-transaction: Tidy up property implementation
Remove a redundant `PROP_0` member and add a type for the property IDs
so that the `switch` cases can be checked by `-Wswitch-enum`.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-01-25 10:03:41 +01:00
Philip Withnall
bd4a52e959 flatpak-transaction: Add no-interaction property
This bundles up `{get,set}_no_interaction()` in a way which can be bound
or exposed to bindings.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-01-25 10:03:41 +01:00
Philip Withnall
733835d818 flatpak-transaction: Add get_no_interaction() method
This complements `flatpak_transaction_set_no_interaction()` and allows
calling code to see if a given transaction is interactive.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-01-25 10:03:41 +01:00
Patrick Griffis
49a829cc0b Add have-kernel-module conditional
This is useful for extensions that apply to specific hardware.
2022-01-22 07:39:00 -06:00
Alexander Larsson
7bec38c9d1 flatpak-context: Properly flatten filesystem permissions
When generating flattened permissions (i.e. for --show-permissions or
for the /.flatpak-info file) we're currently flattening the permissions
i.e. don't show things that would only affect layering the permissions).

However, the code doesn't currently do this for the filesystem key, so
implement that. This means we only display the permissions that are
in effect, and don't display "negative" permissions like !host which
are not meaningful in this context.
2022-01-21 13:47:33 +01:00
Simon McVittie
924a7d29c5 Merge NEWS from tag '1.12.4', ignoring changes in po/
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-19 12:55:33 +00:00
Simon McVittie
103ed5c02c Regenerate translation files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
1.12.4
2022-01-18 17:38:36 +00:00
Simon McVittie
d19ed758f9 Release v1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 17:34:01 +00:00
Simon McVittie
617494c63f NEWS: Describe what is intended to appear in 1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
61927c7af7 NEWS: Mention CVE-2022-21682
At the time we wrote the NEWS for 1.12.3, this CVE ID had not yet been
issued.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
f9ce3433e0 test-override: Exercise --nofilesystem=host:reset
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 4aa70d2d72)
2022-01-18 16:35:28 +00:00
Simon McVittie
a16efca8ec test-context: Exercise some corner cases for merging filesystems
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit fab0f8ed7c)
2022-01-18 16:35:28 +00:00
Simon McVittie
0e2e9a5583 test-exports: Exercise host:reset and related filesystem tokens
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit f3d12dc793)
2022-01-18 16:35:28 +00:00
Simon McVittie
4eb3c2addd context: Introduce new --nofilesystem=host:reset
This reintroduces the special case that existed in Flatpak 1.12.3, but
under a different name, so that it will be backwards-compatible. With
this change, flatpak-builder will be able to resolve CVE-2022-21682 by
using --filesystem=host:reset.

We want to implement this as a suffix rather than as a new keyword,
because unknown suffixes are ignored with a warning, rather than causing
a fatal error. This means that the new version of flatpak-builder will
be able to run against older versions of flatpak: it will still be
vulnerable to CVE-2022-21682 in that situation, but at least it will run.

Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 5709f1aaed)
2022-01-18 16:35:28 +00:00
Simon McVittie
47247b0987 test-override: Assert that --nofilesystem with suffix yields a warning
This was added as part of implementing the :reset suffix.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ab0169ee39)
2022-01-18 16:35:28 +00:00
Simon McVittie
ecaabf5e9d test-override: Assert pre-1.12.3 behaviour of --nofilesystem=home, host
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 813e1f0b3b)
2022-01-18 16:35:28 +00:00
Simon McVittie
4a93202fc8 run, override: Clarify the effect of --nofilesystem
There are two reasonable interpretations for --nofilesystem=home:
either it revokes a previous --filesystem=home (as in Flatpak 1.12.2 and
older versions), or it completely forbids access to the home directory
(as in Flatpak 1.12.3). Clarify the man pages to indicate that it only
revokes a previous --filesystem=home. This will hopefully reduce
mismatches between the design and what users expect to happen, as
in flatpak#4654.

A subsequent commit will introduce a way to get the Flatpak 1.12.3
behaviour in a way that is more backwards-compatible with Flatpak 1.12.2
and older versions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7bbeed2b87)
2022-01-18 16:35:28 +00:00
Simon McVittie
a4291cd8e0 Revert "Make --nofilesystem=host/home remove access to subdirs of those"
This caused regressions for some previously-working use cases. For
example, some Flatpak users previously used a global
`flatpak override --nofilesystem=home` or
`flatpak override --nofilesystem=host`, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With
the changes in 1.12.3, this no longer has the desired result, because
`--nofilesystem=home` was special-cased to disallow inheriting the
finer-grained `--filesystem`.

This reverts commit 445bddeee6.

This reverts the initial solution to CVE-2022-21682, which we intend to
resolve differently, by introducing a new feature in Flatpak and making
use of it in a new flatpak-builder version.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 917a7f5870)
2022-01-18 16:35:28 +00:00
Simon McVittie
59dc5f783e Revert "manpages: Document the new details of --nofilesystem behaviour."
The new behaviour caused regressions in some situations that previously
worked, and will be reverted.

This reverts commit 4d11f77aa7.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit dfe868d628)
2022-01-18 16:35:28 +00:00
Simon McVittie
4aa70d2d72 test-override: Exercise --nofilesystem=host:reset
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
fab0f8ed7c test-context: Exercise some corner cases for merging filesystems
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
f3d12dc793 test-exports: Exercise host:reset and related filesystem tokens
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
5709f1aaed context: Introduce new --nofilesystem=host:reset
This reintroduces the special case that existed in Flatpak 1.12.3, but
under a different name, so that it will be backwards-compatible. With
this change, flatpak-builder will be able to resolve CVE-2022-21682 by
using --filesystem=host:reset.

We want to implement this as a suffix rather than as a new keyword,
because unknown suffixes are ignored with a warning, rather than causing
a fatal error. This means that the new version of flatpak-builder will
be able to run against older versions of flatpak: it will still be
vulnerable to CVE-2022-21682 in that situation, but at least it will run.

Co-authored-by: Alexander Larsson <alexl@redhat.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
ab0169ee39 test-override: Assert that --nofilesystem with suffix yields a warning
This was added as part of implementing the :reset suffix.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
813e1f0b3b test-override: Assert pre-1.12.3 behaviour of --nofilesystem=home, host
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
7bbeed2b87 run, override: Clarify the effect of --nofilesystem
There are two reasonable interpretations for --nofilesystem=home:
either it revokes a previous --filesystem=home (as in Flatpak 1.12.2 and
older versions), or it completely forbids access to the home directory
(as in Flatpak 1.12.3). Clarify the man pages to indicate that it only
revokes a previous --filesystem=home. This will hopefully reduce
mismatches between the design and what users expect to happen, as
in flatpak#4654.

A subsequent commit will introduce a way to get the Flatpak 1.12.3
behaviour in a way that is more backwards-compatible with Flatpak 1.12.2
and older versions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
917a7f5870 Revert "Make --nofilesystem=host/home remove access to subdirs of those"
This caused regressions for some previously-working use cases. For
example, some Flatpak users previously used a global
`flatpak override --nofilesystem=home` or
`flatpak override --nofilesystem=host`, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With
the changes in 1.12.3, this no longer has the desired result, because
`--nofilesystem=home` was special-cased to disallow inheriting the
finer-grained `--filesystem`.

This reverts commit 445bddeee6.

This reverts the initial solution to CVE-2022-21682, which we intend to
resolve differently, by introducing a new feature in Flatpak and making
use of it in a new flatpak-builder version.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
dfe868d628 Revert "manpages: Document the new details of --nofilesystem behaviour."
The new behaviour caused regressions in some situations that previously
worked, and will be reverted.

This reverts commit 4d11f77aa7.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 15:30:12 +00:00
Simon McVittie
5dc5b1bb07 test-override: Assert that unimplemented suffix is ignored with a warning
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 8a44df04c8)
2022-01-17 16:03:25 +00:00
Simon McVittie
9bb041f457 test-override: Assert that only the expected term is negated
We weren't distinguishing here between overrides that should have been
negated (xdg-documents) and overrides that should not have been negated
(everything else).

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4e3d1d8b7b)
2022-01-17 16:03:25 +00:00
Simon McVittie
88a928ea62 run: Avoid execve() when measuring test coverage
Normally, we want to save a process and get better signal handling
by replacing the `flatpak run` process with bubblewrap.

However, when we're doing profiling or measuring coverage, we want to
exit cleanly so that profiling data can be recorded, which is done in
an atexit() hook. In this situation, bypass the execve() optimization;
instead, start bubblewrap in the background, immediately wait for it,
and propagate its exit status.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-17 11:43:21 +01:00
Yuri Chornoivan
d567a1af88 Update Ukrainian translation 2022-01-17 11:40:46 +01:00
Anders Jonsson
32024b38d9 Update Swedish translation 2022-01-17 11:40:27 +01:00
Simon McVittie
8a44df04c8 test-override: Assert that unimplemented suffix is ignored with a warning
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-17 11:39:34 +01:00
Simon McVittie
4e3d1d8b7b test-override: Assert that only the expected term is negated
We weren't distinguishing here between overrides that should have been
negated (xdg-documents) and overrides that should not have been negated
(everything else).

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-17 11:39:34 +01:00
Simon McVittie
6780cbdcb7 Don't rely on AS_BUNDLE_KIND_FLATPAK existing
The appstream-glib in Ubuntu 16.04 didn't have this.

Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 97db30f38d)
2022-01-13 09:35:05 +00:00
Simon McVittie
97db30f38d Don't rely on AS_BUNDLE_KIND_FLATPAK existing
The appstream-glib in Ubuntu 16.04 didn't have this.

Signed-off-by: Simon McVittie <smcv@debian.org>
2022-01-12 13:55:49 -08:00
Phaedrus Leeds
a626003d6d dir: Fix typo of bundle 2022-01-12 11:23:36 -08:00
Alexander Larsson
38621b439e Fix 1.12.3 version reference in NEWS 2022-01-12 19:59:36 +01:00
Alexander Larsson
4d11f77aa7 manpages: Document the new details of --nofilesystem behaviour. 2022-01-12 19:48:34 +01:00
Alexander Larsson
445bddeee6 Make --nofilesystem=host/home remove access to subdirs of those
Previously --nofilesystem=host only removed specifically access to the
`host` permissions, and not necessarily other filesystems (like `home`
or `/some/path`). This isn't very useful to limit access because you
don't know what other filesystems the app may have access too.

We change this to mean that `--nofilesystem=host` removes *all* filesystem
access from the parent layer, and `--nofilesystem=home` removes all
file access to the homedir and paths inside it.

The available layers are, in order:

 * app permissions
 * overrides
 * commandline args

This allows you to start from scratch with the filesystem permissions
in the overrides or the commandline. This is a small change in
behaviour, but not a lot of things use --nofilesystem, and the ones
that do probably expects this behaviour.
2022-01-12 19:48:34 +01:00
Phaedrus Leeds
54ec1a482d Add test for metadata validation
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.
2022-01-12 19:48:16 +01:00
Alexander Larsson
65cbfac982 Ensure that bundles have metadata on install
If we have a bundle without metadata we wouldn't properly present
the permissions in the transaction.
2022-01-12 19:48:16 +01:00
Alexander Larsson
93357d3571 Require metadata in commit also for OCI remotes
This was disables a long time ago because the fedora remotes didn't
contain metadata, but that has been added since then. Requiring fixes
a security concern where an app claims to require no permissions (by
having no metadata in commit) but then actually requires permissions
in the installed app.
2022-01-12 19:48:16 +01:00
Alexander Larsson
d9a8f9d8cc Transaction: Fail the resolve if xa.metadata invalid or missing
If we fail to parse xa.metadata from the summary cache or the commit
xa.metadata we fail the resolve.

If xa.metadata is missing in the commit we fail the resolve (it is
always set in the summary cache, because summary update converts
missing xa.metadata to "", so we either get that, or cache miss which
leads to resolving from the commit.

This means that op->resolved_metadata is always set during install and
updates, which means we will show the app permissions. The transaction
will also always make sure that this data actually matches what gets
deployed.

Before this change an invalid metadata in the summary cache could lead
to a NULL resolved_metadata, which means we wouldn't print the app
permissions, yet we would still deploy some metadata file that could
have permissions. (NOTE: It would fail to deploy unless the
xa.metadata in the commit matched the metadata file, but in this
corner case we would't compare the summary and commit metadata, so
they may differ.)
2022-01-12 19:48:16 +01:00
Ryan Gonzalez
ba818f504c Fix metadata file contents after null terminators being ignored
In particular, if a null terminator is placed inside the metadata file,
Flatpak will only compare the text *before* it to the value of
xa.metadata, but the full file will be parsed when permissions are set
at runtime. This means that any app can include a null terminator in its
permissions metadata, and Flatpak will only show the user the
permissions *preceding* the terminator during install, but the
permissions *after* the terminator are applied at runtime.

Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
2022-01-12 19:48:16 +01:00
Alexander Larsson
e528dcf196 Update pofiles for release 1.12.3 2022-01-12 13:13:24 +01:00
Alexander Larsson
08cf080287 Update NEWS for 1.12.3 2022-01-12 12:42:33 +01:00
Alexander Larsson
8573fdc54f Bump version to 1.12.3 2022-01-12 11:53:58 +01:00