7245 Commits

Author SHA1 Message Date
Matthias Clasen
f2ebccf670 Validate exported commands a bit
Avoid obvious nonsense.
2023-05-03 07:39:28 -04:00
Matthias Clasen
f680676da8 Use + as separator
As pointed out in review, '-' has a risk of being ambiguous,
since it is allowed in the APP_ID.

Update the docs and provide some more guidance on suitable
COMMAND names.
2023-05-03 07:39:14 -04:00
Matthias Clasen
20c0700f70 Actually run the exported command in the wrapper
This was an oversight from copying the original wrapper setup code.

Co-authored-by: Robert McQueen <rob@endlessm.com>
2023-05-03 07:39:13 -04:00
Matthias Clasen
011bb1f237 Document new options and keys 2023-05-03 07:38:55 -04:00
Matthias Clasen
0e40ef8284 Fix the build with older glib 2023-05-03 07:38:55 -04:00
Matthias Clasen
501a797287 Add a way to export multiple commands
Add an --export-command=COMMAND option to the
build-finish command, export it under the exported-commands
key in the metadata file, and generate
APPID-command shell wrappers for each of them.
2023-05-02 16:33:55 -04:00
K.B.Dharun Krishna
1cbff35386 check.yml: bump Ubuntu runner for valgrind 2023-04-08 21:22:09 -05:00
K.B.Dharun Krishna
a98854b1a0 check.yml: bump actions/upload-artifacts to v3 2023-04-08 21:22:09 -05:00
K.B.Dharun Krishna
cb655ab336 check.yml: remove glib260 ppa
The required package is present in Ubuntu repos https://packages.ubuntu.com/focal/libglib2.0-dev
2023-04-08 21:22:09 -05:00
K.B.Dharun Krishna
dad39f61b5 block-autosquash-commits.yml: bump block-autosquash-commits-action version to 2.2.0 2023-04-08 21:22:09 -05:00
K.B.Dharun Krishna
97768cea84 check.yml: bump actions/checkout version and replace deprecated 18.04 runner with 20.04 2023-04-08 21:22:09 -05:00
Jan Macku
026bb1d01a ci: trigger differential-shellcheck workflow on push
Fixes: redhat-plumbers-in-action/differential-shellcheck#215
2023-03-31 16:38:25 +01:00
Dan Nicholson
5069fd6a21 tests: Add a test for atomicity of eol-rebase updates
This adds a test to cover the changes in the previous commit.

Helps: #3991
2023-03-30 14:54:18 +02:00
Philip Withnall
9a2d0413f5 app: Port transaction subclasses to use add_rebase_and_uninstall()
This fixes the possible situation where an eol-rebase app can be
uninstalled and the new version not correctly installed (due to, for
example, the install op failing due to a lack of disk space).

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #3991
2023-03-30 14:54:18 +02:00
Philip Withnall
a0f80cb32a transaction: Add new flatpak_transaction_add_rebase_and_uninstall() API
This mostly replaces `flatpak_transaction_add_rebase()`. It’s necessary
because the uninstall op for an eol-rebased app needs to be linked to
the install/update op for the rebased app, otherwise one op can proceed
after the other has failed (or they can be run in the wrong order) and
result in the old app being uninstalled but the new one not installed.

The following commit will port the internal flatpak `FlatpakTransaction`
subclasses to use it. Other consumers of `FlatpakTransaction` (such as
gnome-software) will have to be ported as well.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #3991
2023-03-30 14:54:18 +02:00
Philip Withnall
0fff6ac171 transaction: Add an out_op argument to flatpak_transaction_add_ref()
This will be used in the next commit to simplify some new code.
Currently, this introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #3991
2023-03-30 14:54:18 +02:00
Simon McVittie
cffc3aed5b testlibrary: Initialize autofree variable to silence a compiler warning
As with commit 43085c0e "dir: Consistently initialize g_autofree
variables", this is currently harmless because we never actually
early-return or goto out of the region between declaration and
initialization, but some compiler versions log a warning here anyway.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-30 14:42:44 +02:00
Alexander Larsson
23ec4eda2f Use new --disable-userns bubblewrap feature when possible
This feature (added in https://github.com/containers/bubblewrap/pull/488)
allows us to improve the guarantees of disallowing the sandbox to use
recursive user namespaces (which is a security risk) compared to the
existing limits that use seccomp.

[smcv: Move this to flatpak_run_setup_base_argv() so it will apply
equally in apply_extra_data() and `flatpak build`; make the compile-time
check for a setuid bwrap into a runtime check]

Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-24 13:29:32 +00:00
Simon McVittie
4650179d7c build: Require bubblewrap 0.8.0
This lets us use its new features unconditionally.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-24 13:29:32 +00:00
Simon McVittie
0e3e646839 run: Make it clearer that rest_argv_start is not used uninitialized
rest_argv_start is initialized whenever rest_argc != 0, so the previous
code was in fact safe; but this wasn't obvious to either a human reader
or the compiler, and some gcc versions warn here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-20 12:19:15 +00:00
Simon McVittie
43085c0e2a dir: Consistently initialize g_autofree variables
All g_autofree and g_autoptr variables should be initialized, either
with a value or NULL, and some gcc versions warn if they are not.

This particular instance was harmless, because we initialized regexp
to either NULL or a valid non-NULL value as the first statement of the
function, so there was no way to return before regexp was initialized;
but if we introduced an early-return such as a g_return_val_if_fail
before the current first statement, then that early return would have
caused uninitialized stack contents to be freed, likely resulting in a
crash.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-20 12:19:15 +00:00
Simon McVittie
ec6ca9b6a6 Update submodule: bubblewrap 0.8.0
* Improve error message if seccomp is disabled in kernel config
* Add --disable-userns option (needed for #5084)
* Add --assert-userns-disabled option (needed for #5084)

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-20 12:11:01 +00:00
Philip Withnall
ce4bb3d153 dir: Fix a minor leak of an OSTree checksum
The checksum here can leak if `flatpak_dir_remote_load_cached_summary()`
returns false at least once.

Spotted by asan while running gnome-software:
```
Direct leak of 2925 byte(s) in 45 object(s) allocated from:
    #0 0x7f44774ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
    #1 0x7f44764c941a in g_malloc ../../source/glib/glib/gmem.c:130
    #2 0x7f445bc860e7 in ostree_checksum_from_bytes src/libostree/ostree-core.c:1599
    #3 0x7f445bdbea82 in flatpak_dir_remote_fetch_indexed_summary /opt/gnome/source/flatpak/common/flatpak-dir.c:12563
    #4 0x7f445bd9932e in flatpak_remote_state_ensure_subsummary /opt/gnome/source/flatpak/common/flatpak-dir.c:577
    #5 0x7f445bdbfd42 in _flatpak_dir_get_remote_state /opt/gnome/source/flatpak/common/flatpak-dir.c:12872
    #6 0x7f445bdc006c in flatpak_dir_get_remote_state_optional /opt/gnome/source/flatpak/common/flatpak-dir.c:12953
    #7 0x7f445be07886 in flatpak_transaction_ensure_remote_state /opt/gnome/source/flatpak/common/flatpak-transaction.c:2057
    #8 0x7f445be095c7 in flatpak_transaction_add_ref /opt/gnome/source/flatpak/common/flatpak-transaction.c:2732
    #9 0x7f445be09c37 in flatpak_transaction_add_update /opt/gnome/source/flatpak/common/flatpak-transaction.c:2940
    #10 0x7f445bdd202c in flatpak_installation_list_installed_refs_for_update /opt/gnome/source/flatpak/common/flatpak-installation.c:1103
    #11 0x7f445bf07824 in gs_flatpak_add_updates ../../source/gnome-software/plugins/flatpak/gs-flatpak.c:2082
    #12 0x7f445bf2e2b9 in gs_plugin_add_updates ../../source/gnome-software/plugins/flatpak/gs-plugin-flatpak.c:484
    #13 0x7f44770533b2 in gs_plugin_loader_call_vfunc ../../source/gnome-software/lib/gs-plugin-loader.c:620
    #14 0x7f447705430f in gs_plugin_loader_run_results ../../source/gnome-software/lib/gs-plugin-loader.c:748
    #15 0x7f447706cb03 in gs_plugin_loader_process_thread_cb ../../source/gnome-software/lib/gs-plugin-loader.c:3110
    #16 0x7f44769967ed in g_task_thread_pool_thread ../../source/glib/gio/gtask.c:1531
    #17 0x7f447650e760 in g_thread_pool_thread_proxy ../../source/glib/glib/gthreadpool.c:350
    #18 0x7f447650dd02 in g_thread_proxy ../../source/glib/glib/gthread.c:831
```

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2023-03-20 12:10:41 +00:00
Simon McVittie
a058d9617f tests: Call g_test_init() before isolated_test_dir_global_setup()
g_test_init() is meant to be called before any other use of GTest APIs,
and isolated_test_dir_global_setup() can call g_test_message(). GLib
2.76 makes this more of a practical problem.

(isolated_test_dir_global_setup() is essentially a reimplementation of
G_TEST_OPTION_ISOLATE_DIRS, since we don't depend on GLib 2.60.)

Alternative to https://github.com/flatpak/flatpak/pull/5355.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-17 16:34:09 +00:00
Simon McVittie
319832190f security policy: Downgrade 1.12.x, 1.10.x to "supported if feasible"
We have too many branches and too few maintainers to be able to treat
old-stable branches as fully supported.

Helps: #5352
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-17 13:36:50 +00:00
Jan Alexander Steffens (heftig)
c9cbdf5179 Set size of file info for symlinks to 0
`ostree_raw_file_to_content_stream` will try to read it, causing a
critical warning with GLib 2.76 causing tests to fail.
2023-03-17 13:27:21 +00:00
Simon McVittie
e936e3100d Update translation files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
Tag: 1.15.4
2023-03-16 09:54:14 +00:00
Simon McVittie
7bfc469e38 Prepare v1.15.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:54:14 +00:00
Simon McVittie
e8219ad8c8 Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:54:14 +00:00
Simon McVittie
8e63de9a7d run: Prevent TIOCLINUX ioctl, the same as TIOCSTI
The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.

This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.

CVE-2023-28100, GHSA-7qpw-3vjv-xrqp

Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
2023-03-16 09:54:14 +00:00
Simon McVittie
409e34187d cli-transaction: Escape any special characters in the EOL reason
CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:54:14 +00:00
Ryan Gonzalez
7fe63f2e8f Reject paths given to --filesystem/--persist with special characters
There isn't much in the way of legit reasons for this, but it's a
potential security footgun when displaying the text.

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Co-authored-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:54:14 +00:00
Ryan Gonzalez
6cac99dafe Ensure special characters in permissions and metadata are escaped
This prevents someone from placing special characters in order to
manipulate the appearance of the permissions list.

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
2023-03-16 09:54:14 +00:00
Sabri Ünal
3abfddba92 Update Turkish Translation
- Translate new strings.
- To ensure consistency with Git terminology, use "İşleme" as a translation for "Commit".
2023-03-16 09:34:52 +00:00
Anders Jonsson
47d522acd0 Update Swedish translation 2023-03-16 09:34:18 +00:00
Mejans
da6c7e66eb Occitan translations updated 2023-03-16 09:33:12 +00:00
Fabio Pagnotta
fc05e818f0 Document path used for flatpak-override 2023-03-06 13:02:51 -06:00
Piotr Drąg
2e633bd7fa Update Polish translation 2023-03-06 15:47:19 +00:00
Philip Withnall
209d4bba0d transaction: Remove unused error argument from flatpak_transaction_add_op()
Introduces no functional changes, but simplifies the code a little.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2023-02-23 18:57:50 +00:00
Philip Withnall
0b106a992f transaction: Fix a minor typo in a documentation comment
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2023-02-21 19:59:30 +00:00
Dmitry
9db4cc7d7b Russian translation update 2023-02-21 19:59:01 +00:00
Simon McVittie
756994b5c4 Prepare v1.15.3
Signed-off-by: Simon McVittie <smcv@collabora.com>
Tag: 1.15.3
2023-02-21 10:03:49 +00:00
Simon McVittie
09d6adcb78 Update i18n files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 10:03:49 +00:00
Simon McVittie
26be72d070 meson: Use flatpak in all-lower-case as the machine-readable project name
The Meson project name is more like Autotools PACKAGE_TARNAME, and in
particular is used in the name of the dist tarball.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 10:03:49 +00:00
Simon McVittie
0a4ce23448 README: Signpost https://flatpak.org/setup/ as a good way to install
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 09:55:10 +00:00
Simon McVittie
cf2a4f2b59 CONTRIBUTING: Recommend building this branch with Meson
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 09:54:46 +00:00
Simon McVittie
cb7f17b1d2 release-checklist: Describe how to do releases with Meson
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 09:20:02 +00:00
Simon McVittie
9fa89a9587 meson: Include the same i18n bug reporting address as for Autotools
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 09:19:37 +00:00
Simon McVittie
30c6b7dbf2 Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-02-21 09:09:56 +00:00
Rodhos
88c187e44a update es.po 2023-02-21 09:07:51 +00:00