We don't need to check for GLib 2.44 (the first release with g_autoptr()
support) since Flatpak requires that version in configure.ac.
Fixes https://github.com/flatpak/flatpak/issues/3403
We can only support this if the host bwrap is not setuid (at least for
now). This allows callers to detect this case ahead of time. We also
detect this case when called and return a better error code that
can be detected.
This uses the new bwrap feature via flatpak run --parent-expose-pids to
make the new sandbox pid namespace be a child of the caller's sandbox.
Pretty obvious, the only weird thing is that we can't get the peer pid
directly from the caller (as it goes via the dbus proxy) so we have
to look that up from the instance data.
We were using i instead of handle to index the file descriptors, which
is likely to be the same (due to ordering) but not really
correct. Also rename the variables to make this code easier to read.
Also, add some bounds check on the handles wrt the fd list.
This allows you to open up things (if the calling app has access) for
the sandboxed child.
Rather than duplicating all possible sandboxing technical details we
specify things at a higher level. We just assume you want the same
access as the caller (i.e. x11[-fallback] and/or wayland), as this is
easier to use for the caller and more flexible for us to later add new
technical details as needed.
Allow overriding $datadir/xdg-desktop-portal/portals using the
$XDG_DESKTOP_PORTAL_DIR env var. We will need this in the test suite when
we want to pass in our own (faked) portal implementation.
We add socat to the test runtime, and then we use that to run a
test app outside the sandbox as if it was inside.
The testcase connects, creates a monitor and ensures we properly get signals
for updates.
This allows an application to request it to be updated to the latest version.
The updates are done out-of-process by re-spawning the portal (via
/proc/self/exe) and proxying the relevant events over a socket pair, in
order to avoid any long term stability or memory requirements from
running the update operation.
As per https://gitlab.gnome.org/GNOME/glib/merge_requests/490
there is a bug in glib < 2.60 where g_spawn_* can sometimes deadlock
due to using malloc in the child func to close fds.
We work around this in places where the code is (potentially) threaded
by passing glib flags to leave fds alone and then do a very naive
(but safe) fd cloexec loop ourselves.
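The fd loop described above, as an added example (not flatpak's or GLib's own code): a child-setup routine that marks every inherited descriptor above stdio close-on-exec using only fcntl(), so it never allocates between fork() and exec(). It is meant to be installed as the child_setup callback while passing G_SPAWN_LEAVE_DESCRIPTORS_OPEN so GLib does not walk the fd table itself; the 4096 fallback is an assumption for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Mark fds [3, open_max) close-on-exec without calling malloc() or opening
 * /proc/self/fd, which makes it safe after fork() in a threaded process.
 * Returns the number of descriptors whose flags were actually changed. */
long mark_fds_cloexec(void)
{
    long open_max = sysconf(_SC_OPEN_MAX);
    long changed = 0;
    int fd;

    if (open_max < 0)
        open_max = 4096;   /* assumption for the example: conservative fallback */

    for (fd = 3; fd < open_max; fd++)
      {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0)
          continue;        /* EBADF: this slot is not open, nothing to do */
        if (flags & FD_CLOEXEC)
          continue;        /* already close-on-exec, leave it alone */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
          changed++;
      }
    return changed;
}

/* Report whether a descriptor is currently close-on-exec. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}
```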
If the buffer is too small, readlink() returns the number of bytes that
would have been stored if the buffer had been large enough.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #2873
Approved by: matthiasclasen
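A readlink() wrapper illustrating the truncation case from the commit above, as an added example that is not flatpak's own code: any return value equal to or exceeding the buffer size is treated as truncation rather than a usable path. The self-check creates a symlink with a constructed target under a temporary directory; the target string and the /tmp prefix are assumptions for the example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 when buf holds the NUL-terminated link target, 0 when the
 * buffer was too small (errno = ENAMETOOLONG), -1 on a readlink() error. */
int readlink_checked(const char *path, char *buf, size_t bufsize)
{
    ssize_t n;

    if (bufsize == 0) { errno = EINVAL; return -1; }
    n = readlink(path, buf, bufsize);
    if (n < 0)
        return -1;
    /* readlink() does not NUL-terminate; a full buffer means the target may
     * have been cut short, so refuse to use it instead of guessing. */
    if ((size_t) n >= bufsize) { errno = ENAMETOOLONG; return 0; }
    buf[n] = '\0';
    return 1;
}

/* Self-check: probe a constructed symlink with a too-small and a large
 * buffer. Returns 1 if truncation is reported for the small buffer and the
 * large buffer yields the exact target, 0 otherwise. */
int readlink_checked_selfcheck(void)
{
    char dir[] = "/tmp/readlink-example-XXXXXX";      /* constructed */
    char link[64], small[8], big[128];
    const char *target = "/constructed/long/symlink/target/path";
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/l", dir);
    if (symlink(target, link) == 0)
      {
        ok = readlink_checked(link, small, sizeof small) == 0
             && errno == ENAMETOOLONG
             && readlink_checked(link, big, sizeof big) == 1
             && strcmp(big, target) == 0;
        unlink(link);
      }
    rmdir(dir);
    return ok;
}
```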
Uncrustify has an option "nl_func_var_def_blk" which is supposed to
ensure there's a newline character between the block of variable
definitions and the rest of the function body, but it gets confused and
thinks that the first instance of "g_autoptr" or "g_auto" being used on
a variable is the start of the function body. So this commit removes
those extra newline characters and removes that option in uncrustify.cfg
so they don't get re-added the next time uncrustify is run.
Here's the command I used:
perl -0777 -i -pe 's/\n(\n\s*g_auto\()/\1/g' `git ls-tree --name-only
-r HEAD | grep \\\.[ch]$ | grep -v common/valgrind-private.h |
grep -v app/flatpak-polkit-agent-text-listener\\\.[ch]`
I ran it again with "g_autoptr" in place of "g_auto", and made a few
manual edits to add back the newline when the g_auto* was in the middle
of a function body rather than at the top.
Closes: #2715
Approved by: matthiasclasen
These services were not generating coverage data
because they always get ended by GDBus raising
SIGTERM when the bus goes away. Prevent this by
telling GDBus not to do that, and let the services
exit regularly, on their own terms.
This makes the system helper code show up in the
coverage statistics.
Closes: #2530
Approved by: matthiasclasen
The first argument of the Spawn portal call is the cwd
for the command to use inside the new sandbox. The portal
was mistakenly using it as cwd when running flatpak
on the host, which leads to errors. Fix this by
passing the cwd to flatpak via the new --cwdd option.
Closes: #2418
Closes: #2443
Approved by: alexlarsson
Portals need to validate all their arguments.
We were not validating flags at all, and were not
very careful with some of the other arguments
either.
Closes: #2439
Approved by: alexlarsson
A symbol from this (flatpak_portal_error_quark) was leaked to libflatpak
due to being marked FLATPAK_EXTERN, so to keep ABI we move it back.
Fixes https://github.com/flatpak/flatpak/issues/1613
Closes: #1616
Approved by: alexlarsson
This way we never get confused about which part of the argument
is the permission suffix, which could be exploitable if you can
control the --filesystem calls such as with sandboxed Spawns.
This listens to org.freedesktop.portal.Flatpak and lets flatpak
sandboxes do flatpak specific things.
Initially this only allows access to "Spawn", which lets you start a
new copy of the current or latest version of the calling app,
optionally with sandboxing.
This allows the app to re-start itself with the latest version after
an update, and the sandboxing is useful for apps that want to manually
sandbox part of themselves.
You can also expose one or more subdirectories of
~/.var/app/$appid/sandbox/ to the app, read-write or read-only. This is
useful to communicate with the sandbox.