Commit Graph

6713 Commits

Author SHA1 Message Date
Phaedrus Leeds
07e8ceefe1 Update NEWS for release 2022-02-21 16:53:11 -08:00
Simon McVittie
841429b1f6 test-history: Skip test if we cannot read from the Journal
In some OS configurations, unprivileged users cannot read back messages
that they have written to the system log. This test cannot succeed if that
happens, so skip it.

In particular, if the Journal is only in-memory rather than persisted
to disk (as it was by default in Debian 10), then there are no per-user
Journal files, only a single system-wide Journal which requires privileges
to read.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 8b05f6b3 "Add a unit test for the history command"
(cherry picked from commit 0deb80efa8)
2022-02-21 16:44:44 -06:00
Phaedrus Leeds
0956357de1 dir: Add some precondition checks to repo_pull()
(cherry picked from commit af04ea669a)
2022-02-21 16:44:44 -06:00
Phaedrus Leeds
2700b43210 dir: Work around libostree partial pull bug
All the details of the bug are in:
https://github.com/ostreedev/ostree/pull/2549
https://github.com/flatpak/flatpak/issues/3479

This patch works around it by marking the commit we're about to pull
partial, so that if the .commit object exists in a staging directory
from a previous failed pull, it will not be erroneously considered a
complete commit, even by affected versions of libostree that don't have
the above patch. If for some reason the commit in the staging dir is
complete, libostree should harmlessly verify that and pull it in.

Usually the commit we are pulling does not already exist in the local
repo, but add a check anyway so we don't risk marking a complete commit
as partial, and so this works on the code path from
"flatpak install --reinstall ..."

Fixes #3479

(cherry picked from commit 11158c2481)
2022-02-21 16:44:44 -06:00
Phaedrus Leeds
4afbd893d0 dir: Fix inaccurate nullable annotation
(cherry picked from commit 9de49e6dad)
2022-02-21 16:44:44 -06:00
Patrick Griffis
03ae8f28b5 Fix reliability of detecting GTK theme
Looking up the schema recursively fixes false negatives.

(cherry picked from commit 361ec3bc8c)
2022-02-21 16:44:44 -06:00
Matheus Barbosa
48ce81adaa Update Brazilian Portuguese translation
Signed-off-by: Rafael Fontenelle <rffontenelle@gmail.com>
2022-02-16 14:37:55 +00:00
Simon McVittie
a8765b14eb NEWS: Improve release notes for 1.12.5
- Fix a typo
- Add some bug numbers
2022-02-13 11:04:40 +00:00
Alexander Larsson
42b9bb578f Update pofiles 1.12.5 2022-02-11 17:51:09 +01:00
Alexander Larsson
0bcfcffa7e Bump version to 1.12.5 2022-02-11 16:20:49 +01:00
Alexander Larsson
72b16394e6 Update NEWS for release 2022-02-11 16:20:40 +01:00
Alexander Larsson
4050c810f6 appstream deploy: Delete old tmpfiles
Due to previous bugs we were leaving a lot of temp files around
in the appstream deploy dirs, which could add up to using a lot of
space. So, lets find and delete these on updates.

This check only happens on a successful update to a new appstream,
which isn't that often, so the cost of this check is unlikely to be a
problem.

(cherry picked from commit d4a9f3ba23)
2022-02-11 16:18:19 +01:00
Alexander Larsson
66f3cc462c appstream deploy: Clean up temporary files on error
If during appstream deploy there is an error, the temporary files were
not deleted, resulting in leaked files in /var/lib/flatpak/appstream.
Over time these could add up to a significant size. In particular this
happes if several deploys happen in parallel, because then the final
move into place will fail with EEXIST.

This fixes the cleanup of both the temporary directory and the temporary
link on any error.

Fixes https://github.com/flatpak/flatpak/issues/4735

(cherry picked from commit 61f9297cbc)
2022-02-11 16:18:19 +01:00
Bastien Nocera
dcd79527a1 run: Don't propagate GStreamer variables to the sandbox
Trying to run sandboxed GStreamer applications from within jhbuild, for
example, would make those applications fail to find their plugins.

$ LANG=C flatpak run org.gnome.Totem.Devel
** (totem:2): WARNING **: 19:32:06.406: Element 'gtkglsink' is missing, verify your installation
** (totem:2): WARNING **: 19:32:06.406: Element 'glsinkbin' is missing, verify your installation

Don't propagate those GStreamer environment variables to within the
sandbox to avoid that problem.

See https://gitlab.gnome.org/GNOME/totem/-/issues/504

(cherry picked from commit 4470bf1425)
2022-02-11 16:18:19 +01:00
Simon McVittie
8feef258f0 Update changelog so far
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-09 16:43:40 +00:00
Simon McVittie
62cc8a4717 NEWS: Correct release date for 1.12.4 2022-02-09 16:33:03 +00:00
Phaedrus Leeds
6c57af648b test-history.sh: Fix flakiness by moving sleep
The history test fails sometimes in the CI due to the remote add
operation being missing from the history command's output:

+ diff history-log -
0a1
> add remote			system (history-installation)	test-repo

Presumably this is due to that operation happening in the same second
that is passed to --since, so move the sleep statement to make sure a
second passes before we do anything.
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
0a4491aed7 app: Don't use polkit agent in history command
There's no need to use polkit in the history command, so don't start the
agent in flatpak-main.c. This means we can avoid a test failure in
test-history.sh which was caused by old versions of valgrind being
unaware of syscall sched_getattr, which is used in g_bus_get_sync(),
itself called by install_polkit_agent().

(cherry picked from commit dd9fe19066)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
3e1f661654 Add a unit test for the history command
(cherry picked from commit 1b6de2518b)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
77303bd41d history: Fix exclusion of temp repos
Without this change there are history entries showing pulls into
temporary repos which we don't want.

(cherry picked from commit e18df8379a)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
2cfce0f1fd history: Omit entries for appstream refs
Currently we include entries in the output of the history command for
pulls of appstream refs, e.g. "appstream2/x86_64". However since they
don't have an application ID the Application column shows up blank and
it seems like a pull of nothing which is confusing. These are basically
an implementation detail like the temp repo pulls we already exclude, so
I think it makes sense to exclude them from the output.

It would also make sense to exclude pulls of ostree-metadata refs, but
for some reason I don't see those in practice, even with a collection ID
set on the remote.

(cherry picked from commit fbad9641b7)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
4b37f88c68 history: Fix printing refs
The history command seems to have been broken since it was changed to
use FlatpakDecomposed, since that type only works for app or runtime
refs, resulting in errors such as:
$ flatpak history
error: appstream2/x86_64 is not application or runtime

Fix this by making the logic a bit smarter, and don't let any one
invalid ref entry prevent the whole command from working.

Fixes #4332
(cherry picked from commit e44b54856e)
2022-02-08 10:12:24 -08:00
Piotr Drąg
1810377649 Update Polish translation 2022-02-05 09:05:49 -08:00
Phaedrus Leeds
786f64dc5b dir: Fix typo of bundle
(cherry picked from commit a626003d6d)
2022-01-19 12:52:13 +00:00
Simon McVittie
103ed5c02c Regenerate translation files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
1.12.4
2022-01-18 17:38:36 +00:00
Simon McVittie
d19ed758f9 Release v1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 17:34:01 +00:00
Simon McVittie
617494c63f NEWS: Describe what is intended to appear in 1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
61927c7af7 NEWS: Mention CVE-2022-21682
At the time we wrote the NEWS for 1.12.3, this CVE ID had not yet been
issued.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
f9ce3433e0 test-override: Exercise --nofilesystem=host:reset
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 4aa70d2d72)
2022-01-18 16:35:28 +00:00
Simon McVittie
a16efca8ec test-context: Exercise some corner cases for merging filesystems
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit fab0f8ed7c)
2022-01-18 16:35:28 +00:00
Simon McVittie
0e2e9a5583 test-exports: Exercise host:reset and related filesystem tokens
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit f3d12dc793)
2022-01-18 16:35:28 +00:00
Simon McVittie
4eb3c2addd context: Introduce new --nofilesystem=host:reset
This reintroduces the special case that existed in Flatpak 1.12.3, but
under a different name, so that it will be backwards-compatible. With
this change, flatpak-builder will be able to resolve CVE-2022-21682 by
using --filesystem=host:reset.

We want to implement this as a suffix rather than as a new keyword,
because unknown suffixes are ignored with a warning, rather than causing
a fatal error. This means that the new version of flatpak-builder will
be able to run against older versions of flatpak: it will still be
vulnerable to CVE-2022-21682 in that situation, but at least it will run.

Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 5709f1aaed)
2022-01-18 16:35:28 +00:00
Simon McVittie
47247b0987 test-override: Assert that --nofilesystem with suffix yields a warning
This was added as part of implementing the :reset suffix.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ab0169ee39)
2022-01-18 16:35:28 +00:00
Simon McVittie
ecaabf5e9d test-override: Assert pre-1.12.3 behaviour of --nofilesystem=home, host
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 813e1f0b3b)
2022-01-18 16:35:28 +00:00
Simon McVittie
4a93202fc8 run, override: Clarify the effect of --nofilesystem
There are two reasonable interpretations for --nofilesystem=home:
either it revokes a previous --filesystem=home (as in Flatpak 1.12.2 and
older versions), or it completely forbids access to the home directory
(as in Flatpak 1.12.3). Clarify the man pages to indicate that it only
revokes a previous --filesystem=home. This will hopefully reduce
mismatches between the design and what users expect to happen, as
in flatpak#4654.

A subsequent commit will introduce a way to get the Flatpak 1.12.3
behaviour in a way that is more backwards-compatible with Flatpak 1.12.2
and older versions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7bbeed2b87)
2022-01-18 16:35:28 +00:00
Simon McVittie
a4291cd8e0 Revert "Make --nofilesystem=host/home remove access to subdirs of those"
This caused regressions for some previously-working use cases. For
example, some Flatpak users previously used a global
`flatpak override --nofilesystem=home` or
`flatpak override --nofilesystem=host`, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With
the changes in 1.12.3, this no longer has the desired result, because
`--nofilesystem=home` was special-cased to disallow inheriting the
finer-grained `--filesystem`.

This reverts commit 445bddeee6.

This reverts the initial solution to CVE-2022-21682, which we intend to
resolve differently, by introducing a new feature in Flatpak and making
use of it in a new flatpak-builder version.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 917a7f5870)
2022-01-18 16:35:28 +00:00
Simon McVittie
59dc5f783e Revert "manpages: Document the new details of --nofilesystem behaviour."
The new behaviour caused regressions in some situations that previously
worked, and will be reverted.

This reverts commit 4d11f77aa7.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit dfe868d628)
2022-01-18 16:35:28 +00:00
Simon McVittie
5dc5b1bb07 test-override: Assert that unimplemented suffix is ignored with a warning
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 8a44df04c8)
2022-01-17 16:03:25 +00:00
Simon McVittie
9bb041f457 test-override: Assert that only the expected term is negated
We weren't distinguishing here between overrides that should have been
negated (xdg-documents) and overrides that should not have been negated
(everything else).

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4e3d1d8b7b)
2022-01-17 16:03:25 +00:00
Simon McVittie
6780cbdcb7 Don't rely on AS_BUNDLE_KIND_FLATPAK existing
The appstream-glib in Ubuntu 16.04 didn't have this.

Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 97db30f38d)
2022-01-13 09:35:05 +00:00
Alexander Larsson
38621b439e Fix 1.12.3 version reference in NEWS 2022-01-12 19:59:36 +01:00
Alexander Larsson
e528dcf196 Update pofiles for release 1.12.3 2022-01-12 13:13:24 +01:00
Alexander Larsson
08cf080287 Update NEWS for 1.12.3 2022-01-12 12:42:33 +01:00
Alexander Larsson
8573fdc54f Bump version to 1.12.3 2022-01-12 11:53:58 +01:00
Alexander Larsson
dfa079604c manpages: Document the new details of --nofilesystem behaviour.
(cherry picked from commit da3e12b319094158c2afa3df380bc45a7626928c)
2022-01-12 11:53:14 +01:00
Alexander Larsson
d36382dd4d Make --nofilesystem=host/home remove access to subdirs of those
Previously --nofilesystem=host only removed specifically access to the
`host` permissions, and not necessarily other filesystems (like `home`
or `/some/path`). This isn't very useful to limit access because you
don't know what other filesystems the app may have access too.

We change this to mean that `--nofilesystem=host` removes *all* filesystem
access from the parent layer, and `--nofilesystem=home` removes all
file access to the homedir and paths inside it.

The available layers are, in order:

 * app permissions
 * overrides
 * commandline args

This allows you to start from scratch with the filesystem permissions
in the overrides or the commandline. This is a small change in
behaviour, but not a lot of things use --nofilesystem, and the ones
that do probably expects this behaviour.

(cherry picked from commit e2c8863fb62301cb05c64bbb32b04446e88ce11a)
2022-01-12 11:53:08 +01:00
Phaedrus Leeds
b0e0bba79a Add test for metadata validation
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.

(cherry picked from commit 2c2ce58c54b3e6c62f9c21c15efa0ba22f4bc09b)
2022-01-12 11:52:39 +01:00
Alexander Larsson
426aac432b Ensure that bundles have metadata on install
If we have a bundle without metadata we wouldn't properly present
the permissions in the transaction.

(cherry picked from commit b250541302187ff2209b0bb1295e8223d0af860f)
2022-01-12 11:52:34 +01:00
Alexander Larsson
e9455b7a7f Require metadata in commit also for OCI remotes
This was disables a long time ago because the fedora remotes didn't
contain metadata, but that has been added since then. Requiring fixes
a security concern where an app claims to require no permissions (by
having no metadata in commit) but then actually requires permissions
in the installed app.

(cherry picked from commit f0f3a35f404b5bd533186095db055f8b3d135576)
2022-01-12 11:52:28 +01:00
Alexander Larsson
927c2b0318 Transaction: Fail the resolve if xa.metadata invalid or missing
If we fail to parse xa.metadata from the summary cache or the commit
xa.metadata we fail the resolve.

If xa.metadata is missing in the commit we fail the resolve (it is
always set in the summary cache, because summary update converts
missing xa.metadata to "", so we either get that, or cache miss which
leads to resolving from the commit.

This means that op->resolved_metadata is always set during install and
updates, which means we will show the app permissions. The transaction
will also always make sure that this data actually matches what gets
deployed.

Before this change an invalid metadata in the summary cache could lead
to a NULL resolved_metadata, which means we wouldn't print the app
permissions, yet we would still deploy some metadata file that could
have permissions. (NOTE: It would fail to deploy unless the
xa.metadata in the commit matched the metadata file, but in this
corner case we would't compare the summary and commit metadata, so
they may differ.)

(cherry picked from commit 5036bca4214d5b77e884dec42e36496a06e74081)
2022-01-12 11:52:21 +01:00