Commit Graph

201 Commits

Author SHA1 Message Date
Philip Withnall
9c059def69 app: Port to libappstream
libappstream-glib is mostly unmaintained, and libappstream is more
actively developed (and up to date with the AppStream specification).

Port from libappstream-glib to libappstream. Handily, a lot of the APIs
are exactly the same. The main changes are:
 * `AsApp` → `AsComponent`
 * `AsStore` → `AsMetadata`

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

(Mostly done by Philip, then Phaedrus finished this)
2022-02-17 08:29:20 -06:00
Phaedrus Leeds
6f5bb3597e Change how automatic pinning is implemented
This commit re-works how we automatically "pin" runtimes that are
explicitly installed, to prevent them from being removed automatically.
In this implementation we do the update to the config as part of the
deploy, which has the following advantages:
(1) It ensures that there's never a confusing polkit prompt about
configuring the software installation when the user asked for a runtime
to be installed (https://github.com/flatpak/flatpak/issues/4200)
(2) It means we don't have to rely on the code on the error path of
flatpak_transaction_real_run() to un-pin the runtime in case something
went wrong with the installation, since we pin it almost atomically with
the deploy.

Fixes #4200
2021-11-15 11:10:27 -08:00
Simon McVittie
f508cf1767 system-helper: Move D-Bus names and paths to a header file
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-04-15 18:05:16 +02:00
Philip Withnall
0a07d2122b system-helper: Set interactivity on the FlatpakDir from D-Bus call flags
The system helper was already correctly using the `NO_INTERACTION` flag
in the D-Bus call flags to determine whether polkit calls from
`flatpak_authorize_method_handler()` should allow interactivity.

However, the system helper was not setting the no-interaction property
on the `FlatpakDir` used in the subsequent operation. When parental
controls are enabled, this sometimes results in polkit allowing
interaction when prompting for the `override-parental-controls` action,
even if the D-Bus call which activated the system helper specified the
`NO_INTERACTION` flag.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-04-06 10:18:45 +02:00
Alexander Larsson
49e8bfcea5 system-helper: Fix deploys of local remotes
For updates in remotes with a local (file:) uri we just do a deploy
with a LOCAL_PULL flag set and an empty arg_repo_path. However, our
arg_repo_path checking at some point seemed to stop properly handling
the case where it is empty. I got it to report "No such file" wich
broke the tests.
2021-03-19 10:59:04 +01:00
Alexander Larsson
b8d8e5bf04 Fix nonliteral string warning in flatpak_invocation_return_error()
We're only forwarding a format string, which we can tell gcc by
adding a G_GNUC_PRINTF marker.
2021-01-14 12:43:46 +01:00
Alexander Larsson
dad9a9c20d Pass AM_CFLAGS to system-helper build (for warnings) 2021-01-14 12:43:46 +01:00
Alexander Larsson
50ee8293cc Fix shadowed variable "error" 2021-01-14 12:43:46 +01:00
Simon McVittie
86dd000dd1 system-helper: Return G_DBUS_METHOD_INVOCATION_HANDLED where appropriate
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-12-09 08:34:19 +01:00
Alexander Larsson
5496c4e4ef appstream: Pull the right branch if the remote has a subset configured 2020-11-13 10:32:19 +01:00
Alexander Larsson
7ab62ac3fb decomposed: Convert some more FlatpakDir apis to FlatpakDecomposed 2020-11-10 14:32:13 +01:00
Alexander Larsson
674cc1a60a decomposed: Convert more FlatpakDir APIs to use FlatpakDecomposed 2020-11-10 14:32:13 +01:00
Alexander Larsson
c5b2c60609 decompose: Convert more FlatpakDir functions to use FlatpakDecomposed 2020-11-10 14:32:13 +01:00
Alexander Larsson
a3a2dcb2c5 decomposed: Remove _decomposed prefix on functions
We now converted most of these and removed the non-prefixed functions,
so rename them back.
2020-11-10 14:32:13 +01:00
Alexander Larsson
97767f1a69 decomposed: Pass decomposed to flatpak_dir_deploy_install/update 2020-11-10 14:32:13 +01:00
Alexander Larsson
d61721022d Change the last user of flatpak_dir_list_all_remote_refs to use _decomposed
This will let us remove the non-decomposed one.
2020-11-03 12:57:37 +01:00
Phaedrus Leeds
2486961014 system-helper: Check for errors getting installation
I don't think this error code path will really be hit in practice,
except perhaps for a maliciously crafted D-Bus message trying to get the
system helper to crash.
2020-11-02 09:23:49 +01:00
Phaedrus Leeds
c9cb2752ee system-helper: Make uninstall auth message friendlier
Currently when a polkit prompt is created for an app uninstallation, the
message is something like "Authentication is required to uninstall
app/us.zoom.Zoom/x86_64/stable" which is not very friendly for
non-technical users. Change it to "Authentication is required to
uninstall Zoom".

For many of the other polkit actions used by the system-helper, we just
say "software" rather than specifying the app/runtime, since we use the
authorization from one action for others via imply annotations, so the
user is really authorizing several things at once in some cases. In the
case of app-uninstall actions, the only implied action is
runtime-uninstall, and runtimes aren't something users should generally
have to worry about anyway, so it seems alright to specify the app. I
presume that was why commit 21f845c1a didn't remove the ref from the
app-uninstall action message.
2020-11-02 09:23:49 +01:00
Alexander Larsson
57954e2efc summary: Enable use of indexed summaries in the client
We first try to download the index, then fall back to the old format.
2020-10-29 15:30:35 +01:00
Matthew Leeds
d2d5397cc1 Add pin command to keep unused runtimes
As discussed here [1], we want a way to mark runtimes to be kept even
when they are unused by any apps and we are removing such runtimes.
Currently this is a command that can be run manually; a subsequent
commit will pin runtimes automatically if they are installed
independently of any app.

A unit test is included.

[1] https://github.com/flatpak/flatpak/issues/2639#issuecomment-662311756
2020-08-31 16:29:03 +02:00
Matthew Leeds
73644b00c9 system-helper: Support setting 'masked' config key
This fixes the following error when the "flatpak mask" command is used
with the system-helper: "error: Unsupported key: masked"
2020-08-10 15:25:55 +02:00
Matthew Leeds
9caf664fab Add systemd units to sideload from hotplugged USBs
Currently with the sideload implementation of offline updates you have
to manually create a symlink to your USB drive to sideload from it,
which is a regression compared to the previous implementation which
scanned all mounted filesystems in OstreeRepoFinderMount in libostree.
So this commit adds a few systemd units and a bash script so that any
time a USB drive is plugged in and automatically mounted by udisks, a
symlink to it is created in /run/flatpak/sideload-repos. When the drive
is unplugged the symlink is removed.

However this solution still has a lot of moving parts, so we may want to
instead have libflatpak use GVolumeMonitor and find the mounted
filesystems itself; see https://github.com/flatpak/flatpak/issues/3705

Fixes https://github.com/flatpak/flatpak/issues/3490
2020-06-23 09:37:10 +02:00
Alexander Larsson
b042abc71c oci: Handle io.github.containers.DeltaUrl in index
If the magical io.github.containers.DeltaUrl label is set in the
index, then try to download this to use as the delta manifest for the
image. This allows servers to store deltas outside the registry
itself. The label is propagated to the xa.delta-url metadata in the
generated "fake summary" for the remote, and read back on pull.

Note that the delta manifest layers descriptor will need to have a
"urls" key where it references the blobs if the blobs are also not
stored on the registry.

If the specified manifest doesn't exist or doesn't apply to the target
image we fall back to resolving via the _deltaindex tag.
2020-06-05 09:35:30 +02:00
Alexander Larsson
47daa077c2 OCI: Support (and use) alternative urls specified in OCI descriptors 2020-06-05 09:35:30 +02:00
Alexander Larsson
0fce4c6d7f oci: Pass FlatpakPullFlags to pull_from_oci()
We want to handle FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS
2020-06-05 09:35:30 +02:00
Valentin David
4df019063b Add sysusers.d configuration file
This will make systemd create the system-helper user if it is missing.
2020-04-23 09:58:34 +02:00
Alexander Larsson
b28271bb5e Merge pull request #3498 from alexlarsson/use-symlinks-for-sideload-config
Use symlinks instead of xa.sideload-repos config option
2020-03-30 16:03:54 +02:00
Alexander Larsson
4ef12c5bc9 FlatpakProgress: No need to allocate FlatpakMainContext
We store it on the stack instead and free with
G_DEFINE_AUTO_CLEANUP_CLEAR_FUNC.
2020-03-27 14:44:00 +01:00
Abderrahim Kitouni
192d31d315 Add a FlatpakProgress object
To avoid the complexities of passing (and chaining) OstreeAsyncProgress
objects around, we only create one just before calling to ostree.
The rest of flatpak only ever uses the new FlatpakProgress object.

Co-authored by: Philip Chimento <philip@endlessm.com>
2020-03-26 21:09:19 +01:00
Alexander Larsson
76be5db46d Revert "config: Support setting sideload-repos option"
This reverts commit 1d1819840e.
2020-03-26 10:10:45 +01:00
Alexander Larsson
9208913664 Migrate config: Always enable gpg-verify-summary if collection id is set
This used to not be set for collection-id remotes as we used the
ostree-metadata branch for resolving. However, we now use the summary
always when doing a remote install (and not ostree-metadata for local
sideloads), so we still want to verify summary.

The signature on the summary is a nice security feature, but it is also
a very efficient small file to download to verify that no new summary
needs to be downloaded in the no-op update case.
2020-03-23 17:58:04 +01:00
Alexander Larsson
1d1819840e config: Support setting sideload-repos option 2020-03-23 17:58:04 +01:00
Alexander Larsson
124b0be92e Drop more collection_id use
Most code that looks for a regular collection id set on the remote is
removed, as these should never happen in flatpak repo setups now.

Some is replaces with looking at xa.sideload-collection-id:
 * The libflatpak FlatpakRef::collection-id property now comes comes from the sideload id
 * Various CLI commands showing or changing the collection-id for a remote now uses the sideload id
 * Collection id deploy in update now sets the sideload-collection-id instead
 * Setting the collection id for a remote in libflatpak now sets the sideload id

Additionally we now delete the code that allows unsigned summaries
when there is a collection id (because there is none).

create-usb now uses the sideload id as as collection id source when exporting.

The direct repo operations (export, bundle, commit-from) still support
collection ids, because on the server we do want to set it so that we
can sideload.
2020-03-23 17:58:04 +01:00
Alexander Larsson
336a127f55 Support sideloaded repos
This adds a xa.sideload-collection-id option to the remote
configuration and a global xa.sideload-repos option (which is a list
of paths to local repos).

When resolving or listing refs, if we fail to download the real remote
summary (i.e. we're offline) then we instead look into the configured
sideloaded repos for refs that match ref and the sideloaded collection
id for the remote.

For the transaction to resolve the ref we need more metadata. In the
regular summary case we use the metadata from the summary, but that
is not available in the (partial) summary in the sideload repo, so
there we load the actual commit object and use the data from there.
(The ostree-metadata branch is not used/needed.)

This actually also fixes a longstanding issue when you "flatpak update
--checksum=XYZ" because we now handle this correctly by downloading
the commit object from the remote. Before we used the metadata in the
summary which is not right for non-HEAD commits.

To handle the sideloading we record the path to the sideload repo
when sideloading and pass the url to the repo as the remote name
when pulling, which will do a direct local pull.

We avoid using sideloaded refs when offline if the timestamp in the
commits is older than what is already installed locally.
2020-03-23 17:58:04 +01:00
Alexander Larsson
116a8b8487 transaction: Ensure the metadata in the pulled commit matches what we resolved
We're using the metadata from the summary, ostree-metadata or available
commit when making security sensitive decisions, so lets verify this
matches what we get in the actual commit we pulled.

We already did check that this then actually also matches what gets deployed,
so the new check shares code with that.

Note, we don't do this for OCI installs, because it seems the current
fedora flatpaks don't have this set, and we don't want to break
existing remotes.
2020-03-23 17:58:04 +01:00
Alexander Larsson
7c4fd8891e Convert deploy data to use variant schemas 2020-02-17 16:10:50 +01:00
Alexander Larsson
087ba2d23f system-helper: Support -vv and --ostree-verbose 2020-02-13 14:47:00 +01:00
Alexander Larsson
30636a508d system-helper: Change debug prefix from F to FH
This makes it easier to see what message comes from where.
2020-02-13 14:47:00 +01:00
Alexander Larsson
c322cbdbb6 Add and use OstreeAsyncProgressFinish helper
This is a g_autoptr version of OstreeAsyncProgress that also
calls ostree_async_progress_finish() before being freed.

This should be used in all "leaf" functions that creates an asyncprogress
to avoid leaking any idle change idle sources. Using a auto* means
some code can be cleaned up to avoid goto out style handling for this.

Also, this adds a missing finish() in
_flatpak_dir_fetch_remote_state_metadata_branch().
2019-12-17 14:55:13 +01:00
Philip Chimento
0da49895ab Alphabetize and standardize some header includes
Cleanup commit, doesn't change functionality, but we'll be adding some
files to these lists in a subsequent commit.
2019-12-06 13:26:49 -08:00
Alexander Larsson
86ccfd9b99 Add support for bearer tokens to flatpak_dir_install/update
Anything passed in here will be added as a bearer token for all http
requests in the operation.
2019-11-26 16:37:01 +01:00
Matthew Leeds
eabc52456a Clean up duplicated mirror refs
Due to bug #3215 some systems have refs in refs/mirrors/ in addition to
the usual refs/remotes/ location. The remote refs are always at least as
new as the mirror ones since the repo_pull() invocation in
flatpak_dir_pull() which does not use OSTREE_PULL_FLAGS_MIRROR happened
after the one that did. Cleaning up these mirror refs is important since
otherwise when the remote ref is either updated or removed (by an
uninstall) disk space will be leaked since the mirror ref will point to
a no longer needed commit.

So, remove (almost) all mirror refs during flatpak repair, uninstall,
or update operations. And for the uninstall and update operations do it
in FlatpakDir so that it happens regardless of if the CLI of libflatpak
are used.

Also, add a unit test for this.

Fixes https://github.com/flatpak/flatpak/issues/3222
2019-11-20 13:17:27 +01:00
Will Thompson
8bdb2fa004 system-helper: fix busyloop in revokefs writer process
After an unprivileged client calls GetRevokefsFd(), the `revokefs-fuse
--backend` process busyloops as follows:

    poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}], 2, -1) = 1 ([{fd=4, revents=POLLIN}])

Here is the command line for this process:

    revokefs-fuse --backend --socket=3 --exit-with-fd=4 /var/lib/flatpak/repo/tmp/flatpak-cache-JBUHB0

The intention here is to poll() until fd 3 is readable (at which
point the writer process serves a client request and writes back a
response, synchronously) or fd 4 encounters an error. fd 4 is meant to
be one side of a pipe that the system helper holds the other end of;
when the pipe is broken, the system helper must have gone away, and the
`revokefs-fuse --backend` process treats this as a signal to exit.

However, fd 4 is not a pipe. In fact, it is the dirfd for the target directory:

    root@camille:/var/roothome# ls -l /proc/31717/fd
    total 0
    lr-x------ 1 wjt wjt 64 Nov 19 21:21 0 -> /dev/null
    lrwx------ 1 wjt wjt 64 Nov 19 21:21 1 -> /dev/pts/1
    lrwx------ 1 wjt wjt 64 Nov 19 21:21 2 -> /dev/pts/1
    lrwx------ 1 wjt wjt 64 Nov 19 21:21 3 -> 'socket:[2558007]'
    lr-x------ 1 wjt wjt 64 Nov 19 21:21 4 -> /var/lib/flatpak/repo/tmp/flatpak-cache-JBUHB0

This is because revokefs_fuse_backend_child_setup() erroneously closes
fd 4 before the `revokefs-fuse --backend` process is exec()d. This
regressed in d91660fe2a.

Fix this by only closing fds 5 and above. With this change, we see the
expected set of open file descriptors:

    root@camille:/var/roothome# ls -l /proc/32493/fd
    total 0
    lr-x------ 1 wjt wjt 64 Nov 19 21:24 0 -> /dev/null
    lrwx------ 1 wjt wjt 64 Nov 19 21:24 1 -> /dev/pts/1
    lrwx------ 1 wjt wjt 64 Nov 19 21:24 2 -> /dev/pts/1
    lrwx------ 1 wjt wjt 64 Nov 19 21:24 3 -> 'socket:[2552594]'
    lr-x------ 1 wjt wjt 64 Nov 19 21:24 4 -> 'pipe:[2552596]'
    lr-x------ 1 wjt wjt 64 Nov 19 21:24 5 -> /var/lib/flatpak/repo/tmp/flatpak-cache-JBUHB0

Fixes #2882.
2019-11-19 21:34:38 +00:00
Philip Withnall
7c9d609399 system-helper: Tweak documentation for parental controls
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-03 13:54:37 +02:00
Philip Withnall
9758968cc4 dir: Support filtering app installs/upgrades by user’s OARS settings
Use the user’s OARS filter to prevent installation or upgrade of
apps which have more extreme content than the user is allowed to see.

This uses libmalcontent to load the user’s enforced OARS filter, which
describes the extremeness of each type of content the user is allowed to
see. If an app they are trying to install exceeds the filter value in
any OARS section, installation is disallowed and an error is returned.

libmalcontent stores the parental controls policy per-user in
accountsservice, which enforces access control on the policies.

The app filter is also allowed to prevent app installation entirely,
which overrides the OARS values. This is independent from the app-install
polkit action, which determines whether an unprivileged user may install
an app system-wide. Being stored in accountsservice, the new boolean is
also easier to set per-user without having to programmatically write a
polkit JS policy file which handles multiple users (and parse it back
again).

The parental controls checks are done at deploy time, either in the
`flatpak` process (for user repositories) or in the
`flatpak-system-helper` (for system repositories). The checks use
content rating data extracted from the app’s AppData XML and stored in
the `FlatpakDeploy` cache. The checks are passed through polkit (even
for user repositories) so that users can get an admin override to
install apps which would otherwise be too extreme. This uses the new
`org.freedesktop.Flatpak.parental-controls` polkit rule.

The checks have to be done at deploy time, as that’s when the AppData
XML for the app is parsed. The downside of this arrangement is that an
app must be entirely downloaded before the parental checks can be done.
This won’t be much of an issue on normal desktops, however, since we can
assume that gnome-software will check an app’s appropriateness before
showing it to the user in the first place.

Parental controls are not enforced for non-apps/runtimes, which includes
the ostree-metadata and appstream/* refs.

One thorny issue is that flatpak unit tests may be run in an environment
with no system D-Bus available to connect to (a Jenkins instance, for
example), which means the call to `mct_manager_get_app_filter()` in
`flatpak_dir_check_parental_controls()` fails.

So this commit skips the parental controls check if the system bus is
unavailable and the environment variable
`FLATPAK_SYSTEM_HELPER_ON_SESSION` is set, since the testlibrary already
sets that variable so that the system-helper will be started on the
session bus.

The feature can be tested using something like:
```
   $ malcontent-client set philip \
       violence-realistic=none app/org.freedesktop.Bustle/x86_64/stable
   App filter for user 1000 set
   $ flatpak run org.freedesktop.Bustle
   error: Running app/org.freedesktop.Bustle/x86_64/stable is not allowed by the policy set by your administrator
   $ flatpak --user install flathub io.github.FreeDM
   error: Failed to install io.github.FreeDM: Installing app/io.github.FreeDM/x86_64/stable is not allowed by the policy set by your administrator
```

Includes work by André Magalhães and Umang Jain.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-03 10:42:04 +02:00
Alexander Larsson
d91660fe2a Work around deadlocks in g_spawn by manually clo-exec:ing fds
As per https://gitlab.gnome.org/GNOME/glib/merge_requests/490
there is a bug in glib < 2.60 where g_spawn_* can sometimes deadlock
due to using malloc in the child func to close fds.

We work around this in places where the code is (potentially) threaded
by passing glib flags to leave fds alone and then do a very naive
(but safe) fd cloexec loop ourselves.
2019-09-30 12:15:36 +02:00
Matthew Leeds
d647bc105e installation: Make fetching remote refs work offline
Currently flatpak_installation_fetch_remote_ref_sync() does not work
offline. It returns an error when it fails to fetch the remote's summary
in flatpak_dir_get_remote_state(). This is a problem since GNOME
Software (or at least the Endless fork) uses this library function to
display apps it finds on a USB drive (see gs_plugin_refine_item_origin()
in gs-flatpak.c) and that's something that should work even offline.

So this commit changes flatpak_dir_get_remote_state_optional() so that
it accepts the only_cached option, and updates the call sites. Also have
fetch_remote_ref_sync() use flatpak_dir_get_remote_state_optional(),
which means that when we're offline we will use the xa.cache data in the
ostree-metadata ref as a list of refs list instead of using a summary.
However since the commit checksums are not in xa.cache, we don't have
enough information to form a FlatpakRemoteRef. So also call
ostree_repo_find_remotes_async() to get the commit from any LAN or USB
sources that may be available. This may not be very performant but at
least it only happens if the ref wasn't found in a remote summary; see
https://github.com/flatpak/flatpak/issues/1862

It's sad this code is so long-winded but it's difficult to break out a
helper function that could be shared with
list_remotes_for_configured_remote() above. Longer term we could improve
the ostree_repo_find_remotes_async() API and add options to remove the
need to manually handle OstreeRepoFinder objects.

Closes: #3114
Approved by: alexlarsson
2019-09-19 15:20:15 +00:00
Matthew Leeds
13279af129 Merge pull request #3058 from mazen-asef/add_default_languages_key
Add extra-languages config key
2019-09-13 13:19:08 -07:00
Mazen Asef
a0666034db app: Add new extra-languages key
If xa.languages is set, use these, and no others. Otherwise, take the union
of xa.extra-languages, and the system default locales for system repos;
xa.extra-languages for user repo and the langs based on the user's locale

Fixes https://github.com/flatpak/flatpak/issues/3043
2019-09-13 15:31:14 -03:00
Alexander Larsson
58d9a257aa OCI: Use labels as commit metadata source as well as annotations
We now pull the image config as well as the manifest and fall
back on the labels field if the keys we're looking for are not
in the annotations field.

This lets us support docker manifests too, which don't have
annotations (but do have labels).

Closes: #2978
Approved by: alexlarsson
2019-09-06 12:49:40 +00:00