Commit Graph

255 Commits

Author SHA1 Message Date
Philip Withnall
36c8fdb4a4 common/dir: Support updating collection-id from remote configuration
To allow staged deployment of collection-ID-based repositories,
introduce the code to update a local repository configuration to add a
collection ID to it, based on updated metadata from the remote (as is
currently supported for other configuration keys).

As a security measure, this only allows updating the collection ID from
an empty to a non-empty value. We do not allow collection IDs to be
renamed (or a malicious repository owner could bypass the user’s manual
verification of the collection ID by changing it after the user has
configured an unrelated remote).

The idea is that most repositories should remain without collection IDs
for now, and use this mechanism to set their collection IDs in future,
once the functionality is more stable.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
d3f1dccae2 common/dir: Drop an unnecessary wrapper function
This introduces no functional changes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
e972201061 common/dir: Propagate errors from invalid configurations
Rather than silently ignoring them. Note that invalid configurations
are distinct from missing configuration keys.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
358e204fb3 common/dir: Handle NULL out parameter correctly when getting config
ostree_repo_get_remote_option() requires the out parameter to be
non-NULL.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
bc0f90764e common/dir: Fix error handling for flatpak_dir_lookup_repo_metadata()
It can return FALSE with an error set, or FALSE without one set, which
indicates the key was not found.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
bc46274ae4 common/dir: Verify commit bindings when pulling from an untrusted repo
When pulling from a local, untrusted repo (i.e. one which the user
downloaded into, and we want to pull into the trusted system repo),
verify the collection ID and ref bindings in the commit metadata for
each commit.

This is something which is normally done by libostree, but since we’re
rewriting the commit manually, we’re bypassing that part of the pull()
code path.

This is an inlined version of the check from verify_bindings() in
libostree.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
c4819af5a0 common: Support collection IDs for related refs and extensions
Add support for collection IDs to the code which finds and pulls
related refs and other extensions.

Currently, related refs must have the same collection ID as the parent
ref — this is the most likely scenario anyway. In future, it should be
possible to extend the code to support pulling related refs from other
collections.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
b9986a7979 common/dir: Add some FIXMEs for future improvements to collections
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
e9765b82cf common/dir: Remove an unused method
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
2143e5984a common/dir: Factor out a helper function to get a remote’s collection ID
We need to consistently handle the case where the collection ID is set
to the empty string (and treat it the same as if it were unset). Best
done in a helper function.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
024d835460 common: Support unsigned summary files and separate repo metadata
In order to eliminate some race conditions around updating the
summary{,.sig} file on the server, and to decouple signing the summary
from signing commits, and to support peer to peer mirrors of content
from multiple upstream collections: add support for unsigned summary
files.

This relaxes the requirement for gpg-verify-summary=true iff
collection-id is set in a remote’s local configuration. It depends on
some pending libostree changes to verify the ref for each commit using
the commit’s signed metadata. See
https://github.com/ostreedev/ostree/issues/983.

Metadata storage has moved from the summary file to a new
ostree-metadata well-known branch on each repository, since this can be
signed for each update and for each collection separately. If the
collection-id is set in a remote’s local configuration, flatpak will
retrieve all repository metadata from this branch rather than from the
summary file. If collection-id is unset, it will ignore this branch and
continue to use the summary file, which will continue to be updated (and
externally signed as summary.sig) for backwards compatibility.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
ae7d960372 common: Support collection IDs in flatpak{ref,repo} and bundle files
These are loaded from the ref/repo/bundle metadata and added to the new
remote configuration.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
30a5cf8136 common: Support collections in check_for_updates() and forward the results
Search for updates on peer to peer sources as well as the internet in
check_for_updates(), and pass the resulting OstreeRepoFinderResult array
to the pull() calls, so a consistent set of checksums are pulled.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
0d6455aa5f common/dir: Support new experimental libostree API for finding remotes
This adds support in flatpak-dir.c for using the new libostree API for
finding remotes dynamically for a given set of refs, if flatpak is
configured with --enable-p2p.

The new code paths are only taken if the repository is configured with
a collection ID set.

These changes by themselves aren’t sufficient for full P2P support, as
all the infrastructure for downloading summary files and finding refs
needs to be modified in the following commits.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-18 14:23:03 +02:00
Philip Withnall
cd2a555675 common/dir: Clarify the nullability of some variables
flatpak_decompose_ref() can fail, but in this situation we know it won’t
since find_matching_refs() checks it for us and hence guarantees that it
only returns decomposable refs. Add some assertions to make this clearer
and to shut Coverity up.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-15 12:28:28 +01:00
Philip Withnall
c157719616 common/dir: Avoid a potential NULL pointer dereference
Everywhere else that index->manifests is used, it’s checked for being
NULL beforehand, which probably means that, sometimes, it might be NULL.
Let’s check that here too.

Coverity issue: 1452432

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-08-15 12:27:28 +01:00
Matthias Clasen
2082b50871 Merge pull request #910 from matthiasclasen/language-config
Allow setting the locale subpaths in repo config
2017-08-04 01:57:06 +01:00
Matthias Clasen
ed08538f92 Merge pull request #900 from pwithnall/lan-and-usb-preparation
LAN/USB preparation refactoring
2017-07-08 20:54:28 -04:00
Matthias Clasen
0d633babac Only do locale subsetting in per-user installs
If xa.languages is not explicitly set, only use the current locale
if we are installing something per-user. For system-wide installs,
default to installing all locales.
2017-07-08 14:02:00 -04:00
Matthias Clasen
3874a29d74 Allow setting the locale subpaths in repo config
Read an xa.languages key from the [core] section of
the repo config to determine which subpaths to install
for Locales. This lets us maintain a list of system
languages without inventing a new file in /etc, and
will also work for alternative install locations.
2017-07-07 23:32:50 -04:00
Philip Withnall
81301f0ef4 general: Remove trailing \n from GLib log messages
The GLib logging framework automatically appends a \n to messages, so it
doesn’t need to be added by callers.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-07-07 17:18:24 +01:00
Simon McVittie
489bfddfb3 common: Add and use constants for flatpak-metadata(5) groups and keys
This makes it easier to avoid typos, and also makes it easier to see
what groups and keys are in use. In the header file, they are
clustered according to the group in which the keys are used.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2017-07-07 16:06:21 +01:00
Philip Withnall
7d286a6dce common/dir: Move progress reporting setup higher in flatpak_dir_pull()
This will slightly simplify some later refactoring. It makes no real
difference to the function’s behaviour at the moment.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-07-06 14:41:01 +01:00
Philip Withnall
c6011083a2 common/dir: Drop unused variable
This was accidentally introduced in a8ad3927 in advance of the LAN/USB
changes from PR #884 which will actually use it.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-07-04 13:43:26 +01:00
Philip Withnall
55ca5a9662 common/dir: Factor out body of update_remote_configuration_for_summary()
This will make it easier to add another version in upcoming commits
which gets the updated configuration from another source (an
ostree-metadata branch).

This commit introduces no functional changes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-30 16:06:50 +02:00
Philip Withnall
07607e3e00 common/dir: Factor out common code to get and load the summary file
There was already a convenience method for this,
fetch_remote_summary_file(), but it wasn’t used uniformly throughout the
file. This introduces no functional changes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-30 16:06:50 +02:00
Philip Withnall
a8ad392750 common/dir: Factor out common code for getting repo metadata
There are several places which query keys in the metadata in the summary
file. Factor out a common function to do that, and write it in such a
way that it could be extended to read the metadata from somewhere else
in future (the plan being that metadata will move to an ostree-metadata
branch rather than the summary file).

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-30 16:06:50 +02:00
Philip Withnall
c0837b8179 common: Split out self and repo arguments for a static function
This introduces no functional changes; it will simplify upcoming
commits.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-30 10:17:34 +02:00
Philip Withnall
e3cac586bb common: Use bulk OstreeAsyncProgress API for setting keys
This results in one ‘changed’ signal emission rather than several at
once.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-26 16:42:54 +02:00
Alexander Larsson
821851dcb2 flatpak_dir_read_latest: Return NULL, not FALSE on error
2017-06-21 10:23:20 +02:00
Alexander Larsson
67ffd9a0b6 Manually copy summary for update and appdata too
2017-06-19 15:01:19 +02:00
Joaquim Rocha
00802cc710 Re-create the cache repo if it is not bare-user
We need to re-create the cache repo if it has not been previously
configured as bare-user, so it avoids permissions related issues.
2017-06-19 14:34:43 +02:00
Joaquim Rocha
bfea681ad1 Force the cache repo to use the bare-user mode
Unless forced by the FLATPAK_OSTREE_REPO_MODE env var, we default cache
repos to bare-user mode. Otherwise it can lead to permissions problems
because, e.g. if the system repo is configured as a "bare" repo, then
the cache repo will be too and this will lead to fchown calls even if
the user is non-privileged.
2017-06-19 14:34:43 +02:00
Alexander Larsson
e987d92ad0 install: Manually save summary[.sig] in cache repo
With the latest ostree, pull --mirror does not mirror the
summary for partial pulls, so system-wide installs fail. We
fix it by manually updating the summary.
2017-06-19 13:09:33 +02:00
Alexander Larsson
87081cc47d Unless forced via FLATPAK_OSTREE_REPO_MODE, use bare-user for cache repo
This way we don't break if some commit is not canonical when we
import to the system repo.
2017-06-19 12:56:02 +02:00
Alexander Larsson
66e60be49d Default to bare-user-only repo
This means we work on systems without xattrs
Old installations keep using bare-user, and you can use
FLATPAK_OSTREE_REPO_MODE=user to force it.
2017-06-16 12:20:49 +02:00
Colin Walters
1e07f79b57 Use new libostree APIs to reject world-writable/suid content
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.

However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.

Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
off setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.

At this time we're not aware of any flatpak content exploiting this issue.

Closes: https://github.com/flatpak/flatpak/issues/845
2017-06-15 16:40:17 +02:00
Colin Walters
daf36ba2af dir: Ensure ~/.local/share/flatpak is 0700
This goes into a big old topic about Unix homedir permissions; it's not uncommon
for general purpose OS vendors to have homedirs be 0755. In that case,
applications need to ensure confidentiality for data requiring it (classically
e.g. `~/.ssh`) by making the dirs `0700`.

While most of the data in the flatpak per-user dir probably isn't confidential
(debatably) we have a different issue; if container content includes suid or
world-writable files/dirs, then having that data accessible to other users
is obviously problematic.

We're going to fix flatpak/ostree to not create files with those modes
to begin with, but this simple fix closes off the attack route for
the per-user directory.

A different fix will be necessary for the system-wide repo.

See: https://github.com/flatpak/flatpak/pull/837
2017-06-08 17:00:20 +02:00
Colin Walters
4714f55ebd dir: Ensure we return on pull error to avoid error-overwrites
Looking at the git history, this code originally retried on
some cases for pull, then stopped doing so, then a later commit
added code after it, which made it incorrect.

Just do an early return again and drop the `res` variable.
2017-06-08 09:42:40 +02:00
Philip Withnall
a664fd136a dir: Fix a minor memory leak
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2017-06-06 19:42:54 +01:00
Alexander Larsson
d8000183f6 extra-data: Print exit status if apply_extra_data script fails
2017-05-30 11:12:37 +02:00
Alexander Larsson
e75cff6bb5 export: Store the app id in the X-Flatpak key
We need this, because it may not correspond 100% to
the desktop file id, as flatpak allows suffixes if you
want multiple desktop files in one app.
2017-05-24 12:02:42 +02:00
Alexander Larsson
71408adbb3 Don't error out when updating metadata for disabled remotes
2017-05-24 11:42:18 +02:00
Alexander Larsson
e89facde7f deploy: Ensure xa.ref, if set, is correct
2017-05-23 11:41:58 +02:00
Alexander Larsson
c8659e4530 progress: Update at 300msec on the CLI
Writing things on the console every 100msec doesn't really
make any sense, the progress bar is not finegrained enough
and you can't read the text that fast anyway.
2017-05-23 10:18:35 +02:00
Alexander Larsson
67a9d9dfec OCI: Properly initialize all used progress fields
It's not a fatal error to try to read uninitialized ones,
so this needs to be done.
2017-05-19 11:51:00 +02:00
Alexander Larsson
05aa9e4eb3 Remove unused variable
2017-05-19 09:24:51 +02:00
Alexander Larsson
fbd5452aac progress: Use the new atomic progress API
We read everything at once, which means we will not
race against the download thread possibly updating the
values.
2017-05-18 12:28:57 +02:00
Georges Basile Stavracas Neto
222c525910 dir: Report progress more frequently
Flatpak relies on OSTree to report the progress, and
OSTree's progress report frequency falls back to 1 second.

Recently, however, OSTree received support for setting
custom update frequencies. Since it relies on GVariant
options, if the user has an older OSTree, it'll simply
be ignored.

This patch, then, makes Flatpak report progress every
100ms rather than the default value of 1 second.

flatpak/flatpak#609
2017-05-12 16:16:03 +02:00
Alexander Larsson
3e9bc8ba7a Rewrite exported mimetype files
We only allow globs, not magic matches, and we drop the glob
priority to a very low level (weight=5), which means that it's
hard for app-installed mimetypes to override the system-installed
ones. That should make exporting mimetypes pretty safe.
2017-05-11 18:16:13 +02:00