libostree attempts to strip the setuid and setgid bits from file
permissions in user-mode checkouts, which, if successful, would make
Flatpak's check for setuid ineffective and unnecessary. In versions
older than 2017.7 this was not consistently applied, making commits
2c8e241 and 02a299f necessary to defeat CVE-2017-9780 (see #845).
libostree 2017.7 removes setuid and setgid bits more thoroughly
as a result of fixing https://github.com/ostreedev/ostree/issues/633
in PR https://github.com/ostreedev/ostree/pull/903, which means that
this test fails when linking flatpak 0.8.x to libostree 2017.7.
Signed-off-by: Simon McVittie <smcv@debian.org>
This makes the ostree trivial-httpd --autoexit feature work better,
because it seems to exit whenever the root directory changes (i.e. not
only when it's deleted).
This means the root dir can't be the repo (because then we can't
update the repo), or the base testdir (because we create files there
too), so instead we make the repo $testdir/repos/test and
$testdir/repos as the httpd root.
Use FLATPAK_TESTS_VALGRIND_LEAKS to check for leaks.
We're not currently passing the leak checks, so this helps
us make valgrind checks useful.
This catches regressions in the fix in the previous commit, where old
stale .py[oc] files can wrongly become "unstale" when we change the
.py file mtime to 1.
dbus-launch is X11-specific and contains a lot of legacy code to
support X11 autolaunching. It should not be part of the Wayland
(and/or Mir) future.
Start a dbus-daemon directly instead.
Otherwise, service activation will start a new xdg-document-portal
(because we're using a private DBUS_SESSION_BUS_ADDRESS), but because
XDG_RUNTIME_DIR is shared with the real system, it won't be able to
mount its filesystem.
We need to unmount the document portal before removing the private
XDG_RUNTIME_DIR.
Signed-off-by: Simon McVittie <smcv@debian.org>
Distribution autobuilders are often more locked-down than the
environment in which the distribution binaries actually run.
Signed-off-by: Simon McVittie <smcv@debian.org>