This makes it easier to avoid typos, and also makes it easier to see
what groups and keys are in use. In the header file, they are
clustered according to the group in which the keys are used.
Signed-off-by: Simon McVittie <smcv@collabora.com>
For example, add $(AM_CFLAGS) to mumble_CFLAGS. Since $(WARN_CFLAGS) is
only added to $(AM_CFLAGS), this fixes the lack of inclusion of the
compiler warning flags in the compilation of half of flatpak.
Note that $(AM_*) variables are only used by automake if a more specific
(per-target) special variable is not defined instead. So if you define
mumble_CFLAGS, AM_CFLAGS will not be used for that target unless
explicitly included in mumble_CFLAGS.
See
https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html.
Do the same for $(AM_LIBADD), $(AM_LDFLAGS), etc. These are not
currently defined, but it’s good practice to include them in
mumble_LIBADD (etc.) just in case they’re defined in future. Hopefully
their inclusions will be cargo-culted to any new targets which are
added, retaining full coverage of the code base.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This was accidentally introduced in a8ad3927 in advance of the LAN/USB
changes from PR #884 which will actually use it.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Changes to the Makefile could include changes to the options passed
to gdbus-codegen, which would invalidate the output.
Signed-off-by: Simon McVittie <smcv@collabora.com>
A rule of the form
foo.c foo.h: foo.in
some-generator --output=foo foo.in
is essentially equivalent to writing the same rule once for each target:
foo.c: foo.in
some-generator --output=foo foo.in
foo.h: foo.in
some-generator --output=foo foo.in
In a parallel build, this can result in some-generator being run more
than once with the same inputs and outputs, leading to unpredictable
results if the outputs are overwritten in-place by two parallel copies
(particularly if the generator does not use the standard atomic-writing
trick of writing out a temporary file and renaming it over the top of
the intended name, which gdbus-codegen does not).
gdbus-codegen happens to write the .h file before the .c file, so
use the real build rules to generate the .c file, and consider the
.h file to be a side-effect.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This will make it easier to add another version in upcoming commits
which gets the updated configuration from another source (an
ostree-metadata branch).
This commit introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
There was already a convenience method for this,
fetch_remote_summary_file(), but it wasn’t used uniformly throughout the
file. This introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
There are several places which query keys in the metadata in the summary
file. Factor out a common function to do that, and write it in such a
way that it could be extended to read the metadata from somewhere else
in future (the plan being that metadata will move to an ostree-metadata
branch rather than the summary file).
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Unless forced by the FLATPAK_OSTREE_REPO_MODE env var, we default cache
repos to bare-user mode. Otherwise it can lead to permissions problems
because, e.g. if the system repo is configured as a "bare" repo, then
the cache repo will be too and this will lead to fchown calls even if
the user is non-privileged.
With the latest ostree, pull --mirror does not mirror the
summary for partial pulls, so system-wide installs fail. We
fix it by manually updating the summary.
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.
However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.
Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
of setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.
At this time we're not aware of any flatpak content exploiting this issue.
Closes: https://github.com/flatpak/flatpak/issues/845
This goes into a big old topic about Unix homedir permissions; it's not uncommon
for general purpose OS vendors to have homedirs be 0755. In that case,
applications need to ensure confidentiality for data requiring it (classically
e.g. `~/.ssh`) by making the dirs `0700`.
While most of the data in the flatpak per-user dir probably isn't confidential
(debatably) we have a different issue; if container content includes suid or
world-writable files/dirs, then having that data accessible to other users
is obviously problematic.
We're going to fix flatpak/ostree to not create files with those modes
to begin with, but this simple fix closes off the attack route for
the per-user directory.
A different fix will be necessary for the system-wide repo.
See: https://github.com/flatpak/flatpak/pull/837
Looking at the git history, this code originally retried on
some cases for pull, then stopped doing so, then a later commit
added code after it, which made it incorrect.
Just do an early return again and drop the `res` variable.
We previously required the directory to be writable to expose
it in the app-specific directory. However, the file was already
made visible in the regular location, and it was explicitly requested
by the app, so not allowing it to be there read-only makes no sense.
In particular, this allows KDE apps to use
--filesystem=xdg-config/kdeglobals:ro to allow apps to pick up global
configurations such as theme, etc, in a safe way.
Writing things on the console every 100msec doesn't really
make any sense, the progress bar is not finegrained enough
and you can't read the text that fast anyway.
This looks for an installed app, using the current
one, and loads its permissions and overriders
(ignoring the ones from the runtime).
This is useful if you want to know the permissions
for an application by name, such as in the
document portal.
