Previously --nofilesystem=host only removed specifically access to the
`host` permissions, and not necessarily other filesystems (like `home`
or `/some/path`). This isn't very useful to limit access because you
don't know what other filesystems the app may have access too.
We change this to mean that `--nofilesystem=host` removes *all* filesystem
access from the parent layer, and `--nofilesystem=home` removes all
file access to the homedir and paths inside it.
The available layers are, in order:
* app permissions
* overrides
* commandline args
This allows you to start from scratch with the filesystem permissions
in the overrides or the commandline. This is a small change in
behaviour, but not a lot of things use --nofilesystem, and the ones
that do probably expects this behaviour.
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.
This was disables a long time ago because the fedora remotes didn't
contain metadata, but that has been added since then. Requiring fixes
a security concern where an app claims to require no permissions (by
having no metadata in commit) but then actually requires permissions
in the installed app.
If we fail to parse xa.metadata from the summary cache or the commit
xa.metadata we fail the resolve.
If xa.metadata is missing in the commit we fail the resolve (it is
always set in the summary cache, because summary update converts
missing xa.metadata to "", so we either get that, or cache miss which
leads to resolving from the commit.
This means that op->resolved_metadata is always set during install and
updates, which means we will show the app permissions. The transaction
will also always make sure that this data actually matches what gets
deployed.
Before this change an invalid metadata in the summary cache could lead
to a NULL resolved_metadata, which means we wouldn't print the app
permissions, yet we would still deploy some metadata file that could
have permissions. (NOTE: It would fail to deploy unless the
xa.metadata in the commit matched the metadata file, but in this
corner case we would't compare the summary and commit metadata, so
they may differ.)
In particular, if a null terminator is placed inside the metadata file,
Flatpak will only compare the text *before* it to the value of
xa.metadata, but the full file will be parsed when permissions are set
at runtime. This means that any app can include a null terminator in its
permissions metadata, and Flatpak will only show the user the
permissions *preceding* the terminator during install, but the
permissions *after* the terminator are applied at runtime.
Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Previously, the code would rescan the list of refs many, many times.
Now, it only scans once per flatpak_dir_find_local_related_for_metadata
invocation, and it also only parses each refspec once. On my local
system with a large number of refs (>200) installed, this reduces the
time for a `flatpak remove org.freedesktop.Platform//21.08` to start
from ~7s to ~2s.
This does result in dropping an optimization where ostree_repo_list_refs
is already given the ref kind, but IME the overall speed gains are still
worthwhile.
Fixes#4191.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Commits that are found to have missing or invalid objects need to be
marked partial so that when the thing referencing them is reinstalled,
the missing objects will be pulled. libostree treats non-partial commits
as complete even if they're not, since verifying their completeness is
an expensive operation.
This exactly mirrors what the "ostree fsck" command does when it finds
corruption in a commit.
This fix is especially important because corrupt repos have been an
issue lately so we at least need repair to work properly.
Relatedly, delete invalid commit objects to ensure they are
re-downloaded, though it's not clear that code path is almost ever
reachable.
Fixes https://github.com/flatpak/flatpak/issues/4618
The history test fails sometimes in the CI due to the remote add
operation being missing from the history command's output:
+ diff history-log -
0a1
> add remote system (history-installation) test-repo
Presumably this is due to that operation happening in the same second
that is passed to --since, so move the sleep statement to make sure a
second passes before we do anything.
There's no need to use polkit in the history command, so don't start the
agent in flatpak-main.c. This means we can avoid a test failure in
test-history.sh which was caused by old versions of valgrind being
unaware of syscall sched_getattr, which is used in g_bus_get_sync(),
itself called by install_polkit_agent().
Currently we include entries in the output of the history command for
pulls of appstream refs, e.g. "appstream2/x86_64". However since they
don't have an application ID the Application column shows up blank and
it seems like a pull of nothing which is confusing. These are basically
an implementation detail like the temp repo pulls we already exclude, so
I think it makes sense to exclude them from the output.
It would also make sense to exclude pulls of ostree-metadata refs, but
for some reason I don't see those in practice, even with a collection ID
set on the remote.
The history command seems to have been broken since it was changed to
use FlatpakDecomposed, since that type only works for app or runtime
refs, resulting in errors such as:
$ flatpak history
error: appstream2/x86_64 is not application or runtime
Fix this by making the logic a bit smarter, and don't let any one
invalid ref entry prevent the whole command from working.
Fixes#4332
This is another case where commit 4beaa990c seems to have mistakenly
turned an error code path into one where the deploy appears successful
to the caller of flatpak_dir_deploy() but the commit doesn't actually
get deployed.
If an app was created without a files/ directory, which shouldn't happen
with flatpak-builder but could happen if the commit is crafted manually,
currently the install operation exits successfully but the app is not
actually installed. Instead, error out, as we were doing before commit
4beaa990c2.
Have heard of people running Flatpak commands with both sudo and --user,
and not expecting it work on the root user's installation. Let's just
not allow it since it's not something people ever do intentionally.
Maybe it's a bit pedantic but we shouldn't be matching
"org.test.Hello.Plugin.fun" when we're trying to match "org.test.Hello",
so add some trailing slashes to prevent that, and change the options on
a few commands so we're only parsing the columns we care about.
Caught by @gasinvein on #4575 post-merge: I didn't realize fish has a
separate folder for config files provided by the vendor vs added by the
user. This changes the install directory to match the vendor config dir.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Currently we verify the checksum of indexed summary files (which have
.sub file names) before writing them to the on-disk cache, so in theory
as long as the disk I/O is successful the data integrity should be
intact when we use it via the flatpak-variant-impl-private.h helpers
generated by variant-schema-compiler. However in practice people
sometimes hit assertion failures which are what you would expect to see
if the data is corrupt, since GVariant stores some metadata such as the
"offset size" toward the end of the data, and if we read this from
serialized user data instead it will obviously be incorrect. In one case
I was able to acquire the flathub.idx, flathub.idx.sig, and
flathub-x86_64-fad08cfb10713e749f02a0e894b5d577b7e9c4931fdf9d2fdc50364c002bc925.sub
files which reproduce one of the assertion failures, and the sub file
appears to be incomplete, like the writing of it was interrupted.
We use g_file_replace_contents() when saving these to the disk, and when
not replacing an existing file that function writes directly to the
final filename, so if interrupted it would be expected to leave an
incomplete file.
This commit changes the summary file handling so that we verify the
checksum of any indexed subsummary again after reading it from disk. If
it doesn't match we delete the on-disk cache and try fetching from the
network.
Fixes#4127
The man page states that the --all option for the list command includes
runtime extensions (e.g. that end in .Locale or .Debug) and this is the
case. When --all is omitted, we only show such extensions when the thing
they extend is not already in the list. However when you run a command
like "flatpak list --runtime --columns=application,branch", you get a
list that excludes runtime locale extensions but includes app locale
extensions, since the corresponding apps are not in the list despite
presumably being installed. This doesn't seem like the right behavior,
so tweak the logic so that app locale extensions are excluded when --all
is omitted and --runtime is used.
Strictly speaking the "extension-of" information is not guaranteed to be
present in the deploy data (which acquires it from the metadata), but in
practice it seems to be present for all but Sources extensions, and I
think it should be considered required since we are already using it to
implement functionality elsewhere in Flatpak:
https://github.com/flatpak/flatpak/issues/4585
