This is a docker seccomp profile that allows you to run flatpak
inside a docker container, given some special requirements:
* The host kernel must support unprivileged user namespaces
(Supported by e.g. fedora and ubuntu kernels)
* The seccomp profile must be used
(--security-opt seccomp=flatpak-docker-seccomp.json)
* flatpak is run as a reguler user, not root, in the container
* The full host /proc must be visible in the container
(-v=/proc:/host/proc)
The last one is a bit weird, but the regular /proc in docker
is mounted with some cover-over mounts, and this makes the kernel
disallow mounting a new procfs for the pid namespace. Adding
in a full copy of the host fs causes this to be allowed.
Closes: #2867
Approved by: alexlarsson
This adds the xml interface definition for
org.freedesktop.impl.portal.PermissionStore.
Subsequent commits will use this interface.
Closes: #1837
Approved by: alexlarsson
This listens to org.freedesktop.portal.Flatpak and lets flatpak
sandboxes do flatpak specific things.
Initially this only allows access to "Spawn", which lets you start a
new copy of the current or latest version of the calling app,
optionally with sandboxing.
This allows the app to re-start itself with the latest version after
an update, and the sandboxing is useful for apps that want to manually
sandbox part of themselves.
You can also expose one or more subdirectories of
~/.var/app/$appid/sandbox/ to the app, read-write or read-only. This is
useful to communicate with the sandbox.
This is now in xdg-desktop-portal. We keep a version of the document
portal dbus XML so that we avoid weird build dependencies.
Flatpak itself is technically not dependent on the document portal,
but it is very much recommended that you use it.
Closes: #1398
Approved by: alexlarsson
