flatpak_close_fds_workaround() wasn't technically async-signal-safe,
because the requirement for sysconf() to be async-signal-safe was
removed in POSIX.1-2008.
It could also leave high fds open in some cases: in practice
sysconf(_SC_OPEN_MAX) returns the soft resource limit, but if our
resource limit has been reduced by an ancestor process, we could
conceivably still have fds open and inherited above that number.
We can fix this by using g_fdwalk_set_cloexec() with GLib >= 2.79.2,
or the backport in libglnx with older GLib. This uses close_range()
if possible, falling back to rummaging in /proc with async-signal-safe
syscalls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
var_variant_dup_to_gvariant() returns a floating GVariant, and
g_variant_get_child_value() won't sink it, so we need to free it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
g_variant_get_child_value() returns a non-floating reference, so
g_variant_builder_add() will not sink it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is, strictly speaking, not allowed. On uncommon architectures like
CHERI, a pointer can be larger than a gsize.
This might also help to avoid AddressSanitizer losing track of
reachability, so that it won't think the array and its contents have
been leaked.
Signed-off-by: Simon McVittie <smcv@collabora.com>
1. For security context creation, only relies on WAYLAND_DISPLAY, do not
use WAYLAND_SOCKET since the file descriptor defined by WAYLAND_SOCKET
can be only consumed once.
2. Due to the incompatiblity between WAYLAND_SOCKET and the security
context, add a new permission --socket=inherit-wayland-socket
to limit the usage of WAYLAND_SOCKET to an opt-in feature. Only when
this flag is set, WAYLAND_SOCKET will be passed to the sandbox.
3. When WAYLAND_SOCKET is not inherited, set FD_CLOEXEC to avoid it to
be leaked the to sandbox.
Closes: #5614
As noticed on #5615, under normal circumstances, flatpak-run(1)
replaces itself with the bwrap process via execve(), and does not
close any fds that it might have inherited from its parent. This
allows for patterns like:
flatpak run com.example.App --in-fd=3 --out-fd=5 3<foo 5>bar
However, using execve() is annoying when trying to analyze code
coverage, because the coverage instrumentation does not get the
opportunity to write out its data during exit, so it is possible to
set FLATPAK_TEST_COVERAGE=1 to make flatpak run the app as a child
process and wait for it. This puts us on the code path normally used
for apps launched in the background by flatpak_installation_launch_full(),
which *don't* inherit arbitrary fds from their parent.
Detect this situation and use a different child setup function,
avoiding closing fds that we were meant to inherit.
Fixes: 88a928ea "run: Avoid execve() when measuring test coverage"
Signed-off-by: Simon McVittie <smcv@collabora.com>
In order to maintain a system over time update automatically removes any EOL runtimes that are unused.
This extends it to also remove any autopruned refs. In practice this means removing no longer used driver versions as the system is updated.
Closes#5261
Currently if the parental controls check can't connect to the system
bus, apps are not allowed to run. However, apps are also allowed to run
if the malcontent (or accounts-service) D-Bus services aren't available.
Since it's trivial to meet that requirement by starting a temporary
dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being
able to access the system bus at all is no less secure.
This primarily affects flatpak running in a container where D-Bus is
generally not available.
Fixes: #5076
This means we can still test the old code path, even when a newer version
of AccountsService that will take the newer code path is available.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This function can be used to parse environment variable blocks in
"env -0" format from a buffer. It performs a few format checks during
its parsing and returns an error if an issue is found.
When successful, it returns a string array containing each individual
environment variable parsed from the buffer, in the same format as
the return value of g_get_environ().
The implementation of this function is based on
flatpak_context_parse_env_block().
Unlike the instance directory, whose directory structure is
considered public API and is mounted in the sandbox, the private
instance directory is meant to hold private data or metadata about
an instance for use by internal components.
The private instance directory is not meant to be shared with any
external component, and provides no guarantees about its structure
or contents.
While the public instance directory is named "<instance-id>", the
private instance directory is named "<instance-id>-private". Both the
public and private instance directories share the same parent
directory.
The private instance directory relies on the same lock file as the
public instance directory, and both are garbage-collected together.
To align with work in D-Bus, the security-context's sandbox engine names
are now supposed to follow the reverse-DNS style.
This change should be fine because there has not been a release of
flatpak with security-context support, yet.
These environment variables inform the Vulkan loader on where to find driver files.
Since they typically point to locations on the host filesystem, any application that
attempts to load Vulkan within the flatpak sandbox would break with these set.
Doing so adds the following flags to the openat() call:
O_RDONLY | O_NONBLOCK | O_NOCTTY
And removes the following flag: O_PATH
Also let libglnx handle the error message formatting.
There was already a timeout set using `CURLOPT_CONNECTTIMEOUT`, but that
only affects the initial connection. Once a HTTP connection is
established, the timeout is ineffective.
That means that once a HTTP connection is established, there is no bound
on the length of time a download can take. Sometimes, downloads drop to
very low speeds (for Networking Reasons) and we need a way to give up on
a download if that happens.
So, set a low speed limit of 10KB/s for 60s. If a curl download goes
more slowly than this, it will be considered timed out, and the
`CURLE_OPERATION_TIMEDOUT` code path will be taken.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: https://github.com/flatpak/flatpak/issues/5519
The `code` argument to wayland-scanner is deprecated in favour of
`private-code`, which marks the symbols as private, avoiding them
leaking into the ABI of `libflatpak.so.0`.
`private-code` was new in wayland-scanner 1.15, which is available in
relatively old LTS distributions like CentOS 7, Debian 10 and
Ubuntu 18.04, and is much older than wayland-protocols 1.32.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is only needed in flatpak-run-wayland.c, so we don't need it when
linking ancillary daemons that don't need any of flatpak-run, such as
the portal, session helper, system helper and OCI authenticator.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This was new in GLib 2.60, but libglnx now provides a backport, so we
can use it unconditionally.
We still need a wrapper because g_strv_equal() is not NULL-safe, but
it's a very thin wrapper now.
Signed-off-by: Simon McVittie <smcv@collabora.com>
These functions are to do with being an interactive, terminal-oriented
CLI/TUI, so it would be inappropriate for library code in libflatpak
to call them, and it would also be inappropriate for daemons like the
session and system helpers to call them.
In fact all calls to these were already isolated to app/, so we can
easily move the terminal-related utilities themselves into app/.
As well as shrinking libflatpak, this makes it obvious that the system
helper does not actually need to call flatpak_disable_fancy_output():
it does not link any code that would be affected by that API call.
Signed-off-by: Simon McVittie <smcv@collabora.com>
By giving the context a bit more knowledge of which directories Flatpak
uses for what, we can stop it from depending on the dir/run modules,
which themselves depend on FlatpakContext.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Previously we were relying on flatpak-utils-private.h having a circular
dependency on this, but I'm intending to remove that during future
refactoring.
Signed-off-by: Simon McVittie <smcv@collabora.com>
They are the same as `flatpak run --sandbox` with two exceptions:
* `FLATPAK_RUN_FLAG_MULTIARCH` might be required so we just add it
always
* `FLATPAK_RUN_FLAG_NO_PROC` is added to prevent sandbox escapes via
`/proc/self/exe`
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
This could be uninitialized if the app has --socket=fallback-x11 but
not --socket=wayland, although that's a combination that doesn't make
a great deal of sense. Regression introduced during recent refactoring.
Fixes: db7a8bb5 "common: Split up socket setup from flatpak-run into multiple files"
Signed-off-by: Simon McVittie <smcv@collabora.com>
