This adds new FlatpakTransaction API, and a new top level CLI command to
preinstall flatpaks, that is to install flatpaks that are considered
part of the operating system.
A new drop-in directory /etc/flatpak/preinstall.d/ allows configuring
what apps should be preinstalled, and a new flatpak preinstall command
installs and removes apps based on the current configuration.
A drop-in loupe.preinstall file can look something like this:
[Flatpak Preinstall org.gnome.Loupe]
Branch=stable
IsRuntime=false
The corresponding API is flatpak_transaction_add_sync_preinstalled()
which can be implemented by GUI clients to drive the actual installs
on system startup.
Resolves: https://github.com/flatpak/flatpak/issues/5579
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
We want to use collection IDs to specify what remote to install from
when processing /etc/flatpak/preinstall.d; in order for this to work
for OCI remotes, we need to permit collection IDs.
- In flatpakrepo files, don't require a GPGKey for a OCI remote
with a collection - we don't have signature verification for GPG remotes.
- Don't validate that the collection ID appears in the summary -
the image index doesn't currently contain an image ID
Instead of passing the delta URL along with the image source, when
we create an image source for a remote registry, if we find a delta
URL in the metadata, set it on the FlatpakImageSource for later use.
Centralize duplicated code for creating an image source for a remote
repository based on a summary lookup into one place.
Add support for `oci-archive:` image sources by temporarily
unpacking the archive using libarchive.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Which allows one to create an image source from a container location.
It also adds a new FlatpakDockerReference to access different parts of a
docker reference and changes to FlatpakOciIndex to get a manifest for a
specific architecture.
This will become useful in the next commit when we're going to add
support for installing OCI images.
To avoid passing around combinations of a FlaptakOciRegistry with
repository and digest, add a FlatpakImageSource type.
This also reduces duplicated code where every place that did
this independently retrieved the repository and image config.
Docker and podman can be configured to use mutual TLS authentication
to the registry by dropping files into system-wide and user
directories. Implement this in a largely compatible way.
(Because of the limitations of our underlying libraries, we
can't support multiple certificates within the same host config,
but I don't expect anybody actually needs that.)
The certs.d handling is extended so that certificates are separately
looked up when downloading the look-aside index. This is mostly
to simplify our tests, so we can use one web server for both -
in actual operation, we expect the indexes to be unauthenticated.
Also for testing purposes, FLATPAK_CONTAINER_CERTS_D is supported
to override the standard search path.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
The systemd Desktop Environments conventions for cgroup names is
app[-<launcher>]-<ApplicationID>-<RANDOM>.scope
where RANDOM should ensure that multiple instances of the application
can be launched. Currently flatpak uses the PID of itself but the
instance fullfills this convention and is a bit more useful for matching
the cgroup to a flatpak instance.
There are cases where flatpak is doing some internal work (apply extra
data) where there is no instance id, and more philosophically also no
app instance. In those cases we simply do not move the process to the
cgroup with the XDG convention.
The original idea behind this code was that the initial lockless scan
of reachable objects will make the locking one fast enough that
it won't matter to software managing flatpak repos like flat-manager.
Few years later I can say this is not true, and the locking variant
of scan does take too long and affects Flathub's publishing process.
By keeping only the lockless variant in dry run, we can run it on a
weekly schedule without affecting operations, and issue actual pruning
with flat-manager which will hold a lock in external system and avoid
executing any actions requiring locking to avoid errors/timeouts.
Currently, app installs and updates are treated the same from the point
of view of the parental controls permissions checks. This was intended so
that parents have to re-check each app update to make sure it’s still
appropriate for their children.
In practice, though, parents are not that hands-on, and there are a lot of
regular app updates. The tradeoff between app updates (which bring
security fixes and features) and not changing so much in apps that a
parent’s initial assessment of their suitability for their child is
probably skewed the wrong way. We should be preferring updates (in
particular, so we get security updates), and assuming that if an app is
OK to begin with, it’s probably not going to change so radically as to
become unsuitable for a child with an update.
As a data point, Google Play’s parental controls will allow apps to be
automatically updated even if a child account can’t install new apps.
So, implement this by splitting the existing
`org.freedesktop.Flatpak.override-parental-controls` polkit action in
two: the existing action for _installs_, and a new
`org.freedesktop.Flatpak.override-parental-controls-update` action for
_updates_. `FlatpakDir` is changed to use the appropriate action
depending on whether an app is being installed from scratch or updated.
The default policies for the two actions differ.
Users/Distros who disagree with the new default policy can provide their
own polkit rules to change the behaviour of
`override-parental-controls-update` so that it matches
`override-parental-controls`, to bring back the old behaviour.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: https://github.com/flatpak/flatpak/issues/5552
udmabuf allows clients to allocate virtual memory as dmabufs,
which then potentially can be imported by other dma subsystems -
most importantly GPU drivers and KMS. This can avoid copies and
thus increase performance.
Unlike other dmabuf allocators like e.g. dma heaps this doesn't
have known issues relevant for sandboxing. Notably memory accounting
works as expected, so apps can't use udmabuf to escape resource
limitations. For this reason systemd, since version 257[1], grants
"uaccess" access to udmabuf by default, considering it as "safe".
With udmabuf increasingly being availably by default, various apps
and libraries start making use of it - examples include libcamera,
mesa llvmpipe and Gstreamer. Thus let's grant access to it in Flatpak
as well.
For now limit it to "dri" access as sharing buffers with GPUs is
the most common use-case. There is no strong reason to not lift
restrictions further if the need arises, though.
1: https://github.com/systemd/systemd/pull/33738
Signed-off-by: Sebastian Wick <sebastian@sebastianwick.net>
Signed-off-by: Robert Mader <robert.mader@collabora.com>
In the real at-spi2-core client library, AT_SPI_BUS_ADDRESS is treated
as higher-precedence than the AT_SPI_BUS X11 atom or the GetAddress()
D-Bus method. Mimic this.
We don't currently implement querying the X11 atom because that would
require a libX11 dependency, so leave a comment indicating where it
would appear in precedence order.
Signed-off-by: Simon McVittie <smcv@collabora.com>
To handle those details at the right place (flatpak-run-wayland.c), we
pass if the wayland socket is allowed to flatpak_run_add_wayland_args
and handle it there instead of in the caller.
Closes#3948
Static libraries do not carry information about their dependencies.
Thus, libflatpak_dep must include all of the dependencies for
libraries to link against libflatpak. To do this, I've repurposed the
libflatpak_common_deps variable, which previously was either empty or
contained only wayland_client, and was then included into the list of
dependencies for libflatpak-common, to be a list of all dependencies
required to both build libflatpak-common, and link against it (or
libflatpak).
This fixes building Flatpak with -Ddefault_library=static. gtkdoc
must currently be disabled due to a Meson bug I'm working on[1].
[1]: https://github.com/mesonbuild/meson/pull/14257
The ostree and Flatpak APIs both refer to "end of life", but
this internal #define (though not the data stored in the cache)
refer to "end of line".
Fix this.
This is a new warning. Reproducible on F41
Fixes:
../common/flatpak-installation.c:1963: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:1858: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:2129: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:2014: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:1732: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:2177: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:2220: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
../common/flatpak-installation.c:2608: Warning: Flatpak: invalid closure annotation: only valid on callback parameters
Signed-off-by: Hubert Figuière <hub@figuiere.net>
Instead of hardcoding /var/tmp when temporarily downloading layer
tarballs, support overriding with a FLATPAK_DOWNLOAD_TMPDIR
environment variable.
We don't use TMPDIR because the layer tarballs can be very big
(in extreme cases like an SDK > 1GB), and TMPDIR is more
likely to point to a in-memory tmpfs.
Now that we read remotes from $datadir/flatpaks/remotes.d as well as
/etc/flatpaks/remotes.d, we should have a mechanism to redirect this, as
we do for almost all other filesystem path locations.
To avoid an explosion of new variables, we introduce FLATPAK_DATA_DIR to
represent configuration that ships with the operating system.
This is useful:
- To fix sandboxing of tests
- When installing using flatpak into a chroot, so that we read
the chroot's configuration rather than the host.
It also is used when reading triggers, but the current
FLATPAK_TRIGGERSDIR is left for compatibility.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
As described in #5614, `WAYLAND_SOCKET` provides a single-use socket
as a file descriptor, which some Wayland compositors use to track
special-purpose Wayland clients like input methods and panels.
Since #5615, there are two cases for how it works:
1. With `--nosocket=inherit-wayland-socket` (default): the file
descriptor is marked close-on-exec so that the sandboxed app does
not inherit it, and the `WAYLAND_SOCKET` environment variable
becomes unset. Every time the sandboxed app connects to Wayland,
because `WAYLAND_SOCKET` is unset, it will fall back to the ordinary,
public `WAYLAND_DISPLAY`.
2. With `--socket=inherit-wayland-socket`: the file descriptor is
allowed to be inherited, and the environment variable continues
to be set. The first time the sandboxed app connects to Wayland,
it will connect to the `WAYLAND_SOCKET`. The second and subsequent
connection attempts will be to the ordinary `WAYLAND_DISPLAY`.
However, when #4920 added a code path for the Wayland security-context-v1
interface, it was implemented as a completely separate code path which
early-returned from flatpak_run_add_wayland_args() before the point
where #5615 subsequently added the implementation for (1.). The practical
result of this is that if the compositor sets `WAYLAND_SOCKET` for
a Flatpak app, and it also happens to implement security-context-v1,
then the application will always inherit the `WAYLAND_SOCKET` as though
`--socket=inherit-wayland-socket` had been used. In this case, the app's
first connection to Wayland will use the `WAYLAND_SOCKET` (bypassing
the security context mechanism), the same as in compositors that do not
implement security-context-v1 at all, and only the second and subsequent
connections will use the special per-app `WAYLAND_DISPLAY` created by the
security context mechanism. This seems likely to be unexpected.
To give maintainers and users a choice between behaviours (1.) and (2.),
we can put the security-context-v1 code path through the same code to
handle `WAYLAND_SOCKET` that is used for Wayland compositors that do not
implement that interface. This means that
`--nosocket=inherit-wayland-socket` disables `WAYLAND_SOCKET` in all
cases: if the compositor supports security-context-v1 and the feature
was also available when Flatpak was compiled, then all of the sandboxed
app's Wayland connections will be to the per-app `WAYLAND_DISPLAY`
created by security-context-v1, and otherwise all of the sandboxed app's
Wayland connections will be to the ordinary, public `WAYLAND_DISPLAY`.
With `--socket=inherit-wayland-socket`, the sandboxed app's
first connection to Wayland will continue to be to the inherited
`WAYLAND_SOCKET` fd, and the second and subsequent connections will
be to the `WAYLAND_DISPLAY`, which might either be the special per-app
version created by security-context-v1, or the ordinary public version.
Signed-off-by: Simon McVittie <smcv@collabora.com>
In the older code path where we were not using Wayland security contexts,
we would try to preserve the name of the Wayland display socket
(`$WAYLAND_DISPLAY`), only falling back to `wayland-0` if the name was
something unconventional (contains `/` or does not start with `wayland-`).
This means that in practice, apps could often successfully use a value
of `$WAYLAND_DISPLAY` from the wrong "world" - for example reading the
value used outside the sandbox from a file in code that runs inside the
sandbox, or conversely, passing the value used inside the sandbox via
IPC to a service like gpg-agent outside the sandbox.
However, the implementation in
flatpak_run_add_wayland_security_context_args() did not do this, and
instead would unconditionally use `wayland-0`. There's no real need to
enforce use of that name.
Apps should not really be passing the string value of `WAYLAND_DISPLAY`
across a sandbox boundary, but in practice some do, and we will get
better interoperability if we try to keep that working in at least the
simple cases. This is similar in spirit to how we have handled X11
since 2022 (flatpak/flatpak#5034).
For now, we skip the last few lines of flatpak_run_add_wayland_args() if
we are using Wayland security contexts, to preserve existing
functionality. A subsequent commit will revisit that.
Resolves: https://github.com/flatpak/flatpak/issues/5863
Signed-off-by: Simon McVittie <smcv@collabora.com>
apply_extra_data() passes a null instance ID to
flatpak_run_add_environment_args(), causing a segfault in
flatpak_run_in_transient_unit() which assumes the instance ID is non-null.
Revert this for now: flatpak#5962 was non-essential, and we can redo it
in a less crashy way later.
This reverts commit 7d6f3e8b6b.
Resolves: https://github.com/flatpak/flatpak/issues/6009
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add '--usb' and '--nousb' to the FlatpakContext option group.
Map these parameters to either the enumarable list, or the hidden
list, of a new "USB Devices" group in the metadata key file. It looks
like this:
```
[USB Devices]
hidden-devices=cls:01:*;
enumerable-devices=vnd:0fd9+dev:0080;vnd:0fd9+dev:0080;
```
Flatpak itself does not use these values, they're meant to be used
by e.g. XDG Desktop Portal to filter which devices the app can see
through the USB portal.
Hidden devices must always take precedence over enumerable devices.
This is heavily inspired by https://github.com/flatpak/flatpak/pull/4083
Co-Authored-By: Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
Co-Authored-By: Ryan Gonzalez <rymg19@gmail.com>
Signed-off-by: Hubert Figuière <hub@figuiere.net>
The systemd Desktop Environments conventions for cgroup names is
app[-<launcher>]-<ApplicationID>[@<RANDOM>].service
where RANDOM should ensure that multiple instances of the application
can be launched. Currently flatpak uses the PID of itself but the
instance fullfills this convention and is a bit more useful for matching
the cgroup to a flatpak instance.
For historical reasons g_qsort_with_data() "only" works with up to 2**31
items, so it won't necessarily work for pathologically large arrays
and therefore is deprecated.
One advantage of g_qsort_with_data() and its replacement g_sort_array()
is that GLib guarantees that they are a stable sort (will not permute
items that already compare equal), which is not a guarantee for glibc's
qsort() and qsort_r(). However, I don't think it's actually relevant
whether we are doing a stable sort in any of these places: most of the
time we are sorting an array of unique items (often the keys of a hash
table, which are necessarily unique), therefore the compare function
will not compare equal in any case.
Another advantage of the GLib functions is that they are portable,
unlike qsort_r(). However, Flatpak is Linux-only, so we can freely use
useful functions like qsort_r().
Signed-off-by: Simon McVittie <smcv@collabora.com>
When iterating more than one group, the variable got clobbered.
Narrowing their scope helps.
This was triggered installing an Inkscape test build
Signed-off-by: Hubert Figuière <hub@figuiere.net>
KDE krunner supports DBus plugins that allow search completion
comparable to the already supported gnome-shell searchprovider.
Exporting the contents of the runner directory enables us to enable
search results from within flatpack applications.
We now resolve the zoneinfo and always make it available at
/usr/share/zoneinfo in the sandbox so we unset TZDIR to get flatpak apps
looking at the right directory.
We seem to have no interest in the specific error, as we are using it
locally just to "return". So there's no point in having the error in
the first place. In consequence, the error is only used in the loop
and can be declared locally to it.
This is more compliant with FHS specification. Most notably, /etc
is not appropriate to hold distro configuration, which is a common
use for the remotes.d feature. It is better practice to put things
under /usr/share, and let the system administrator modify /etc to
their will, of course giving them priority.
Update documentation to reflect this change.
In the process, move to use g_build_filename
