Commit Graph

6703 Commits

Author SHA1 Message Date
Alexander Larsson
72b16394e6 Update NEWS for release 2022-02-11 16:20:40 +01:00
Alexander Larsson
4050c810f6 appstream deploy: Delete old tmpfiles
Due to previous bugs we were leaving a lot of temp files around
in the appstream deploy dirs, which could add up to using a lot of
space. So, lets find and delete these on updates.

This check only happens on a successful update to a new appstream,
which isn't that often, so the cost of this check is unlikely to be a
problem.

(cherry picked from commit d4a9f3ba23)
2022-02-11 16:18:19 +01:00
Alexander Larsson
66f3cc462c appstream deploy: Clean up temporary files on error
If during appstream deploy there is an error, the temporary files were
not deleted, resulting in leaked files in /var/lib/flatpak/appstream.
Over time these could add up to a significant size. In particular this
happes if several deploys happen in parallel, because then the final
move into place will fail with EEXIST.

This fixes the cleanup of both the temporary directory and the temporary
link on any error.

Fixes https://github.com/flatpak/flatpak/issues/4735

(cherry picked from commit 61f9297cbc)
2022-02-11 16:18:19 +01:00
Bastien Nocera
dcd79527a1 run: Don't propagate GStreamer variables to the sandbox
Trying to run sandboxed GStreamer applications from within jhbuild, for
example, would make those applications fail to find their plugins.

$ LANG=C flatpak run org.gnome.Totem.Devel
** (totem:2): WARNING **: 19:32:06.406: Element 'gtkglsink' is missing, verify your installation
** (totem:2): WARNING **: 19:32:06.406: Element 'glsinkbin' is missing, verify your installation

Don't propagate those GStreamer environment variables to within the
sandbox to avoid that problem.

See https://gitlab.gnome.org/GNOME/totem/-/issues/504

(cherry picked from commit 4470bf1425)
2022-02-11 16:18:19 +01:00
Simon McVittie
8feef258f0 Update changelog so far
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-02-09 16:43:40 +00:00
Simon McVittie
62cc8a4717 NEWS: Correct release date for 1.12.4 2022-02-09 16:33:03 +00:00
Phaedrus Leeds
6c57af648b test-history.sh: Fix flakiness by moving sleep
The history test fails sometimes in the CI due to the remote add
operation being missing from the history command's output:

+ diff history-log -
0a1
> add remote			system (history-installation)	test-repo

Presumably this is due to that operation happening in the same second
that is passed to --since, so move the sleep statement to make sure a
second passes before we do anything.
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
0a4491aed7 app: Don't use polkit agent in history command
There's no need to use polkit in the history command, so don't start the
agent in flatpak-main.c. This means we can avoid a test failure in
test-history.sh which was caused by old versions of valgrind being
unaware of syscall sched_getattr, which is used in g_bus_get_sync(),
itself called by install_polkit_agent().

(cherry picked from commit dd9fe19066)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
3e1f661654 Add a unit test for the history command
(cherry picked from commit 1b6de2518b)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
77303bd41d history: Fix exclusion of temp repos
Without this change there are history entries showing pulls into
temporary repos which we don't want.

(cherry picked from commit e18df8379a)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
2cfce0f1fd history: Omit entries for appstream refs
Currently we include entries in the output of the history command for
pulls of appstream refs, e.g. "appstream2/x86_64". However since they
don't have an application ID the Application column shows up blank and
it seems like a pull of nothing which is confusing. These are basically
an implementation detail like the temp repo pulls we already exclude, so
I think it makes sense to exclude them from the output.

It would also make sense to exclude pulls of ostree-metadata refs, but
for some reason I don't see those in practice, even with a collection ID
set on the remote.

(cherry picked from commit fbad9641b7)
2022-02-08 10:12:24 -08:00
Phaedrus Leeds
4b37f88c68 history: Fix printing refs
The history command seems to have been broken since it was changed to
use FlatpakDecomposed, since that type only works for app or runtime
refs, resulting in errors such as:
$ flatpak history
error: appstream2/x86_64 is not application or runtime

Fix this by making the logic a bit smarter, and don't let any one
invalid ref entry prevent the whole command from working.

Fixes #4332
(cherry picked from commit e44b54856e)
2022-02-08 10:12:24 -08:00
Piotr Drąg
1810377649 Update Polish translation 2022-02-05 09:05:49 -08:00
Phaedrus Leeds
786f64dc5b dir: Fix typo of bundle
(cherry picked from commit a626003d6d)
2022-01-19 12:52:13 +00:00
Simon McVittie
103ed5c02c Regenerate translation files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
1.12.4
2022-01-18 17:38:36 +00:00
Simon McVittie
d19ed758f9 Release v1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 17:34:01 +00:00
Simon McVittie
617494c63f NEWS: Describe what is intended to appear in 1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
61927c7af7 NEWS: Mention CVE-2022-21682
At the time we wrote the NEWS for 1.12.3, this CVE ID had not yet been
issued.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-18 16:35:28 +00:00
Simon McVittie
f9ce3433e0 test-override: Exercise --nofilesystem=host:reset
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 4aa70d2d72)
2022-01-18 16:35:28 +00:00
Simon McVittie
a16efca8ec test-context: Exercise some corner cases for merging filesystems
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit fab0f8ed7c)
2022-01-18 16:35:28 +00:00
Simon McVittie
0e2e9a5583 test-exports: Exercise host:reset and related filesystem tokens
Signed-off-by: Simon McVittie <smcv@collabora.com>
Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit f3d12dc793)
2022-01-18 16:35:28 +00:00
Simon McVittie
4eb3c2addd context: Introduce new --nofilesystem=host:reset
This reintroduces the special case that existed in Flatpak 1.12.3, but
under a different name, so that it will be backwards-compatible. With
this change, flatpak-builder will be able to resolve CVE-2022-21682 by
using --filesystem=host:reset.

We want to implement this as a suffix rather than as a new keyword,
because unknown suffixes are ignored with a warning, rather than causing
a fatal error. This means that the new version of flatpak-builder will
be able to run against older versions of flatpak: it will still be
vulnerable to CVE-2022-21682 in that situation, but at least it will run.

Co-authored-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit 5709f1aaed)
2022-01-18 16:35:28 +00:00
Simon McVittie
47247b0987 test-override: Assert that --nofilesystem with suffix yields a warning
This was added as part of implementing the :reset suffix.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ab0169ee39)
2022-01-18 16:35:28 +00:00
Simon McVittie
ecaabf5e9d test-override: Assert pre-1.12.3 behaviour of --nofilesystem=home, host
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 813e1f0b3b)
2022-01-18 16:35:28 +00:00
Simon McVittie
4a93202fc8 run, override: Clarify the effect of --nofilesystem
There are two reasonable interpretations for --nofilesystem=home:
either it revokes a previous --filesystem=home (as in Flatpak 1.12.2 and
older versions), or it completely forbids access to the home directory
(as in Flatpak 1.12.3). Clarify the man pages to indicate that it only
revokes a previous --filesystem=home. This will hopefully reduce
mismatches between the design and what users expect to happen, as
in flatpak#4654.

A subsequent commit will introduce a way to get the Flatpak 1.12.3
behaviour in a way that is more backwards-compatible with Flatpak 1.12.2
and older versions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7bbeed2b87)
2022-01-18 16:35:28 +00:00
Simon McVittie
a4291cd8e0 Revert "Make --nofilesystem=host/home remove access to subdirs of those"
This caused regressions for some previously-working use cases. For
example, some Flatpak users previously used a global
`flatpak override --nofilesystem=home` or
`flatpak override --nofilesystem=host`, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With
the changes in 1.12.3, this no longer has the desired result, because
`--nofilesystem=home` was special-cased to disallow inheriting the
finer-grained `--filesystem`.

This reverts commit 445bddeee6.

This reverts the initial solution to CVE-2022-21682, which we intend to
resolve differently, by introducing a new feature in Flatpak and making
use of it in a new flatpak-builder version.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 917a7f5870)
2022-01-18 16:35:28 +00:00
Simon McVittie
59dc5f783e Revert "manpages: Document the new details of --nofilesystem behaviour."
The new behaviour caused regressions in some situations that previously
worked, and will be reverted.

This reverts commit 4d11f77aa7.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit dfe868d628)
2022-01-18 16:35:28 +00:00
Simon McVittie
5dc5b1bb07 test-override: Assert that unimplemented suffix is ignored with a warning
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 8a44df04c8)
2022-01-17 16:03:25 +00:00
Simon McVittie
9bb041f457 test-override: Assert that only the expected term is negated
We weren't distinguishing here between overrides that should have been
negated (xdg-documents) and overrides that should not have been negated
(everything else).

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4e3d1d8b7b)
2022-01-17 16:03:25 +00:00
Simon McVittie
6780cbdcb7 Don't rely on AS_BUNDLE_KIND_FLATPAK existing
The appstream-glib in Ubuntu 16.04 didn't have this.

Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 97db30f38d)
2022-01-13 09:35:05 +00:00
Alexander Larsson
38621b439e Fix 1.12.3 version reference in NEWS 2022-01-12 19:59:36 +01:00
Alexander Larsson
e528dcf196 Update pofiles for release 1.12.3 2022-01-12 13:13:24 +01:00
Alexander Larsson
08cf080287 Update NEWS for 1.12.3 2022-01-12 12:42:33 +01:00
Alexander Larsson
8573fdc54f Bump version to 1.12.3 2022-01-12 11:53:58 +01:00
Alexander Larsson
dfa079604c manpages: Document the new details of --nofilesystem behaviour.
(cherry picked from commit da3e12b319094158c2afa3df380bc45a7626928c)
2022-01-12 11:53:14 +01:00
Alexander Larsson
d36382dd4d Make --nofilesystem=host/home remove access to subdirs of those
Previously --nofilesystem=host only removed specifically access to the
`host` permissions, and not necessarily other filesystems (like `home`
or `/some/path`). This isn't very useful to limit access because you
don't know what other filesystems the app may have access too.

We change this to mean that `--nofilesystem=host` removes *all* filesystem
access from the parent layer, and `--nofilesystem=home` removes all
file access to the homedir and paths inside it.

The available layers are, in order:

 * app permissions
 * overrides
 * commandline args

This allows you to start from scratch with the filesystem permissions
in the overrides or the commandline. This is a small change in
behaviour, but not a lot of things use --nofilesystem, and the ones
that do probably expects this behaviour.

(cherry picked from commit e2c8863fb62301cb05c64bbb32b04446e88ce11a)
2022-01-12 11:53:08 +01:00
Phaedrus Leeds
b0e0bba79a Add test for metadata validation
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.

(cherry picked from commit 2c2ce58c54b3e6c62f9c21c15efa0ba22f4bc09b)
2022-01-12 11:52:39 +01:00
Alexander Larsson
426aac432b Ensure that bundles have metadata on install
If we have a bundle without metadata we wouldn't properly present
the permissions in the transaction.

(cherry picked from commit b250541302187ff2209b0bb1295e8223d0af860f)
2022-01-12 11:52:34 +01:00
Alexander Larsson
e9455b7a7f Require metadata in commit also for OCI remotes
This was disables a long time ago because the fedora remotes didn't
contain metadata, but that has been added since then. Requiring fixes
a security concern where an app claims to require no permissions (by
having no metadata in commit) but then actually requires permissions
in the installed app.

(cherry picked from commit f0f3a35f404b5bd533186095db055f8b3d135576)
2022-01-12 11:52:28 +01:00
Alexander Larsson
927c2b0318 Transaction: Fail the resolve if xa.metadata invalid or missing
If we fail to parse xa.metadata from the summary cache or the commit
xa.metadata we fail the resolve.

If xa.metadata is missing in the commit we fail the resolve (it is
always set in the summary cache, because summary update converts
missing xa.metadata to "", so we either get that, or cache miss which
leads to resolving from the commit.

This means that op->resolved_metadata is always set during install and
updates, which means we will show the app permissions. The transaction
will also always make sure that this data actually matches what gets
deployed.

Before this change an invalid metadata in the summary cache could lead
to a NULL resolved_metadata, which means we wouldn't print the app
permissions, yet we would still deploy some metadata file that could
have permissions. (NOTE: It would fail to deploy unless the
xa.metadata in the commit matched the metadata file, but in this
corner case we would't compare the summary and commit metadata, so
they may differ.)

(cherry picked from commit 5036bca4214d5b77e884dec42e36496a06e74081)
2022-01-12 11:52:21 +01:00
Ryan Gonzalez
5daba75daf Fix metadata file contents after null terminators being ignored
In particular, if a null terminator is placed inside the metadata file,
Flatpak will only compare the text *before* it to the value of
xa.metadata, but the full file will be parsed when permissions are set
at runtime. This means that any app can include a null terminator in its
permissions metadata, and Flatpak will only show the user the
permissions *preceding* the terminator during install, but the
permissions *after* the terminator are applied at runtime.

Fixes GHSA-qpjc-vq3c-572j / CVE-2021-43860

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
(cherry picked from commit c9c3a667c09a846c0b230cf1cc8ed330028aa03c)
2022-01-12 11:52:15 +01:00
Phaedrus Leeds
9fded3abe4 Add a test for the repair command
This should ensure that https://github.com/flatpak/flatpak/issues/4618
stays fixed.

(cherry picked from commit 45c7f5071c)
2022-01-11 23:47:36 +00:00
Phaedrus Leeds
f809e9f9a4 repair: Properly mark invalid commits as partial
Commits that are found to have missing or invalid objects need to be
marked partial so that when the thing referencing them is reinstalled,
the missing objects will be pulled. libostree treats non-partial commits
as complete even if they're not, since verifying their completeness is
an expensive operation.

This exactly mirrors what the "ostree fsck" command does when it finds
corruption in a commit.

This fix is especially important because corrupt repos have been an
issue lately so we at least need repair to work properly.

Relatedly, delete invalid commit objects to ensure they are
re-downloaded, though it's not clear that code path is almost ever
reachable.

Fixes https://github.com/flatpak/flatpak/issues/4618

(cherry picked from commit 6fac58a9b9)
2022-01-11 11:51:30 +01:00
Phaedrus Leeds
8db0af3e84 list: Tweak logic for excluding Locale/Debug extensions
The man page states that the --all option for the list command includes
runtime extensions (e.g. that end in .Locale or .Debug) and this is the
case. When --all is omitted, we only show such extensions when the thing
they extend is not already in the list. However when you run a command
like "flatpak list --runtime --columns=application,branch", you get a
list that excludes runtime locale extensions but includes app locale
extensions, since the corresponding apps are not in the list despite
presumably being installed. This doesn't seem like the right behavior,
so tweak the logic so that app locale extensions are excluded when --all
is omitted and --runtime is used.

Strictly speaking the "extension-of" information is not guaranteed to be
present in the deploy data (which acquires it from the metadata), but in
practice it seems to be present for all but Sources extensions, and I
think it should be considered required since we are already using it to
implement functionality elsewhere in Flatpak:
https://github.com/flatpak/flatpak/issues/4585

(cherry picked from commit 470b321c63)
2022-01-11 11:51:02 +01:00
Phaedrus Leeds
c7b8e3c54f Change how automatic pinning is implemented
This commit re-works how we automatically "pin" runtimes that are
explicitly installed, to prevent them from being removed automatically.
In this implementation we do the update to the config as part of the
deploy, which has the following advantages:
(1) It ensures that there's never a confusing polkit prompt about
configuring the software installation when the user asked for a runtime
to be installed (https://github.com/flatpak/flatpak/issues/4200)
(2) It means we don't have to rely on the code on the error path of
flatpak_transaction_real_run() to un-pin the runtime in case something
went wrong with the installation, since we pin it almost atomically with
the deploy.

Fixes #4200

(cherry picked from commit 6f5bb3597e)
2022-01-11 11:51:02 +01:00
Phaedrus Leeds
bd4fff12f6 Don't use app title from flatpakref as remote title
On two different code paths we were using the "Title" field in
flatpakref files as the title of a remote, which is incorrect. In most
cases, the remote added via the RuntimeRepo key will be the same as the
remote the app is from, so when the remote is added for the runtime, its
title will be correctly set using the Title value from the flatpakrepo
file and the app will therefore have an origin remote with a title set.
This is not currently true for flatpakref files that use
SuggestRemoteName=, see https://github.com/flatpak/flatpak/pull/4513

For flatpakref files that use a different remote than the RuntimeRepo,
we don't currently have a way for the title to be set automatically;
perhaps we should (https://github.com/flatpak/flatpak/issues/4512).

Fixes https://github.com/flatpak/flatpak/issues/4499

(cherry picked from commit 9dbd265cdd)
2022-01-11 11:51:02 +01:00
Phaedrus Leeds
512b693dbf Ensure refs are updated from their origin
It can happen that a related ref is installed from a different remote
than the thing it's related to. We always want to update things from
their origin remote. However as of now FlatpakTransaction resolves the
commit of a related ref to the one available from the main ref origin,
and later sets the remote for the operation to the installed origin (see
commit 6793d90b8). In case there is a newer commit in the main ref
origin than the installed origin, this leads to an update operation
being erroneously created, only to then error out with an HTTP 404
error, because the commit from the main ref origin is being pulled from
the installed ref origin. For specific steps to reproduce see
https://github.com/flatpak/flatpak/issues/3128#issuecomment-948948040

So, ensure that when a FLATPAK_TRANSACTION_OPERATION_INSTALL_OR_UPDATE
operation is created for something that's installed, whether it's a
related ref or something else, the remote used is always the origin. And
ensure that the remote is set correctly before the stage where the op is
resolved to a commit, to avoid the situation described above. This is
essentially a re-implementation of the fix in commit 6793d90b8.

Also, add a unit test for this behavior.

This commit also makes a few changes to documentation to make it clear
that this related-ref-different-origin situation is possible.

Fixes #3128

(cherry picked from commit 49d9052d22)
(only merge conflicts in tests/testlibrary.c)
2022-01-11 11:51:02 +01:00
Phaedrus Leeds
e4db35077c app: Fix behavior when installing end-of-life-rebased ref
Currently if the user specifies a ref to install that has been renamed
via the end-of-life-rebased mechanism, for example "flatpak install
com.visualstudio.code.oss", Flatpak erroneously tries to install both
the old and new versions of the app. This happens because the code
handling end-of-life-rebase conditions is written assuming the rebased
app is being updated rather than installed for the first time.

Specifically, in FlatpakCliTransaction and FlatpakQuietTransaction, in
end_of_lifed_with_rebase(), we treat a failure of
flatpak_transaction_add_uninstall() as fatal and return FALSE from the
signal handler, which means that the install operation that triggered
the signal will not be skipped (see the docs for
FlatpakTransaction::end-of-lifed-with-rebase).

So, instead check for the FLATPAK_ERROR_NOT_INSTALLED error code and
ignore it, so that the installation of the old version of the renamed
app will be properly cancelled.

Fixes https://github.com/flatpak/flatpak/issues/3754

(cherry picked from commit 3aa9a7f3a1)
2022-01-11 11:51:02 +01:00
Patrick Griffis
5f8ce1d491 Re-enable HTTP compression
The original commit (9865ed8989) disabling
it claimed it fixed OCI downloads. This no longer seems to be a problem.

This has also exposed new bugs as some servers will send
gzip compressed data when the client does not send Accept-Encoding.
If we leave this enabled that issue goes away.

(cherry picked from commit cda4967a9e)
2022-01-11 11:51:02 +01:00
Phaedrus Leeds
8ce5211201 dir: Fix an issue with fetch_remote_ref_sync()
This commit is a follow-up to "Fix implementation of xa.noenumerate
remote option" since that turned out to break
flatpak_installation_fetch_remote_ref_sync() in some cases. I didn't see
it at the time, but flatpak_decomposed_get_collection_id() explains that
the collection ID shouldn't be set on FlatpakDecomposed objects, even
when the remote has a collection ID set, unless they are being used to
enumerate refs from a file:// URI rather than a configured remote. So
this commit changes list_remote_refs() and list_all_remote_refs() to
keep the xa.noenumerate implementation working and to get
fetch_remote_ref_sync() working again (since the latter uses
flatpak_decomposed_new_from_parts() and thus doesn't set a collection ID
on the FlatpakDecomposed object used for comparison).

(cherry picked from commit f3214c59d2)
2022-01-11 11:51:02 +01:00