In general xa.filter being "" means don't filter, so that it can be
used to override-unset a previous filter. However, We canonicalize
to unset/NULL when comparing, returing, or setting the ostree config.
Closes: #2884
Approved by: alexlarsson
This kind of remotes don't work very well, because they are not modifiable
or removable and can cause conflicts with pre-existing remotes.
We instead want to switch to a way to define default remotes that
is applied to the regular ostree repo config, allowing later changes.
Closes: #2884
Approved by: alexlarsson
This is in preparation for writing some unit tests
for these functions. Apparently they are not too
trivial to get them wrong.
Closes: #2880
Approved by: alexlarsson
If you're adding a remote with --if-not-exists and it exists,
apply the filter key anyway. Typically this is used to allow a
user to use the standard instructions to add a remote even if there
is a pre-existing filtered remote already configured.
Closes: #2869
Approved by: alexlarsson
This is kind of special as it handles non-existing filter keys
as "override to no filters" instead of "leave existing filters" whic
we do for other things. However, that matches how we want to use
.flatpakrepo files to override site-local filters.
Closes: #2869
Approved by: alexlarsson
If there is a filter for the remote, include the checksum of it
in the directory name for the deploy dir. This way we re-deploy the
appstream if the filter changes.
Closes: #2869
Approved by: alexlarsson
This means only refs that are allowed will be visible in the deployed
appstream.
This sometimes means we have to uncompress the xml.gz before rewriting
and then re-compressing that.
As a result of this we now always end up with both the compressed and
the uncompressed xml file, whereas we before didn't get an uncompressed
one if the remote was using the old appstream format.
Closes: #2869
Approved by: alexlarsson
Full names are:
* flatpak_remote_state_lookup_ref()
* flatpak_dir_list_all_remote_refs()
This should be enough to not get any stray refs, because due to the
complexities of p2p all accesses go via FlatpakRemoteState.
The one leftover to non-filtered stuff is the appstream file, a later
commit will handle that.
Closes: #2869
Approved by: alexlarsson
If this is set to a pathname in the configuration of a remote we load
that file and keep track of it as a filter. No filter is actually applied
yet though.
There is two levels of caching, consecutive lookups of the filter
with less than 500msec between use the previous value. Once its more
that that we stat() the file and compare the mtime, reloading the file
if the mtime changes. We also directly reload the file if the pathname
changes.
Closes: #2869
Approved by: alexlarsson
Filters are specified as a list of
op glob
where op can be allow or deny, and the blogs are partial refs
where * means anything in this part of the ref, and non-specified
trailing parts of the ref matches anything.
By default everything is allowed, but if you specify some
deny rules all that they match is denied, except if there is
an specific allow rule.
Internally this takes all the allow and deny globs and convert
them into two combined regular expressions.
Some examples:
* - match anything
app/* - match all apps
runtime/* - match all runtimes
app/*/x86_64 - match all x86-64 apps
app/org.gnome.*/*/stable - match all stable gnome apps
org.gnome.frogr* - match frogr and extensions
This means you can do a both whitelisting:
deny *
allow org.the.good.app*
Or blacklisting:
deny org.the.bad.app*
Closes: #2869
Approved by: alexlarsson
The function was already leaking the result of
extract_unix_path_from_dbus_address() in the case where that call
succeeded. Since commit 0e545799 it would also leak the result of
g_build_filename in the case where it checked $XDG_RUNTIME_DIR/bus.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #2877
Approved by: matthiasclasen
This matches what's now implemented in libdbus, GDBus and sd-bus.
If $DBUS_SESSION_BUS_ADDRESS is unset, check whether $XDG_RUNTIME_DIR/bus
is a socket owned by Flatpak's uid; if it is, use it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #2874
Approved by: alexlarsson
readlink() and readlinkat() have weird semantics (they return the
number of bytes they would have written if there was enough space,
even if that's larger than the buffer), but glnx_readlinkat_malloc()
takes care to do the right thing in all situations.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #2873
Approved by: matthiasclasen
If the buffer is too small, readlink() returns the number of bytes that
would have been stored if the buffer had been large enough.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #2873
Approved by: matthiasclasen
This is a docker seccomp profile that allows you to run flatpak
inside a docker container, given some special requirements:
* The host kernel must support unprivileged user namespaces
(Supported by e.g. fedora and ubuntu kernels)
* The seccomp profile must be used
(--security-opt seccomp=flatpak-docker-seccomp.json)
* flatpak is run as a reguler user, not root, in the container
* The full host /proc must be visible in the container
(-v=/proc:/host/proc)
The last one is a bit weird, but the regular /proc in docker
is mounted with some cover-over mounts, and this makes the kernel
disallow mounting a new procfs for the pid namespace. Adding
in a full copy of the host fs causes this to be allowed.
Closes: #2867
Approved by: alexlarsson
Any log output interferes with comletion.
We already refrain from installing our verbose
log handlers in this case, but we are still
vulnerable to GLib default message handling,
e.g. via the G_MESSAGES_DEBUG environment
variable. To avoid that, explicitly install
a message handler that suppresses all output.
Closes: https://github.com/flatpak/flatpak/issues/2860Closes: #2862
Approved by: alexlarsson
