Commit Graph

150 Commits

Author SHA1 Message Date
Alexander Larsson
34f463731d system-helper: respect no-interaction for more methods
Closes: #2859
Approved by: alexlarsson
2019-04-26 08:00:27 +00:00
Alexander Larsson
6088c7d0a1 dir: Add support for getting remote state using only caches
If only_cached is TRUE we never do any network I/O, instead
returning ERROR_NOT_CACHED if this is necessary.

Closes: #2859
Approved by: alexlarsson
2019-04-26 08:00:27 +00:00
Alexander Larsson
76898c4309 Enforce a more permissive umask
We enforce an umask of 022 (no world/group writable) in the cli and
the system helper. This is necessary, because we need to create
ostree repositories shared between the helper and the client, and
a more strict umask breaks this.

It would be nice if we could just set this in a thread-local way when
needed, but unfortunately umask() is not threadsafe or overridable in
any local way.

This unfortunately means it will not automatically work for
libflatpak users...

Closes: #2856
Approved by: alexlarsson
2019-04-25 07:13:58 +00:00
Matthew Leeds
bd18eab6ce create-usb: Delete local repo summary if it exists
Old versions of the create-usb command created a summary file in the
local repo being pulled from (e.g. /var/lib/flatpak/repo) but this
summary generation turned out not to be necessary and was removed. So
any computer which used the create-usb command before commit 7c5751a4f
will have a leftover /var/lib/flatpak/repo/summary file which becomes
outdated as apps are updated and installed. This causes problems for the
next invocation of (a recent version of) the create-usb command which
will use the outdated summary during the pull and fail with an error
message like:

error: Importing 3b1293596e9aa67f6fd0daeae477cb94603a4e8ca9e825f446d3dd04a2b5d5ec.commit:
fstatat(3b/1293596e9aa67f6fd0daeae477cb94603a4e8ca9e825f446d3dd04a2b5d5ec.commit): No such file or directory

So this commit makes the create-usb command delete the summary if it
exists before pulling onto the repo on the USB drive. This means USB
copies will work again for any users that used the USB app copy feature
in Endless OS 3.4.7.

Closes: #2854
Approved by: alexlarsson
2019-04-24 13:28:21 +00:00
Matthias Clasen
00dfce5283 Fix a system-helper crash
As seen in https://github.com/flatpak/flatpak/issues/2829,
the system-helper crashes while trying to access an as
parameter as s. Looking at the likely culprits for this,
I find that the permission check for Deploy has an off-by-one
error where it tries to get the installation, but
passes the offset for the previous_ids parameter.

Closes: #2831
Approved by: matthiasclasen
2019-04-15 14:21:37 +00:00
Ryan Gonzalez
7185a00c85 transaction: Add end-of-lifed-with-rebase signal and add_rebase()
end-of-lifed-with-rebase runs earlier in the transaction system than end-of-lifed, meaning it can modify the transaction for rebasing.
The new flatpak_transaction_add_rebase() function can then be used to apply the rebase if wanted.

Closes: #2775
Approved by: alexlarsson
2019-04-12 08:59:35 +00:00
Umang Jain
081c3400b4 utils: Add backported version of g_hash_table_steal_extended
Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Alexander Larsson
04aece20a3 tests: Add system-norevokefs alternative to check fallback paths
Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Alexander Larsson
cd3028abd0 system-helper: Don't use the system user when running on the session bus
This makes it possible to test the revokefs codepaths with make check
as non-root.

Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Alexander Larsson
42e42ddc86 Pick up the right revokefs-fuse binary
In the normal case, pass the full LIBEXEC path, and in the tests,
pass the path via the env var FLATPAK_REVOKEFS_FUSE.

Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Umang Jain
cd53f71f9e revokefs-fuse: Add --with-exit-fd arg to monitor parent process's exit
This is necessary so as to not leave the revokefs backend around
when the system-helper exits abruptly (e.g. OOM killer). It would
be a vulnerability if revokefs backend continues to live even after
the system-helper is killed as it might lead to write access to the
underlying directory.

Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Umang Jain
c9d0705ae9 system-helper: Add CancelPull helper method
If there is a pull failure in a child repo created on revokefs-fuse
mount, there is no way to go back to the system helper and notify
it to cleanup. Therefore, CancelPull is required on the pull failure
error path, so that the ongoing pull can be cleaned up nicely and
prevent any dangling mounts and subprocesses.

Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Umang Jain
cad8d8a599 system-helper: Integrate --system pull with revokefs-fuse
This adds a new helper method "GetRevokefsFd" which is responsible
for spawning the backend part of the revokefs filesystem. It takes care
of creating a cache location for the backing directory in repo/tmp.
This cache location is transferred over D-Bus to the client with the
other end socket fd.

The client on receiving the socket fd creates a mountpoint directory and
spawns the revokefs-fuse filesystem. It then creates a child repo for the
pull. In any case of failure, it falls back on the current code path
(which causes temporary duplication of files on disk).

The backing dir itself and all files written to it by the revokefs-fuse
backend process are owned by the "flatpak" user. After the pull in the
child repo is completed, its ownership is then canonicalized with owner=root
and permissions as per bare-user-only in Deploy().

Now we have fulfilled all the criteria to hardlink the child repo into
the system one and avoid duplication. See [1].

If there is an existing cache directory available in repo/tmp, it will be
mounted using revokefs-fuse for the current pull. Hence, it is possible
to recover the previous partial pull which might have failed due to some
error.

[1] https://github.com/ostreedev/ostree/pull/1776

Closes: #2657
Approved by: alexlarsson
2019-04-09 09:18:15 +00:00
Matthew Leeds
e8816b7663 Remove extra newlines in variable definition blocks
Uncrustify has an option "nl_func_var_def_blk" which is supposed to
ensure there's a newline character between the block of variable
definitions and the rest of the function body, but it gets confused and
thinks that the first instance of "g_autoptr" or "g_auto" being used on
a variable is the start of the function body. So this commit removes
those extra newline characters and removes that option in uncrustify.cfg
so they don't get re-added the next time uncrustify is run.

Here's the command I used:

perl -0777 -i -pe 's/\n(\n\s*g_auto\()/\1/g' `git ls-tree --name-only
-r HEAD | grep \\\.[ch]$ | grep -v common/valgrind-private.h |
grep -v app/flatpak-polkit-agent-text-listener\\\.[ch]`

I ran it again with "g_autoptr" in place of "g_auto", and made a few
manual edits to add back the newline when the g_auto* was in the middle
of a function body rather than at the top.

Closes: #2715
Approved by: matthiasclasen
2019-02-25 18:12:30 +00:00
Matthew Leeds
8d962a686f Run uncrustify
I had to make a few manual edits but other than those the changes look
reasonable.

Closes: #2715
Approved by: matthiasclasen
2019-02-25 18:12:30 +00:00
Matthias Clasen
69d5692529 system-helper: Don't pass NULL for progress
When calling into FlatpakDir apis that take an
OstreeProgress, always pass a no-op instance,
never NULL.

Closes: #2468
Approved by: alexlarsson
2019-01-11 14:16:37 +00:00
Matthias Clasen
6abe5bef96 system-helper: Introduce a helper for errors
Be more systematic about returning FLATPAK_ERROR unmodified
and wrap everything else in a G_DBUS_ERROR_FAILED.

Closes: #2391

Closes: #2532
Approved by: alexlarsson
2019-01-11 12:50:56 +00:00
Matthias Clasen
9f06ec5775 Fix coverage for system helper and portal
These services were not generating coverage data
because they always get ended by GDBus raising
SIGTERM when the bus goes away. Prevent this by
telling GDBus not to do that, and let the services
exit regularly, on their own terms.

This makes the system helper code show up in the
coverage statistics.

Closes: #2530
Approved by: matthiasclasen
2019-01-08 02:10:35 +00:00
Alexander Larsson
9a37475e76 deploy-data: Prepare for versioning
This adds a version to the deploy data format, assuming that if
there is no version then it is 0. Also extends all loaders so that
it can specify a required version, with the goal that most users
are fine with old versions, but if you need more recent we have
a (costly) conversion process to upgrade (will be added later).

The library and the flatpak list/info commands require the most
current version for full info, all other users can use any version.

Also, as part of this we now pass the ref to flatpak_load_deploy_data()
as this will be needed later for the backwards compat support.

Closes: #2409
Approved by: alexlarsson
2018-12-19 15:45:35 +00:00
Matthias Clasen
ce8d976af2 system-helper: Plug a small memory leak
g_variant_loop only takes care of memory handling if
you don't jump out of the loop.

Closes: #2371
Approved by: alexlarsson
2018-12-18 14:50:26 +00:00
Matthew Leeds
6e42104020 system-helper: Fix an outdated comment
2018-12-10 22:04:37 -08:00
Matthew Leeds
3c43771d06 system-helper: Fix a seg fault on Deploy
The first element put in the variant created by
flatpak_dir_system_helper_call_deploy() is the repo path, but this is
being treated as the installation ID in
flatpak_authorize_method_handler(), which results in a seg fault when
dir_get_system() returns NULL and this NULL is passed to
dir_ref_is_installed(). Fix the seg fault by getting the correct element
from the variant.

Closes: #2411
Approved by: matthiasclasen
2018-12-09 07:09:49 +00:00
Matthias Clasen
9826622f6e Fix a policy mismatch
We added metadata-update to the PolicyKit policy,
but made the system-helper user update-metadata.
Oops

Closes: #2399
Approved by: mwleeds
2018-12-07 20:05:44 +00:00
Matthias Clasen
4fe9fbe2be system-helper: Strip polkit errors before sending them on
We shouldn't put the unsightly dbus error wrapping in the
UI. The client already strips the wrapping from the system
helper call, but it can't strip the second level itself.

Closes: #2399
Approved by: mwleeds
2018-12-07 20:05:44 +00:00
Matthias Clasen
86c10e36df Fix a parameter type mismatch
GVariant doesn't take it lightly when you are trying to extract
an ay value with an s format. This was causing critical warnings.

Closes: #2393
Approved by: alexlarsson
2018-12-07 08:01:36 +00:00
Matthias Clasen
e14af35207 system-helper: Centralize pid-setting
There was a bunch of handle methods which forgot to do
this manually, so call the flatpak_dir_set_source_pid()
method right when we create the FlatpakDir object.

Closes: #2384
Approved by: alexlarsson
2018-12-06 14:47:58 +00:00
Matthias Clasen
2089701206 system helper: Don't rely on the caller for updates
The Deploy method takes an 'update' flag from the caller
and picked the permission to check based on that, which
is not safe. Instead, we can check ourselves if the ref
we are given is already installed (in which case it is
an update, or a reinstall).

After this change, the update flag is ignored by the
system helper.

Closes: #2384
Approved by: alexlarsson
2018-12-06 14:47:58 +00:00
Matthias Clasen
21f845c1a7 Revise polkit messages again
I realized that these messages are a bit confusing, with
keep permissions and implications. We end up asking a
question about one ref, but then use the permission we obtained
to operate on other refs. This will get a bit worse with
the new hints, so go back to more generic messages that
don't talk about the details. The ultimate goal here is
fewer messages, anyway.

Closes: #2384
Approved by: alexlarsson
2018-12-06 14:47:58 +00:00
Matthias Clasen
a2f57f64fd Add flags that allow to 'upgrade' permissions
This is to avoid multiple polkit dialogs, regardless
of transaction ordering.

FlatpakTransaction calculates the 'strongest' op it has,
and passes the hints accordingly. FlatpakInstallation
doesn't pass hints, since it does individual operations.

The system helper uses the hints to determine which PolicyKit
permission to request. Since the policy typically has 'keep'
set, this means that the following operations in the same
transaction will be able to reuse the permission obtained
for the first one.

Closes: #2384
Approved by: alexlarsson
2018-12-06 14:47:57 +00:00
Matthias Clasen
c148c7eeec system-helper: Allow non-interactive tasks
Add a new 'no-interaction' flag to all system-helper methods
that have flags, and don't allow polkit user interaction if
it is set. This will let tools like GNOME Software do automatic
updates in the background without interrupting the user with dialogs.

For methods that don't have flags, we always allow user interaction.

Closes: #2367
Approved by: alexlarsson
2018-12-05 10:16:22 +00:00
Matthew Leeds
feb7552a82 system-helper: Fix a copy paste error
2018-12-04 22:29:42 -08:00
Matthias Clasen
4c26a0d867 fix a few oversights in the recent system-helper change
1ba30f7ef1 introduced flags to system-helper methods
missing them, but some places were overlooked. This makes
the testsuite pass again.
2018-12-04 21:09:09 -05:00
Matthias Clasen
f325d5f9fb Add an update-metadata action to the polkit policy
This action is used for UpdateSummary, GenerateOciSummary and
when updating the ostree-metadata branch.

Closes: #2383
Approved by: alexlarsson
2018-12-04 15:16:49 +00:00
Matthias Clasen
49ed514ac3 Add imply annotations to the polkit policy
Arrange things so that

app-install > app-update > runtime-install > runtime-update
app-uninstall > runtime-uninstall

Closes: #2383
Approved by: alexlarsson
2018-12-04 15:16:49 +00:00
Matthias Clasen
1ba30f7ef1 system-helper: Add flags to all methods
Some methods were missing a flags argument. This
will be a problem in the future, when we want to
pass a no-interaction flag to all methods. Therefore,
add an empty flags enum for every method that is lacking
one now.

This is an api change for the system-helper interface.

Closes: #2370
Approved by: alexlarsson
2018-12-03 12:52:17 +00:00
Matthias Clasen
a45029907e Bump the system helper interface version
We've added a new method, so bump the version.

Closes: #2369
Approved by: matthiasclasen
2018-12-02 00:36:26 +00:00
Alexander Larsson
0b6a66013c OCI: Use system helper to generate summary for OCI remotes
The OCI support relies on downloading a json index and converting it
to an ostree-style summary, which we then use in all sorts of operations
in the client code. Currently this happens in the user code, which means
that it will fail (due to permissions) in the system installation case.

We could do the conversion as the user, but when eventually installing
something the system-helper will anyway do this download and
conversion, so that would only double the work and risk things going out
of sync. Also, the OCI index is not gpg signed, so we can't rely on
downloads done as the user.

So, the solution done here is to add a GenerateOciSummary
system-helper call which we use instead of directly generating the
oci summary.

This fixes https://github.com/flatpak/flatpak/issues/2350

Closes: #2363
Approved by: matthiasclasen
2018-12-01 00:16:08 +00:00
Matthew Leeds
701602c6ca system-helper: Use modify-repo action for metadata updates
Currently by an accident of history when the system-helper is asked to
deploy updates to the repo metadata (stored on the ref
"ostree-metadata") it uses the polkit action
org.freedesktop.Flatpak.runtime-install since the ref doesn't start with
"app/" and is therefore assumed to be a runtime. This of course doesn't
make much sense, so this commit redirects such invocations of the
"Deploy" method to the "modify-repo" action, which is a bit of a
catch-all of things the system-helper should be allowed to do. It
doesn't seem necessary to split this out into its own action, since
sysadmins probably don't need the ability to break Flatpak's expected
functionality by disabling it. See the PR for more discussion.

Fixes https://github.com/flatpak/flatpak/issues/2328

Closes: #2351
Approved by: matthiasclasen
2018-11-30 01:08:40 +00:00
Matthew Leeds
b351b1ffd9 system-helper: Correct polkit message for modify-repo
Originally the modify-repo action was only used by the RemoveLocalRef
method, which has "remote" and "ref" parameters, but now other methods
use it which don't have such parameters. So this commit modifies
flatpak_authorize_method_handler() so that we're not trying to pass
information along to polkit that we might not have, and modifies the
message shown by polkit to be more accurate.

Closes: #2351
Approved by: matthiasclasen
2018-11-30 01:08:40 +00:00
Philip Withnall
0ffcd5e57f system-helper: Add default return at end of polkit rules
This is not a functional change: the default return value is equivalent
to polkit.Result.NOT_HANDLED. However, this makes the behaviour more
obvious.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #2354
Approved by: matthiasclasen
2018-11-29 23:12:16 +00:00
Philip Withnall
4a1c11dba9 dir: Factor out code to load AppStream cache for a remote
This is currently only used in the ‘search’ built-in command, but will
need to be used in upcoming parental controls filtering changes in
Endless OS (which will go upstream eventually) too.

This introduces no functional changes.

The CFLAGS/LIBADD changes are necessary because of the new
AppStream #includes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #2296
Approved by: matthiasclasen
2018-11-12 13:13:09 +00:00
Matthias Clasen
add199a1f9 Amend the policy comments further
As pointed out in #1269, we also install polkit rules
which affect this.

Closes: #2287
Approved by: matthiasclasen
2018-11-06 11:38:13 +00:00
Matthias Clasen
0a9a6abdf7 Update polkit policy descriptions
Update the user-visible messages to include some of
the details that are available. An informed user is
a happy user.

String change!

Closes: #2287
Approved by: matthiasclasen
2018-11-06 11:38:13 +00:00
Matthias Clasen
cac9167558 Correct polkit policy comments
Make the security comments for our polkit rules match
the actual defaults.

Closes: #2287
Approved by: matthiasclasen
2018-11-06 11:38:13 +00:00
Umang Jain
34fd118bd9 system-helper: Rename variables for clarity
Closes: #2270
Approved by: matthiasclasen
2018-10-23 20:22:37 +00:00
Matthias Clasen
1134e28400 system helper: Set the source pid
We add the caller's pid as OBJECT_PID to our journal
entries, which causes journald to add a number of useful
fields, such as the user and binary on whose behalf we
are acting.
2018-10-11 14:51:51 +02:00
Robert McQueen
060322b50b system-helper: set IO class to idle
Our benchmarks show this significantly reduces the interactivity impact of
ongoing Flatpak operations while the user is continuing other tasks on the
system. The effect is very pronounced with the default CFQ scheduler, and in
combination with BFQ, using the idle class improves the worst case to nearly
the same as an unloaded system.

Closes: #2071
Approved by: alexlarsson
2018-09-04 10:56:35 +00:00
Alexander Larsson
0307afd5f2 Fix hang in system-helper::DeployAppstream for OCI
When deploying the appstream for an OCI remote we actually pull the
http remote. This triggers some libsoup code that recurses the default
mainloop. As this happens off the main thread we can get the response
back on the wrong thread, causing us to never send the reply
back, hanging the call.

Closes: #2010
Approved by: alexlarsson
2018-08-26 09:29:39 +00:00
Matthew Leeds
fb989a62a1 common: Add and use FLATPAK_ERROR_DOWNGRADE
This will be useful in distinguishing downgrade errors from other
errors, which I'll need in the next commit.

Closes: #1965
Approved by: alexlarsson
2018-08-20 06:58:01 +00:00
Owen W. Taylor
8fe9bf4d86 Look at all refs when verifying a ref for flatpak-system-helper
The normal behavior where we only list already installed refs for
a noenumerate remote doesn't work for the case where flatpak-system-helper
verifies a ref on an OCI server during installation - in that case, the
ref being installed to does not *yet* exist locally.
2018-08-13 11:23:28 +02:00