* Fix function detection when using -Werror=return-type
(Resolves: flatpak/flatpak#5778)
* Add a fallback definition for G_PID_FORMAT
* Avoid warnings for g_steal_fd() when targeting older GLib
* Include <glib-unix.h> from glnx-backports.h
Signed-off-by: Simon McVittie <smcv@collabora.com>
We still only require a system xdg-dbus-proxy to be v0.1.0 or later,
although a newer release is recommended.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Every time we load something into the context, debug-log what it was.
Again, the more involved parts of this are skipped if debug logging is
disabled.
This will help to diagnose what is going on if the app metadata or the
command-line options are setting sandboxing parameters that break an app.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The more involved parts of this are skipped if debug logging is disabled.
This will help to diagnose what is going on when users have added
overrides that make their app not work as intended.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This can be used to disable code paths that assemble relatively
"expensive" debug information when debugging is not enabled.
It's activated by `flatpak -v -v`.
With a sufficiently modern GLib version, it also activates for
`G_MESSAGES_DEBUG=all` or `G_MESSAGES_DEBUG=flatpak`.
Signed-off-by: Simon McVittie <smcv@collabora.com>
GLib has optimizations for hash tables that are sets (conventionally
represented as key == value), and the APIs to work with such hash tables
are also slightly nicer, so use them instead of putting an arbitrary
constant string in the value.
Signed-off-by: Simon McVittie <smcv@collabora.com>
These are passed to non-const-correct APIs which still need a cast, but
at least we can declare the array in a way that reduces mistakes.
Signed-off-by: Simon McVittie <smcv@collabora.com>
For historical reasons C string literals are officially of type `char *`,
but if we build with -Wwrite-strings, they are `const char *` as they
should be.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessible to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
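The validation this commit describes, written up as an added example in C (not Flatpak's own code): it tolerates the deprecated leading `/` but flags it for a warning, rejects any `..` segment, and calls lstat() on each existing prefix so that a symlink placed under application control cannot redirect the persist bind mount. The function and result names are hypothetical, and `fixture_dir()` builds a constructed temporary directory containing one symlink for exercising the symlink case.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical result codes for this example; not Flatpak's own API. */
enum persist_check { PERSIST_OK, PERSIST_DOTDOT, PERSIST_SYMLINK, PERSIST_ERROR };
/* Validate one --persist path relative to the app's data directory: a leading '/'
 * is tolerated (deprecated spelling, flagged via *warn), any ".." segment is
 * rejected, and each existing prefix is lstat()ed so no symlink can redirect the mount. */
enum persist_check check_persist_path (const char *app_dir, const char *persist, bool *warn)
{
  char full[4096];
  struct stat st;
  const char *rel = persist;
  if (warn) *warn = false;
  while (*rel == '/')
    { rel++; if (warn) *warn = true; }
  for (const char *p = rel; *p != '\0'; )
    {
      const char *slash = strchr (p, '/');
      size_t len = slash ? (size_t) (slash - p) : strlen (p);
      if (len == 2 && p[0] == '.' && p[1] == '.')
        return PERSIST_DOTDOT;                /* never useful, only confusing */
      if (snprintf (full, sizeof full, "%s/%.*s", app_dir, (int) (p + len - rel), rel) >= (int) sizeof full)
        return PERSIST_ERROR;
      if (lstat (full, &st) == 0)
        { if (S_ISLNK (st.st_mode)) return PERSIST_SYMLINK; }
      else if (errno != ENOENT)
        return PERSIST_ERROR;                 /* ENOENT: it would simply be created */
      if (slash == NULL) break;
      p = slash + 1;
    }
  return PERSIST_OK;
}
/* Constructed fixture, not real app data: a temp dir holding one symlink
 * "escape" -> /tmp. Cached after the first call; returns NULL on failure. */
const char *fixture_dir (void)
{
  static char dir[] = "/tmp/persist-demo-XXXXXX", link[64];
  if (link[0] == '\0')
    {
      if (mkdtemp (dir) == NULL) return NULL;
      snprintf (link, sizeof link, "%s/escape", dir);
      if (symlink ("/tmp", link) != 0) { link[0] = '\0'; return NULL; }
    }
  return dir;
}
```

Calling `check_persist_path (fixture_dir (), "escape/save", &warn)` returns `PERSIST_SYMLINK`, while `"/.persist"` returns `PERSIST_OK` with `warn` set.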
We should do a new 1.16.x soon, but after releasing that, we certainly
won't have the resources to backport security fixes beyond 1.14.x.
Signed-off-by: Simon McVittie <smcv@collabora.com>
There are two places where we deliberately leak some memory. There are
some cases which look like leaks in libostree but it's not impossible
that we made a mistake in flatpak.
Two other cases seem like issues in flatpak that I couldn't figure out.
parse_ref_file() cleared all its out params to NULL, with the exception
of collection_id_out. Make sure to clear this one as well to avoid
surprises in the future.
Fixes commit ae7d96037 that added collection ID support to flatpakref.
In some restrictive environments like Whonix, access to /sys/ is blocked by file
permissions (chmod 0700 /sys). Previously, Flatpak would give bwrap a
command-line that will fail altogether in these locked-down environments.
Instead, fall back to running the app with no access to these /sys
subdirectories.
The application will be unable to enumerate game controllers and similar
hardware devices in this situation, but that's the same limited functionality
that would be seen for a non-sandboxed application.
Resolves: https://github.com/flatpak/flatpak/issues/5138