Add support for `oci-archive:` image sources by temporarily
unpacking the archive using libarchive.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Similar to bundle installs, add:
flatpak install [--image] docker://registry.example.com/image:latest
flatpak install [--image] oci:/path/to/image
These is useful for testing purposes and in certain cases when installing
Flatpaks on disconnected systems.
Docker and podman can be configured to use mutual TLS authentication
to the registry by dropping files into system-wide and user
directories. Implement this in a largely compatible way.
(Because of the limitations of our underlying libraries, we
can't support multiple certificates within the same host config,
but I don't expect anybody actually needs that.)
The certs.d handling is extended so that certificates are separately
looked up when downloading the look-aside index. This is mostly
to simplify our tests, so we can use one web server for both -
in actual operation, we expect the indexes to be unauthenticated.
Also for testing purposes, FLATPAK_CONTAINER_CERTS_D is supported
to override the standard search path.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Now that we read remotes from $datadir/flatpaks/remotes.d as well as
/etc/flatpaks/remotes.d, we should have a mechanism to redirect this, as
we do for almost all other filesystem path locations.
To avoid an explosion of new variables, we introduce FLATPAK_DATA_DIR to
represent configuration that ships with the operating system.
This is useful:
- To fix sandboxing of tests
- When installing using flatpak into a chroot, so that we read
the chroot's configuration rather than the host.
It also is used when reading triggers, but the current
FLATPAK_TRIGGERSDIR is left for compatibility.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Without this, "as-installed" tests via `ginsttest-runner` will fail,
for example in Debian's autopkgtest framework.
Fixes: 1d56bd37 "context: Implement device lists for usb"
Signed-off-by: Simon McVittie <smcv@debian.org>
Add '--usb' and '--nousb' to the FlatpakContext option group.
Map these parameters to either the enumarable list, or the hidden
list, of a new "USB Devices" group in the metadata key file. It looks
like this:
```
[USB Devices]
hidden-devices=cls:01:*;
enumerable-devices=vnd:0fd9+dev:0080;vnd:0fd9+dev:0080;
```
Flatpak itself does not use these values, they're meant to be used
by e.g. XDG Desktop Portal to filter which devices the app can see
through the USB portal.
Hidden devices must always take precedence over enumerable devices.
This is heavily inspired by https://github.com/flatpak/flatpak/pull/4083
Co-Authored-By: Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
Co-Authored-By: Ryan Gonzalez <rymg19@gmail.com>
Signed-off-by: Hubert Figuière <hub@figuiere.net>
For historical reasons g_qsort_with_data() "only" works with up to 2**31
items, so it won't necessarily work for pathologically large arrays
and therefore is deprecated.
One advantage of g_qsort_with_data() and its replacement g_sort_array()
is that GLib guarantees that they are a stable sort (will not permute
items that already compare equal), which is not a guarantee for glibc's
qsort() and qsort_r(). However, I don't think it's actually relevant
whether we are doing a stable sort in any of these places: most of the
time we are sorting an array of unique items (often the keys of a hash
table, which are necessarily unique), therefore the compare function
will not compare equal in any case.
Another advantage of the GLib functions is that they are portable,
unlike qsort_r(). However, Flatpak is Linux-only, so we can freely use
useful functions like qsort_r().
Signed-off-by: Simon McVittie <smcv@collabora.com>
KDE krunner supports DBus plugins that allow search completion
comparable to the already supported gnome-shell searchprovider.
Exporting the contents of the runner directory enables us to enable
search results from within flatpack applications.
In context of the previous commit, this allows Flatpak apps to spawn
subsandboxes with `--a11y-own-name=DBUS_NAME`, where `DBUS_NAME` must
have the app id as prefix.
For example, `org.webkitgtk.MiniBrowser` would be able to spawn a Web
process using the Flatpak portal, and by passing
`org.webkitgtk.MiniBrowser.Sandboxed.WebProcess0`, this Web process
would be able to own this name in the a11y bus. This allows the Web
process and the main WebKit process to connect their a11y trees across
sandboxes.
These are passed to non-const-correct APIs which still need a cast, but
at least we can declare the array in a way that reduces mistakes.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
There are two places where we deliberately leak some memory. There are
some cases which look like leaks in libostree but it's not impossible
that we made a mistake in flatpak.
Two other cases seem like issues in flatpak that I couldn't figure out.
I was trying to get the `flatpak` for Chimera Linux template to run
tests. However, due to Chimera Linux using core utilities based on
FreeBSD's, some stuff used in the test shell scripts didn't work there
and caused issues. While I eventually gave that endeavour up, I wanted
to upstream the upstreamable changes I had anyway.
Arguably bwrap should exit with status 127 if it can't find the
executable, but right now it exits 1, so we accept any nonzero status.
The implementation was correct, but the comment was wrong.
Fixes: 84984e49 "test-run: Add a reproducer for CVE-2024-32462"
Signed-off-by: Simon McVittie <smcv@collabora.com>
Otherwise, tests for OCI and the update portal fail with:
/usr/libexec/installed-tests/Flatpak/libtest.sh: line 611: FUSERMOUNT: unbound variable
Fixes: 2cb17b4e "Do not hard-code fusermount, add option or auto-detect instead"
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add a basic test for the extraction of appdata name and summary values
that are displayed in the flatpak UI. Also use the new developer name
syntax in the test app. This tests the fix made in previous commit.
The hard-coding is not appropriate. According to libfuse 3.0.0 release
notes: "The fusermount and mount.fuse binaries have been renamed to
fusermount3 and mount.fuse3 to allow co-installation of libfuse 2.x
and 3.x". Some distributions seem to install a symlink, but this is
not upstream's default behavior.
In addition, fusermount might be provided from non-distro sources. So
a build-time option takes precedence over auto-detection logic.
Fixes#5104Fixes#5694
As discussed in #5695, I think we're reaching a point where removing
Autotools is preferable to fixing it.
1.14.x continues to use Autotools, so platforms whose Meson version is
too old can stay on that branch until it becomes unsupported. We have
a very conservative Meson dependency (Ubuntu 20.04).
Signed-off-by: Simon McVittie <smcv@collabora.com>
flatpak_deploy_data_get_subpaths() returns a new array (of unowned
strings) and flatpak_dir_new_deploy_data() doesn't take ownership.
Signed-off-by: Simon McVittie <smcv@collabora.com>
g_option_context_add_group() takes ownership of the group that it's
given, so we can't also free it.
Fixes: fab0f8ed "test-context: Exercise some corner cases for merging filesystems"
Signed-off-by: Simon McVittie <smcv@collabora.com>
1. For security context creation, only relies on WAYLAND_DISPLAY, do not
use WAYLAND_SOCKET since the file descriptor defined by WAYLAND_SOCKET
can be only consumed once.
2. Due to the incompatiblity between WAYLAND_SOCKET and the security
context, add a new permission --socket=inherit-wayland-socket
to limit the usage of WAYLAND_SOCKET to an opt-in feature. Only when
this flag is set, WAYLAND_SOCKET will be passed to the sandbox.
3. When WAYLAND_SOCKET is not inherited, set FD_CLOEXEC to avoid it to
be leaked the to sandbox.
Closes: #5614
