Add '--usb' and '--nousb' to the FlatpakContext option group.
Map these parameters to either the enumarable list, or the hidden
list, of a new "USB Devices" group in the metadata key file. It looks
like this:
```
[USB Devices]
hidden-devices=cls:01:*;
enumerable-devices=vnd:0fd9+dev:0080;vnd:0fd9+dev:0080;
```
Flatpak itself does not use these values, they're meant to be used
by e.g. XDG Desktop Portal to filter which devices the app can see
through the USB portal.
Hidden devices must always take precedence over enumerable devices.
This is heavily inspired by https://github.com/flatpak/flatpak/pull/4083
Co-Authored-By: Georges Basile Stavracas Neto <georges.stavracas@gmail.com>
Co-Authored-By: Ryan Gonzalez <rymg19@gmail.com>
Signed-off-by: Hubert Figuière <hub@figuiere.net>
The systemd Desktop Environments conventions for cgroup names is
app[-<launcher>]-<ApplicationID>[@<RANDOM>].service
where RANDOM should ensure that multiple instances of the application
can be launched. Currently flatpak uses the PID of itself but the
instance fullfills this convention and is a bit more useful for matching
the cgroup to a flatpak instance.
For historical reasons g_qsort_with_data() "only" works with up to 2**31
items, so it won't necessarily work for pathologically large arrays
and therefore is deprecated.
One advantage of g_qsort_with_data() and its replacement g_sort_array()
is that GLib guarantees that they are a stable sort (will not permute
items that already compare equal), which is not a guarantee for glibc's
qsort() and qsort_r(). However, I don't think it's actually relevant
whether we are doing a stable sort in any of these places: most of the
time we are sorting an array of unique items (often the keys of a hash
table, which are necessarily unique), therefore the compare function
will not compare equal in any case.
Another advantage of the GLib functions is that they are portable,
unlike qsort_r(). However, Flatpak is Linux-only, so we can freely use
useful functions like qsort_r().
Signed-off-by: Simon McVittie <smcv@collabora.com>
When iterating more than one group, the variable got clobbered.
Narrowing their scope helps.
This was triggered installing an Inkscape test build
Signed-off-by: Hubert Figuière <hub@figuiere.net>
KDE krunner supports DBus plugins that allow search completion
comparable to the already supported gnome-shell searchprovider.
Exporting the contents of the runner directory enables us to enable
search results from within flatpack applications.
We now resolve the zoneinfo and always make it available at
/usr/share/zoneinfo in the sandbox so we unset TZDIR to get flatpak apps
looking at the right directory.
We seem to have no interest in the specific error, as we are using it
locally just to "return". So there's no point in having the error in
the first place. In consequence, the error is only used in the loop
and can be declared locally to it.
This is more compliant with FHS specification. Most notably, /etc
is not appropriate to hold distro configuration, which is a common
use for the remotes.d feature. It is better practice to put things
under /usr/share, and let the system administrator modify /etc to
their will, of course giving them priority.
Update documentation to reflect this change.
In the process, move to use g_build_filename
Because flatpak_get_real_xdg_runtime_dir() return an allocated string
we have to return strduped.
Closeflatpak/flatpak#5920
Signed-off-by: Hubert Figuière <hub@figuiere.net>
This adds a new `usb` device in the list to grant access to the whole
USB bus. This is narrower than `all` and should be enough for
anything accessing the USB directly (i.e. using libusb or equivalent).
This doesn't grant access to synthesized devices, i.e those exposed
in `/dev` but using USB, including but not limited to USB serial, webcams,
hidraw, hid, sound.
Close#4405
Signed-off-by: Hubert Figuière <hub@figuiere.net>
This option allows the application (or subsandbox) to own the specified
name on the a11y bus. This will be useful for WebKit, that has a strict
security need that the Web processes cannot talk or see each other.
An alternative approach would be to make xdg-dbus-proxy permissions
modifiable at runtime, but that seems a lot riskier than this. Owning
a well known name based on the app id has proven to be a robust and
secure approach after all.
Every time we load something into the context, debug-log what it was.
Again, the more involved parts of this are skipped if debug logging is
disabled.
This will help to diagnose what is going on if the app metadata or the
command-line options are setting sandboxing parameters that break an app.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The more involved parts of this are skipped if debug logging is disabled.
This will help to diagnose what is going on when users have added
overrides that make their app not work as intended.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This can be used to disable code paths that assemble relatively
"expensive" debug information when debugging is not enabled.
It's activated by `flatpak -v -v`.
With a sufficiently modern GLib version, it also activates for
`G_MESSAGES_DEBUG=all` or `G_MESSAGES_DEBUG=flatpak`.
Signed-off-by: Simon McVittie <smcv@collabora.com>
GLib has optimizations for hash tables that are sets (conventionally
represented as key == value), and the APIs to work with such hash tables
are also slightly nicer, so use them instead of putting an arbitrary
constant string in the value.
Signed-off-by: Simon McVittie <smcv@collabora.com>
For historical reasons C string literals are officially of type `char *`,
but if we build with -Wwrite-strings, they are `const char *` as they
should be.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
parse_ref_file() cleared all its out params to NULL, with the exception
of collection_id_out. Make sure to clear this one as well to avoid
surprises in the future.
Fixes commit ae7d96037 that added collection ID support to flatpakref.
In some restrictive environments like Whonix, access to /sys/ is blocked by file
permissions (chmod 0700 /sys). Previously, Flatpak would give bwrap a
command-line that will fail altogether in these locked-down environments.
Instead, fall back to running the app with no access to these /sys
subdirectories.
The application will be unable to enumerate game controllers and similar
hardware devices in this situation, but that's the same limited functionality
that would be seen for a non-sandboxed application.
Resolves: https://github.com/flatpak/flatpak/issues/5138
Include flatpak-ref-utils-private.h explicitly in each remaining
module that needs it (mostly for FlatpakDecomposed).
Signed-off-by: Simon McVittie <smcv@collabora.com>
This further reduces circular dependencies: utils no longer has a
circular dependency with repo-utils or xml-utils.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The declaration was already in flatpak-ref-utils-private.h.
Fixes: 5dae1fc6 "Break out ref helper functions to separate file"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is a step towards removing the libostree dependency from
flatpak-utils, which should be one of the lowest-level components.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This breaks the circular dependency between flatpak-utils and flatpak-dir.
There is still a circular dependency between flatpak-dir and
flatpak-dir-utils, but I don't want to make flatpak-dir even larger.
Signed-off-by: Simon McVittie <smcv@collabora.com>
