Each of these is only needed in one place, so move them there. This is
another step towards the utils module being the lowest-level.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The exports module doesn't actually need these, and this removes a
circular dependency: previously, exports both depended on and was
depended on by dir.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Following on from b8d8d80c61, add more environment variables used by
the Vulkan loader which expect paths to be provided.
These paths are typically referencing the host filesystem; if the user
is referencing paths only available in the sandbox, they can use --env
or overrides for them.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Similar to how b8d8d80c61 inhibited passthrough of environment
variables pointing the Vulkan loader towards a specific ICD, do the same
for the EGL paths used by libglvnd to discover the GL driver to use, as
well as for NVIDIA's EGLStream shim.
These paths are typically referencing the host filesystem; if the user
is referencing paths only available in the sandbox, they can use --env
or overrides for them.
Signed-off-by: Daniel Stone <daniels@collabora.com>
I don't think this env var makes much sense to pass into the sandbox
for similar reasons to LD_LIBRARY_PATH. Libraries from the host
just aren't relevant.
Users can still pass `--env=LD_PRELOAD=/foo` to use this functionality.
The release was prepared under embargo and it wasn't immediately obvious
which day it was going to be released, so I left out the release date
at the time.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Arguably bwrap should exit with status 127 if it can't find the
executable, but right now it exits 1, so we accept any nonzero status.
The implementation was correct, but the comment was wrong.
Fixes: 84984e49 "test-run: Add a reproducer for CVE-2024-32462"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This particular bwrap invocation cannot cause a sandbox escape because
the command to run is hard-coded, but it's more clearly correct if we
pass "--" to every bwrap invocation.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This particular bwrap invocation cannot cause a sandbox escape because
the command to run is hard-coded, but it's more clearly correct if we
pass "--" to every bwrap invocation.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This ensures that the command is not taken to be a bwrap option.
Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
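The "--" fix above is about argument parsing: a wrapper that forwards a caller-supplied command must end its own option list explicitly, or a command name that happens to start with "-" is consumed as an option. The following is an added illustration written for this page, not flatpak's or bubblewrap's code; it uses a hypothetical wrapper, parse_wrapper_args(), with a single "-v" option and glibc getopt, and the argv arrays are constructed inputs.

```c
#include <getopt.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical wrapper (not bwrap): its own options come first, then the
 * command to run. Returns the argv index of the command, or -1 when the
 * arguments could not be parsed or no command was given. */
int parse_wrapper_args(int argc, char *const argv[], int *verbose)
{
    int c;

    *verbose = 0;
    optind = 1;   /* reset glibc getopt state so this can be called repeatedly */
    opterr = 0;   /* do not print diagnostics for unknown options */

    /* Leading '+' requests POSIX ordering: stop at the first non-option. */
    while ((c = getopt(argc, argv, "+v")) != -1) {
        if (c == 'v')
            *verbose = 1;
        else
            return -1;   /* unknown option: refuse rather than guess */
    }
    return optind < argc ? optind : -1;
}

/* Constructed scenario: the command name begins with '-' and no "--" is
 * passed, so getopt treats it as an (unknown) option and parsing fails. */
int command_index_without_separator(void)
{
    char *const argv[] = { "wrap", "-h", NULL };
    int verbose;
    return parse_wrapper_args(2, argv, &verbose);   /* -1 */
}

/* Same command, but "--" terminates option parsing first, so the command
 * is found at index 2 regardless of how it is spelled. */
int command_index_with_separator(void)
{
    char *const argv[] = { "wrap", "--", "-h", NULL };
    int verbose;
    return parse_wrapper_args(3, argv, &verbose);   /* 2 */
}

/* Wrapper options still work in front of the separator. */
int command_index_with_flag_and_separator(void)
{
    char *const argv[] = { "wrap", "-v", "--", "-h", NULL };
    int verbose;
    int idx = parse_wrapper_args(4, argv, &verbose);
    return verbose == 1 ? idx : -1;   /* 3 */
}

int main(void)
{
    printf("without --: %d\n", command_index_without_separator());
    printf("with    --: %d\n", command_index_with_separator());
    printf("-v and  --: %d\n", command_index_with_flag_and_separator());
    return 0;
}
```

The point for a caller is the same one the commit message makes: always emit "--" before the forwarded command, even when today's command is hard-coded, so that the safety does not depend on what the command happens to be called.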
Otherwise, tests for OCI and the update portal fail with:
/usr/libexec/installed-tests/Flatpak/libtest.sh: line 611: FUSERMOUNT: unbound variable
Fixes: 2cb17b4e "Do not hard-code fusermount, add option or auto-detect instead"
Signed-off-by: Simon McVittie <smcv@collabora.com>
As of LLVM/Clang 18 and the LLD 18 linker, compilation with the -export-dynamic option ends with an error:
cc: error: unknown argument: '-export-dynamic'
For GCC and the default compiler this is not a problem. The problem occurs in Clang/LLD 18.
Fix tested on Mandriva via 39f1c03e91
The transaction ops are a g_autolist(FlatpakTransactionOperation) which
means the list gets freed automatically. Calling g_list_free_full
without clearing the variable to NULL results in a double-free.
Closes: https://github.com/flatpak/flatpak/issues/5763
Fixes: 6e3cc82a ("Fix memory leaks")
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
This restores support for 'mixed' system locales where different locale
categories are configured with different languages. AccountsService
currently only includes the LC_MESSAGES language from the system locale.
Helps #5497
Otherwise, an out-of-bounds left shift can occur, as diagnosed by
UBSan here:
../../../../src/flatpak/common/flatpak-prune.c:387:14: runtime error: left shift of 253 by 24 places cannot be represented in type 'int'
Signed-off-by: Simon McVittie <smcv@collabora.com>
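The UBSan message above is the classic signature of assembling a big-endian integer from bytes with plain int arithmetic: a byte such as 253 is promoted to int, and shifting it by 24 places lands in the sign bit, which is undefined behaviour. The snippet below is an added example for this page, not the code in flatpak-prune.c; read_be32() and demo_high_byte() are hypothetical names, and the byte arrays are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assemble a 32-bit big-endian value from four bytes.
 * A buggy shape, not used here, would be
 *     (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]
 * where buf[0] is promoted to a signed int before the shift. Widening each
 * byte to uint32_t first keeps the whole computation in unsigned arithmetic,
 * where shifting into the top bit is well defined. */
uint32_t read_be32(const unsigned char *buf)
{
    return ((uint32_t) buf[0] << 24) |
           ((uint32_t) buf[1] << 16) |
           ((uint32_t) buf[2] << 8)  |
           ((uint32_t) buf[3]);
}

/* Constructed input: the leading byte 253 (0xfd) is the value from the
 * UBSan report, i.e. a byte with the high bit set. */
uint32_t demo_high_byte(void)
{
    static const unsigned char bytes[4] = { 253, 0x01, 0x02, 0x03 };
    return read_be32(bytes);   /* 0xfd010203 */
}

int main(void)
{
    printf("0x%08x\n", demo_high_byte());
    return 0;
}
```

Compiling with -fsanitize=undefined is the cheap way to catch the int-promotion variant: the sanitizer reports exactly the "left shift of N by 24 places cannot be represented in type 'int'" line quoted above the first time a byte of 128 or more is read.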
With older GLib, it's provided by libglnx, but with newer GLib, we need
to include the correct header.
Fixes: 7b1cd206 "Replace flatpak_close_fds_workaround() with g_fdwalk_set_cloexec()"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is best effort. There is a 2s timeout and if something fails
everything continues on.
This is called from flatpak_dir_run_triggers because it gets called
whenever we might have changes to the exported service files.
Fixes #3342
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>