Following on from b8d8d80c61, add more environment variables used by
the Vulkan loader which expect paths to be provided.
These paths are typically referencing the host filesystem; if the user
is referencing paths only available in the sandbox, they can use --env
or overrides for them.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Similar to how b8d8d80c61 inhibited passthrough of environment
variables pointing the Vulkan loader towards a specific ICD, do the same
for the EGL paths used by libglvnd to discover the GL driver to use, as
well as for NVIDIA's EGLStream shim.
These paths are typically referencing the host filesystem; if the user
is referencing paths only available in the sandbox, they can use --env
or overrides for them.
Signed-off-by: Daniel Stone <daniels@collabora.com>
I don't think this env var makes much sense to pass into the sandbox
for similar reasons to LD_LIBRARY_PATH. Libraries from the host
just aren't relevant.
Users can still pass `--env=LD_PRELOAD=/foo` to use this functionality.
The release was prepared under embargo and it wasn't immediately obvious
which day it was going to be released, so I left out the release date
at the time.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Arguably bwrap should exit with status 127 if it can't find the
executable, but right now it exits 1, so we accept any nonzero status.
The implementation was correct, but the comment was wrong.
Fixes: 84984e49 "test-run: Add a reproducer for CVE-2024-32462"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This particular bwrap invocation cannot cause a sandbox escape because
the command to run is hard-coded, but it's more clearly correct if we
pass "--" to every bwrap invocation.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This particular bwrap invocation cannot cause a sandbox escape because
the command to run is hard-coded, but it's more clearly correct if we
pass "--" to every bwrap invocation.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This ensures that the command is not taken to be a bwrap option.
Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Otherwise, tests for OCI and the update portal fail with:
/usr/libexec/installed-tests/Flatpak/libtest.sh: line 611: FUSERMOUNT: unbound variable
Fixes: 2cb17b4e "Do not hard-code fusermount, add option or auto-detect instead"
Signed-off-by: Simon McVittie <smcv@collabora.com>
As of LLVM/Clang 18 and LLD18 linker with the -export-dynamic option compilation ends with an error:
cc: error: unknown argument: '-export-dynamic'
For GCC and the default compiler this is not a problem. The problem occurs in Clang/LLD 18.
Fix tested on Mandriva via 39f1c03e91
The transaction ops are a g_autolist(FlatpakTransactionOperation) which
means the list gets freed automatically. Calling g_list_free_full
without clearing the variable to NULL results in a double-free.
Closes: https://github.com/flatpak/flatpak/issues/5763
Fixes: 6e3cc82a ("Fix memory leaks")
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
This restores support for 'mixed' system locales where different locale
categories are configured with different languages. AccountsService
currently only includes the LC_MESSAGES language from the system locale.
Helps #5497
Otherwise, an out-of-bounds left shift can occur, as diagnosed by
UBSan here:
../../../../src/flatpak/common/flatpak-prune.c:387:14: runtime error: left shift of 253 by 24 places cannot be represented in type 'int'
Signed-off-by: Simon McVittie <smcv@collabora.com>
With older GLib, it's provided by libglnx, but with newer GLib, we need
to include the correct header.
Fixes: 7b1cd206 "Replace flatpak_close_fds_workaround() with g_fdwalk_set_cloexec()"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is best effort. There is a 2s timeout and if something fails
everything continues on.
This is called from flatpak_dir_run_triggers because it gets called
whenever we might have changes to the exported service files.
Fixes#3342
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
Add a basic test for the extraction of appdata name and summary values
that are displayed in the flatpak UI. Also use the new developer name
syntax in the test app. This tests the fix made in previous commit.
<developer_name> has been deprecated in favor of <developer> with a
<name> child. We need to ensure that this developer name isn't parsed
as the application name.
Fixes: #5700
The hard-coding is not appropriate. According to libfuse 3.0.0 release
notes: "The fusermount and mount.fuse binaries have been renamed to
fusermount3 and mount.fuse3 to allow co-installation of libfuse 2.x
and 3.x". Some distributions seem to install a symlink, but this is
not upstream's default behavior.
In addition, fusermount might be provided from non-distro sources. So
a build-time option takes precedence over auto-detection logic.
Fixes#5104Fixes#5694
As discussed in #5695, I think we're reaching a point where removing
Autotools is preferable to fixing it.
1.14.x continues to use Autotools, so platforms whose Meson version is
too old can stay on that branch until it becomes unsupported. We have
a very conservative Meson dependency (Ubuntu 20.04).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Before commits 97768cea and cb655ab3, we were upgrading GLib to a
post-Ubuntu-18.04 version before running tests, to work around a GLib
bug. We no longer need to do that now that we're running everything on
Ubuntu 20.04 or later.
Fixes: cb655ab3 "check.yml: remove glib260 ppa"
Signed-off-by: Simon McVittie <smcv@collabora.com>
