This way we never get confused about which part of the argument
is the permission suffix, which could be exploitable if you can
control the --filesystem calls such as with sandboxed Spawns.
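An added illustration (not flatpak's own code) of the parsing rule the message describes: the path ends at the first unescaped `:`, a backslash escapes the next character, and whatever follows must be exactly one known mode, so a caller who controls the argument cannot shift where the permission suffix is read from.

```python
# Added illustration (not flatpak's own code) of parsing a
# --filesystem=PATH[:ro|:rw|:create] argument so that the permission
# suffix is never ambiguous: the path ends at the first unescaped ':',
# and a backslash escapes the next character ("\:" keeps a literal colon).
from typing import Tuple

FILESYSTEM_MODES = {"ro", "rw", "create"}


def parse_filesystem_arg(arg: str) -> Tuple[str, str]:
    """Return (path, mode); mode defaults to "rw" when no suffix is given."""
    path_chars = []
    i, n = 0, len(arg)
    while i < n:
        c = arg[i]
        if c == "\\":
            # Escape: keep the following character literally, ':' included.
            if i + 1 < n:
                path_chars.append(arg[i + 1])
            i += 2
            continue
        if c == ":":
            break  # first unescaped colon starts the suffix
        path_chars.append(c)
        i += 1
    path = "".join(path_chars)
    if not path:
        raise ValueError("empty filesystem path")
    if i >= n:
        return path, "rw"
    mode = arg[i + 1:]
    # Everything after the first unescaped ':' must be exactly one known
    # mode; "/x:rw:ro" is rejected instead of being split some other way.
    if mode not in FILESYSTEM_MODES:
        raise ValueError(f"unknown filesystem mode {mode!r} in {arg!r}")
    return path, mode


def is_valid_filesystem_arg(arg: str) -> bool:
    """True if the argument parses under the strict rule above."""
    try:
        parse_filesystem_arg(arg)
        return True
    except ValueError:
        return False
```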
This listens to org.freedesktop.portal.Flatpak and lets flatpak
sandboxes do flatpak specific things.
Initially this only allows access to "Spawn", which lets you start a
new copy of the current or latest version of the calling app,
optionally with sandboxing.
This allows the app to re-start itself with the latest version after
an update, and the sandboxing is useful for apps that want to manually
sandbox part of themselves.
You can also expose one or more subdirectories of
~/.var/app/$appid/sandbox/ to the app, read-write or read-only. This is
useful to communicate with the sandbox.
This runs the app in a very tight sandbox, with no access to anything
except /app and /run and some read-only host things like fonts and icons.
You can additionally add explicit permissions on the commandline,
like --share=network to actually grant some access.
This also sets $FLATPAK_SANDBOX_DIR to ~/.var/app/$appid/sandbox in the
environment.
This means if we undeploy something, but it's still in use, then
we can find it later. This is interesting because it lets
us re-find it for spawning an instance of the same version.
So, if you run your instance with e.g. flatpak run --filesystem=/some/dir
you can now see this. This will be useful in the restart yourself
portal as we can then inherit such permissions.
When uninstalling, if no specific installation was specified with e.g.
--user or --system, automatically choose any unique match, or error
out if there are multiple alternatives.
Fixes #1321
We currently auto-pick installation for update when you didn't pick
any specific one, so we should complete from all of them too.
Closes: #1537
Approved by: mwleeds
This uses the new ostree feature at:
https://github.com/ostreedev/ostree/pull/1496
Note, this will only work with the current ostree master,
and does nothing on older versions.
Closes: #1533
Approved by: mwleeds
This commit adds the collection ID (if any) to the "Can't find ref"
error message produced by flatpak_dir_pull_untrusted_local(). This makes
the message more helpful if for example you run `flatpak update` when
some of the remotes are configured with the wrong collection IDs. It
also changes the wording to be consistent with other similar errors.
Closes: #1521
Approved by: mwleeds
When a collection ID is set on a remote configuration,
gpg-verify-summary should be set to FALSE because flatpak uses signed
per-repo and per-commit metadata instead. The flatpak command line
already does this (use flatpak remote-modify --collection-id=... and
notice that gpg-verify-summary is then set to false). This commit
changes libflatpak to have the same behavior. Specifically, with a
collection ID set gpg-verify-summary is set to false and otherwise its
value matches that of gpg-verify. This commit also adds a test for this
in testlibrary.c.
Fixes https://github.com/flatpak/flatpak/issues/1479
Closes: #1501
Approved by: pwithnall
As per https://github.com/flatpak/xdg-desktop-portal/pull/166, an access
check to a non-existent file should succeed if the parent directory
exists, and we have write access to it, because we can then just create the
file. This is needed for the "save" file chooser portal.
Closes: #1488
Approved by: alexlarsson
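The rule from the commit above, as an added example (not flatpak's or xdg-desktop-portal's code): a check on a path that does not exist passes when the parent directory exists and is writable, since the caller can then create the file. It assumes the fallback only applies when write access is requested, because a missing file can never be read; `demo()` builds its own temporary directory so it runs offline.

```python
# Added example (not flatpak's own code): access check with a fallback for
# files that do not exist yet, as needed by a "save" file chooser.
import os
import tempfile


def can_access(path: str, mode: int) -> bool:
    """Like os.access(), but a missing file passes a write check when its
    parent directory exists and is writable (the file can be created)."""
    if os.access(path, mode):
        return True
    # Assumption: only write requests get the "can create it" fallback;
    # a dangling symlink counts as existing here and gets no fallback.
    if os.path.lexists(path) or not (mode & os.W_OK):
        return False
    parent = os.path.dirname(path) or "."
    # Creating an entry needs write + search permission on the parent.
    return os.path.isdir(parent) and os.access(parent, os.W_OK | os.X_OK)


def demo() -> dict:
    """Exercise the four cases in a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "present.txt")
        open(existing, "w").close()
        new_file = os.path.join(d, "new.txt")
        return {
            "existing_rw": can_access(existing, os.R_OK | os.W_OK),
            "new_in_writable_dir": can_access(new_file, os.W_OK),
            "new_read_only": can_access(new_file, os.R_OK),
            "missing_parent": can_access(os.path.join(d, "nodir", "x"), os.W_OK),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```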
We set the Flatpak-Ref http header to the ref we're pulling, thus
allowing the server to log this for per-ref download statistics, as
otherwise the ref being downloaded is not visible in the log (only
the commit id).
Closes: #1487
Approved by: alexlarsson
The remote-ls command should skip remotes that have "xa.disable" set to
true or have no URL set, which can happen for remotes added for flatpak
bundle files.
Fixes https://github.com/flatpak/flatpak/issues/1427
Closes: #1457
Approved by: alexlarsson
If the --show-details option is passed to the remotes command, show the
collection ID for each remote, which the user might need to know if
they're using flatpak's P2P support.
Closes: #1458
Approved by: alexlarsson
repo_pull_one_dir() and repo_pull_one_local_untrusted() used to only
support pulling one directory at a time, but now support more than one,
so rename them so the names are less misleading.
Closes: #1475
Approved by: alexlarsson
This isn't needed for servers and starting the a11y bus on a
fresh session bus takes upwards of 15 seconds.
Fixes #1471
Closes: #1486
Approved by: alexlarsson
Similarly to commit 272af0f8c, this commit makes sure the child repo
used by the system helper has an accurate summary file so it can be
pulled from. This time it's for the fetches of the ostree-metadata ref
and the appstream data.
This fixes a bug that occurs if a remote has a collection ID set and
uses the "branches" key as well. Under those conditions, `flatpak
remote-ls -d REMOTE` and `flatpak update --appstream REMOTE` can fail
with "Error pulling from repo: No summary found".
Until recently, the /ostree/repo/config in Endless contained a remote
that was shared between flatpak and ostree, which had "branches" set. So
that's a use case where this helps.
Fixes https://github.com/flatpak/flatpak/issues/1440
Closes: #1478
Approved by: pwithnall