Commit Graph

6759 Commits

Author SHA1 Message Date
Simon McVittie
e19d3cdfa1 test-run: Add a reproducer for CVE-2024-32462
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-04-17 18:14:06 +01:00
Alexander Larsson
81abe2a37d When starting non-static command using bwrap use "--"
This ensures that the command is not taken to be a bwrap option.

Resolves: CVE-2024-32462
Resolves: GHSA-phv6-cpc2-2fgj
Signed-off-by: Alexander Larsson <alexl@redhat.com>
[smcv: Fix DISABLE_SANDBOXED_TRIGGERS code path]
[smcv: Make flatpak_run_maybe_start_dbus_proxy() more obviously correct]
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-04-17 18:13:39 +01:00
Simon McVittie
c87d8b25c6 Update translation files for 1.12.8 release
Signed-off-by: Simon McVittie <smcv@collabora.com>
1.12.8
2023-03-16 10:07:32 +00:00
Simon McVittie
b25c37e7ab Prepare v1.12.8
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:55:31 +00:00
Simon McVittie
3667641add Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:55:31 +00:00
Simon McVittie
de68092f7f run: Prevent TIOCLINUX ioctl, the same as TIOCSTI
The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.

This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.

CVE-2023-28100, GHSA-7qpw-3vjv-xrqp

Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
2023-03-16 09:55:31 +00:00
Ryan Gonzalez
872ba2db4c Reject paths given to --filesystem/--persist with special characters
There isn't much in the way of legit reasons for this, but it's a
potential security footgun when displaying the text.

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Co-authored-by: Simon McVittie <smcv@collabora.com>
2023-03-16 09:55:31 +00:00
Ryan Gonzalez
01ed14ced4 Ensure special characters in permissions and metadata are escaped
This prevents someone from placing special characters in order to
manipulate the appearance of the permissions list.

CVE-2023-28101, GHSA-h43h-fwqx-mpp8

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
2023-03-16 09:55:31 +00:00
Simon McVittie
ac9b91aa25 Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
2023-03-15 11:18:03 +00:00
Simon McVittie
977126ee01 build: Accept gpgme >= 1.8.0 as equivalent to gpgme-pthread
Before 1.8.0 (2016), gpgme used to have two different thread-safe builds,
one for use with POSIX-style pthread and one for use with GNU Portable
Threads (libpth), plus a non-thread-safe version. Since 1.8.0, this
complexity has gone away and there is only libgpgme, which is thread-safe.

In practice this meant that on modern distros since 2016, we would always
fail to detect gpgme via pkg-config and fall back to calling gpgme-config.

Library-specific -config scripts are generally considered problematic
for multiarch, multilib and cross-compiling, and the gpgme-config script
recently disappeared from GPGME's Debian packaging
(see https://bugs.debian.org/1022348 and https://bugs.debian.org/1023601),
so it's better if we can prefer to use pkg-config.

If gpgme >= 1.8.0 is not found, fall back to gpgme-pthread >= 1.1.8,
either discovered via pkg-config or via gpgme-config.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9b87e4c0d4)
(cherry picked from commit c8f3f0dc1a)
2023-03-15 11:12:20 +00:00
Debarshi Ray
bde48ebcf0 selinux: Permit read access to symbolic links in /var/lib/flatpak
Commit 8617ab0ad0 granted read and lock access to
/var/lib/flatpak but didn't cover symbolic links.  This explicitly
permits that to avoid running into SELinux denials.

https://bugzilla.redhat.com/show_bug.cgi?id=2071215
(cherry picked from commit 0329f657ee)
2022-11-10 12:46:45 +00:00
Philip Withnall
f9bbf22c74 flatpak-dir: Clean up temp deploy dir on failure of flatpak_dir_deploy()
This already happens for installs due to the cleanup path in
`flatpak_dir_deploy_install()`, but it doesn’t happen for other calls to
`flatpak_dir_deploy()`. Notably, during updates of already installed
apps.

Specifically, this means that if an app update is cancelled due to being
blocked by a parental controls policy, the temp deploy dir for that app
(such as
`~/.local/share/flatpak/app/com.corp.App/x86_64/stable/.somehex-XXXXXX`)
will be leaked. It will never be automatically cleaned up, as it’s not
in `/var/tmp` either.

Fix that by using `glnx_mkdtempat()` to create a scoped temporary
directory.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
(cherry picked from commit ce1829a703)
2022-11-10 12:43:30 +00:00
Phaedrus Leeds
2d10c8c641 common: Add missing error codes to GDBusErrorEntry array
These were mistakenly only added to flatpak-error.h

(cherry picked from commit bf37034663)
2022-07-26 14:11:08 -04:00
Debarshi Ray
00f82bc9d0 CI: Use CodeQL Action v2, not the deprecated v1
See:
https://github.blog/changelog/2022-04-27-code-scanning-deprecation-of-codeql-action-v1/

(cherry picked from commit 120322cb8f)
2022-06-30 16:25:29 +01:00
Phaedrus Leeds
bf9a72a3be Delete some unreachable ref-not-found code
flatpak_remote_state_lookup_ref() always sets the error to
FLATPAK_ERROR_REF_NOT_FOUND when it returns FALSE.

Found by coverity CID 1514265

(cherry picked from commit 12ebf8fd9a)
2022-06-27 10:04:20 -07:00
Debarshi Ray
399710ada1 selinux: Permit using systemd-userdbd
The systemd-userdbd service was added in systemd 245, which was
released in March 2020 and is available in RHEL 9.  Therefore, it's
safe to assume that the systemd_userdbd_stream_connect() SELinux
interface is also available on all relevant operating systems, unless
there's reason to believe otherwise.

https://bugzilla.redhat.com/show_bug.cgi?id=2071217
(cherry picked from commit 4965e5d076)
2022-06-09 20:45:00 +01:00
Debarshi Ray
83c318c43c selinux: Permit read access to /var/lib/flatpak
It's clearly quite important to have read access to /var/lib/flatpak
and it's contents.  This explicitly permits that to avoid running
into SELinux denials.

https://bugzilla.redhat.com/show_bug.cgi?id=2070741
(cherry picked from commit 8617ab0ad0)
2022-06-09 20:45:00 +01:00
Debarshi Ray
248b1f9ffe selinux: Let the system helper watch files inside $libexecdir
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and tries to set up an inotify(7) watch on it's own binary so
that it can exit when the binary is replaced.  This explicitly permits
it to do so to avoid running into SELinux denials.

The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
and is therefore used conditionally when defined.

[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
    https://github.com/fedora-selinux/selinux-policy/pull/1133

https://bugzilla.redhat.com/show_bug.cgi?id=2053634
(cherry picked from commit f8a9153d0e)
2022-06-09 20:45:00 +01:00
Debarshi Ray
cdfda66101 selinux: Let the system helper have read access to /etc/passwd
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and needs to be able to read /etc/passwd.  This explicitly
permits it to do so to avoid running into SELinux denials.

https://bugzilla.redhat.com/show_bug.cgi?id=2070350
(cherry picked from commit 002e4455d8)
2022-06-09 20:45:00 +01:00
Simon McVittie
9a6b71b626 Update localization files for release
Signed-off-by: Simon McVittie <smcv@collabora.com>
1.12.7
2022-03-14 17:32:08 +00:00
Simon McVittie
4ddb842169 Prepare v1.12.7
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-03-14 16:29:42 +00:00
Simon McVittie
81723d57fb Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-03-14 15:01:23 +00:00
Philip Withnall
9cba0b5ceb subprojects: Update variant-schema-compiler to bring in leak fixes
This brings in:
 * https://gitlab.gnome.org/alexl/variant-schema-compiler/-/merge_requests/13
 * https://gitlab.gnome.org/alexl/variant-schema-compiler/-/merge_requests/14
 * https://gitlab.gnome.org/alexl/variant-schema-compiler/-/merge_requests/15

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
(cherry picked from commit 9199a8efb6)
2022-03-14 14:01:04 +00:00
Simon McVittie
543b98c0bc NEWS: Update with 1.12.7 changes so far
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-03-14 13:29:54 +00:00
Simon McVittie
4ef2fa05d5 tests: Don't install tap-driver.sh in the installed-tests
This is specifically for running build-time tests in the Autotools build
system, and is not used when running installed-tests.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 597abdc585)
2022-03-14 13:29:17 +00:00
Simon McVittie
79df7151b6 dir: Consistently use relative paths for libostree subpaths
The subpath is resolved relative to the root of the commit, so we can
use either an absolute or a relative path interchangeably. When using
libostree < 2021.6 with GLib >= 2.71, absolute paths cause an assertion
failure here; that was a libostree bug and was fixed in 2021.6, but we
can interoperate with more versions by sticking to relative paths, and
there's no real reason to prefer absolute.

Resolves: https://github.com/flatpak/flatpak/issues/4805
Co-authored-by: Corentin Noël <corentin.noel@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2df1b1628c)
2022-03-14 13:21:27 +00:00
Simon McVittie
6196a7aa13 run: Allow remapping Xauthority entries for remote or forwarded X11
As with non-path-based AF_UNIX sockets, both of these are going to
require --share=network to be enabled, so print a warning if it isn't.
We don't automatically enable --share=network, because that elevates
the privileges of apps that would otherwise have entered a new network
namespace, but regular users of remote X11 can choose to enable it with
`flatpak run --share=network` or `flatpak override --share=network`.

Resolves: https://github.com/flatpak/flatpak/issues/397
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit db885e0542)
2022-03-10 09:41:08 -08:00
Simon McVittie
5d993be576 run: Handle X11 over local abstract or TCP sockets
If the filesystem-backed Unix socket (G_UNIX_SOCKET_ADDRESS_PATH) does
not exist, X11 clients can also use a Linux abstract Unix socket
(G_UNIX_SOCKET_ADDRESS_ABSTRACT), or even a TCP socket.

Both of these are going to require --share=network to be enabled, so
print a warning if it isn't. We don't automatically enable
--share=network, because that elevates the privileges of apps that would
otherwise have entered a new network namespace, but users can make it
work with `flatpak run --share=network` or
`flatpak override --share=network`.

When falling back to an abstract Unix socket or to a TCP socket, we
can't remap the display number to the fixed :99.0 that we normally use,
so adjust write_xauth() to be able to avoid doing that.

Resolves: https://github.com/flatpak/flatpak/issues/4702
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 1d81d61053)
2022-03-10 09:41:08 -08:00
Simon McVittie
1ab2631b57 run: Support parsing non-local X11 addresses
We still don't support rewriting XAUTHORITY for these, but at least we
understand them now.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 69f347e58a)
2022-03-10 09:41:08 -08:00
Simon McVittie
6bc97d5511 run: Treat DISPLAY=unix:42 the same as :42
xauth and xcb both treat this as a request to use AF_UNIX.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c3395a0e83)
2022-03-10 09:41:08 -08:00
Simon McVittie
15bd70808f run: Factor out parsing X11 displays into a helper function
This allows it to be unit-tested.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 18db8e8713)
2022-03-10 09:41:08 -08:00
Simon McVittie
17e9d429cf run: Avoid signed/unsigned comparison in Xauth handling
In practice, au_len comes from one of the length fields in an Xauth
struct, which are all of type unsigned short, so it cannot really be
negative; but if we passed a negative argument here, the comparisons
would not behave as intended. Use the more correct size_t.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2358d25684)
2022-03-10 09:41:08 -08:00
Simon McVittie
4a72b35be4 run: Improve const-correctness of Xauth code
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7efeb9ab62)
2022-03-10 09:41:08 -08:00
Simon McVittie
aa5db72e1c run: Avoid cast warning when built with -Wwrite-strings
We're not going to call XauDisposeAuth on local_xa, so it's OK to put
a "borrowed" constant string here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 39823be84f)
2022-03-10 09:41:08 -08:00
Simon McVittie
723ae9d5fa app: Make ALL_DIRS and STANDARD_DIRS imply OPTIONAL_REPO
It is already the case that when we are using ALL_DIRS, we always
combine it with OPTIONAL_REPO, meaning no need to populate empty
installations. ALL_DIRS is used for commands that iterate through all
known installations to enumerate apps/runtimes, such as `flatpak run`
and `flatpak list`; for these commands, it's reasonable to say that
if the installation does not have a libostree repository, then that's
equivalent to it having a libostree repository with no apps and no
runtimes. Make this happen automatically if forgotten.

For STANDARD_DIRS, we were inconsistent about this: `flatpak remote-list`
had OPTIONAL_REPO, but the other commands did not.
STANDARD_DIRS is used for `flatpak create-usb`, and for all the commands
that manipulate remotes.

For the commands that manipulate remotes, it seems reasonable to say
that if an installation has no libostree repository and we are unable
to create one, then that's equivalent to an installation with a
libostree repository but no remotes.

Similarly, for create-usb, an installation where we are unable to create
a libostree repository seems like it should be equivalent to an
installation whose libostree repository does not contain any of the
refs we are interested in.

Resolves: https://github.com/flatpak/flatpak/issues/4111
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 3f144d1e02)
2022-03-10 09:10:12 -08:00
Simon McVittie
acbd21cbb7 dir: Include repo path in error message if unable to create it
libostree makes heavy use of fd-based I/O, which has the disadvantage
that it is rarely obvious what path an error message is referring to.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d106384446)
2022-03-10 09:10:12 -08:00
Simon McVittie
7056f7b617 dir: Avoid polkit prompts for EnsureRepo in most CLI commands
If we are running a CLI command in the background, then EnsureRepo
might require authorization. Silently skip it if allow_empty was true,
as it is for commands that iterate through all repositories.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 48f40d4504)
2022-03-10 09:10:12 -08:00
Simon McVittie
6255938ee2 dir: Use system helper to create system repo if necessary
Previously, if /var/lib/flatpak didn't exist then we would use the
system helper to create and populate it, but if it existed and was empty,
we could only populate it if we had privileges. This led to errors from
libostree:

    Creating repo: mkdirat: Permission denied

The EnsureRepo method call is allowed by default for active local users,
so do this even if allow_empty is true: this will incorporate
/etc/flatpak/remotes.d into the repository, whether it is newly-created
or not. This makes a `flatpak search` work immediately, without having
to fetch metadata explicitly.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2489b915ef)
2022-03-10 09:10:12 -08:00
Simon McVittie
35ce090b9c dir: Factor out function to open the libostree repository
I'm about to add another caller for this.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 8537b3412a)
2022-03-10 09:10:12 -08:00
Simon McVittie
285aa88f4c dir: Factor out common code to call EnsureRepo on system helper
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 951b111d26)
2022-03-10 09:10:12 -08:00
Simon McVittie
5477f08eaa dir: Pass cancellable through to remote EnsureRepo call
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 15c1d4f8cb)
2022-03-10 09:10:12 -08:00
Guido Günther
f8e400738b Accept share/metainfo exports when installing
This is a combination of these two commits from the main branch:

build-finish: Export appstream metainfo into a single directory
(cherry picked from commit 766bf5f08a)
Export to share/metainfo not share/appdata
(cherry picked from commit 3c63cac8f9)

However this commit only allows the exports when deploying an
install/update, not when building a new Flatpak, so we avoid a warning
message but arguably don't add any new features to the stable branch.

Fixes https://github.com/flatpak/flatpak/issues/4800
2022-03-09 15:14:31 -08:00
Julian Orth
df2c099142 wayland: allow absolute path in WAYLAND_DISPLAY
If WAYLAND_DISPLAY starts with a '/', use it for the socket path as-is.
See [1].

[1]: d690712b7b/src/wayland-client.c (L1064-1095)

Signed-off-by: Julian Orth <ju.orth@gmail.com>
(cherry picked from commit aac1205d66)
2022-03-07 10:37:40 +01:00
Simon McVittie
3d67f4ec40 run: Interpret tcp: addresses for PulseAudio
Put the configured server address string in PULSE_SERVER if it appears
to be remote. This should be enough for apps that already have network
access via --share=network.

If remote access to a PulseAudio server has been selected but the app
does not already have the --share=network permission, we don't want to
add --share=network automatically, because that would open up the app's
access to network resources, perhaps unexpectedly. However, users of
this non-default configuration can use `flatpak run --share=network` or
`flatpak override --share=network` to open up that access if they
consider it to be safe enough.

Resolves: https://github.com/flatpak/flatpak/issues/3908
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ee418c1f20)
2022-03-07 10:32:06 +01:00
Phaedrus Leeds
e49f5289bc Update pofiles 1.12.6 2022-02-21 16:53:11 -08:00
Phaedrus Leeds
2fa0ac4c4b Bump version to 1.12.6 2022-02-21 16:53:11 -08:00
Phaedrus Leeds
07e8ceefe1 Update NEWS for release 2022-02-21 16:53:11 -08:00
Simon McVittie
841429b1f6 test-history: Skip test if we cannot read from the Journal
In some OS configurations, unprivileged users cannot read back messages
that they have written to the system log. This test cannot succeed if that
happens, so skip it.

In particular, if the Journal is only in-memory rather than persisted
to disk (as it was by default in Debian 10), then there are no per-user
Journal files, only a single system-wide Journal which requires privileges
to read.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 8b05f6b3 "Add a unit test for the history command"
(cherry picked from commit 0deb80efa8)
2022-02-21 16:44:44 -06:00
Phaedrus Leeds
0956357de1 dir: Add some precondition checks to repo_pull()
(cherry picked from commit af04ea669a)
2022-02-21 16:44:44 -06:00
Phaedrus Leeds
2700b43210 dir: Work around libostree partial pull bug
All the details of the bug are in:
https://github.com/ostreedev/ostree/pull/2549
https://github.com/flatpak/flatpak/issues/3479

This patch works around it by marking the commit we're about to pull
partial, so that if the .commit object exists in a staging directory
from a previous failed pull, it will not be erroneously considered a
complete commit, even by affected versions of libostree that don't have
the above patch. If for some reason the commit in the staging dir is
complete, libostree should harmlessly verify that and pull it in.

Usually the commit we are pulling does not already exist in the local
repo, but add a check anyway so we don't risk marking a complete commit
as partial, and so this works on the code path from
"flatpak install --reinstall ..."

Fixes #3479

(cherry picked from commit 11158c2481)
2022-02-21 16:44:44 -06:00