I was trying to get the `flatpak` for Chimera Linux template to run
tests. However, due to Chimera Linux using core utilities based on
FreeBSD's, some stuff used in the test shell scripts didn't work there
and caused issues. While I eventually gave that endeavour up, I wanted
to upstream the upstreamable changes I had anyway.
Arguably bwrap should exit with status 127 if it can't find the
executable, but right now it exits 1, so we accept any nonzero status.
The implementation was correct, but the comment was wrong.
Fixes: 84984e49 "test-run: Add a reproducer for CVE-2024-32462"
Signed-off-by: Simon McVittie <smcv@collabora.com>
Otherwise, tests for OCI and the update portal fail with:
/usr/libexec/installed-tests/Flatpak/libtest.sh: line 611: FUSERMOUNT: unbound variable
Fixes: 2cb17b4e "Do not hard-code fusermount, add option or auto-detect instead"
Signed-off-by: Simon McVittie <smcv@collabora.com>
Add a basic test for the extraction of appdata name and summary values
that are displayed in the flatpak UI. Also use the new developer name
syntax in the test app. This tests the fix made in previous commit.
The hard-coding is not appropriate. According to libfuse 3.0.0 release
notes: "The fusermount and mount.fuse binaries have been renamed to
fusermount3 and mount.fuse3 to allow co-installation of libfuse 2.x
and 3.x". Some distributions seem to install a symlink, but this is
not upstream's default behavior.
In addition, fusermount might be provided from non-distro sources. So
a build-time option takes precedence over auto-detection logic.
Fixes #5104
Fixes #5694
As discussed in #5695, I think we're reaching a point where removing
Autotools is preferable to fixing it.
1.14.x continues to use Autotools, so platforms whose Meson version is
too old can stay on that branch until it becomes unsupported. We have
a very conservative Meson dependency (Ubuntu 20.04).
Signed-off-by: Simon McVittie <smcv@collabora.com>
flatpak_deploy_data_get_subpaths() returns a new array (of unowned
strings) and flatpak_dir_new_deploy_data() doesn't take ownership.
Signed-off-by: Simon McVittie <smcv@collabora.com>
g_option_context_add_group() takes ownership of the group that it's
given, so we can't also free it.
Fixes: fab0f8ed "test-context: Exercise some corner cases for merging filesystems"
Signed-off-by: Simon McVittie <smcv@collabora.com>
1. For security context creation, only rely on WAYLAND_DISPLAY, do not
use WAYLAND_SOCKET since the file descriptor defined by WAYLAND_SOCKET
can only be consumed once.
2. Due to the incompatibility between WAYLAND_SOCKET and the security
context, add a new permission --socket=inherit-wayland-socket
to limit the usage of WAYLAND_SOCKET to an opt-in feature. Only when
this flag is set, WAYLAND_SOCKET will be passed to the sandbox.
3. When WAYLAND_SOCKET is not inherited, set FD_CLOEXEC to avoid it
being leaked to the sandbox.
Closes: #5614
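
The descriptor handling described in points 2 and 3 above, as an added example that is not Flatpak's own code: the function name `prepare_wayland_socket` and its return-code convention are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not Flatpak's code. Decides what happens to the fd
 * named by WAYLAND_SOCKET before the sandboxed child is exec'd.
 * Returns the fd to pass on, -1 if nothing is passed on, or -2 if the
 * variable is set but does not name an open descriptor. */
int prepare_wayland_socket (bool inherit_wayland_socket)
{
  const char *value = getenv ("WAYLAND_SOCKET");
  char *end = NULL;
  long fd;
  int flags;

  if (value == NULL || *value == '\0')
    return -1;

  errno = 0;
  fd = strtol (value, &end, 10);
  if (errno != 0 || *end != '\0' || fd < 0 || fd > INT_MAX)
    return -2;

  flags = fcntl ((int) fd, F_GETFD);
  if (flags < 0)
    return -2;   /* the number does not refer to an open descriptor */

  if (inherit_wayland_socket)
    {
      /* Opt-in: the descriptor must survive exec to reach the sandbox. */
      if (fcntl ((int) fd, F_SETFD, flags & ~FD_CLOEXEC) < 0)
        return -2;
      return (int) fd;
    }

  /* Default: close-on-exec, so the descriptor is not leaked to the sandbox. */
  if (fcntl ((int) fd, F_SETFD, flags | FD_CLOEXEC) < 0)
    return -2;
  return -1;
}

int main (void)
{
  printf ("fd passed to sandbox: %d\n", prepare_wayland_socket (false));
  return 0;
}
```
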
Before the previous commit, this would normally work, but would fail if
we had FLATPAK_TEST_COVERAGE=1 in the environment.
Signed-off-by: Simon McVittie <smcv@collabora.com>
In order to maintain a system over time, update automatically removes any EOL runtimes that are unused.
This extends it to also remove any autopruned refs. In practice this means removing no longer used driver versions as the system is updated.
Closes #5261
The tests/make-test-runtime.sh script sets '-e' in lieu of
implementing useful error checking, but doesn't actually check
if the programs it uses exist in the first place; and aborts
silently when they're not available.
It is more useful to warn about them, and stop execution earlier.
This leaves some leftover files, but arguably that's better than
leaving leftover files AND people scratching their heads.
Warn about missing required programs.
Related: https://github.com/flatpak/flatpak/issues/5020
These functions are to do with being an interactive, terminal-oriented
CLI/TUI, so it would be inappropriate for library code in libflatpak
to call them, and it would also be inappropriate for daemons like the
session and system helpers to call them.
In fact all calls to these were already isolated to app/, so we can
easily move the terminal-related utilities themselves into app/.
As well as shrinking libflatpak, this makes it obvious that the system
helper does not actually need to call flatpak_disable_fancy_output():
it does not link any code that would be affected by that API call.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Use the real GLib function if we can, and resync the backport with the
version in GLib 2.76.2: use a compatibility replacement for
G_NUMBER_PARSER_ERROR so that it can be textually identical to the
version in GLib, and revert Flatpak changes to the whitespace.
The only functional change is that if the function fails, we'll raise
G_NUMBER_PARSER_ERROR_INVALID if GLib is new enough.
Signed-off-by: Simon McVittie <smcv@collabora.com>
flatpak-run is large enough to be getting unwieldy, so separate it out
into various smaller modules.
A side benefit of these is that they'll be easier to reuse in other
projects, like Steam's pressure-vessel tool.
Signed-off-by: Simon McVittie <smcv@collabora.com>
As with commit 43085c0e "dir: Consistently initialize g_autofree
variables", this is currently harmless because we never actually
early-return or goto out of the region between declaration and
initialization, but some compiler versions log a warning here anyway.
Signed-off-by: Simon McVittie <smcv@collabora.com>
g_test_init() is meant to be called before any other use of GTest APIs,
and isolated_test_dir_global_setup() can call g_test_message(). GLib
2.76 makes this more of a practical problem.
(isolated_test_dir_global_setup() is essentially a reimplementation of
G_TEST_OPTION_ISOLATE_DIRS, since we don't depend on GLib 2.60.)
Alternative to https://github.com/flatpak/flatpak/pull/5355.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.
This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.
CVE-2023-28100, GHSA-7qpw-3vjv-xrqp
Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
There isn't much in the way of legit reasons for this, but it's a
potential security footgun when displaying the text.
CVE-2023-28101, GHSA-h43h-fwqx-mpp8
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Co-authored-by: Simon McVittie <smcv@collabora.com>
This prevents someone from placing special characters in order to
manipulate the appearance of the permissions list.
CVE-2023-28101, GHSA-h43h-fwqx-mpp8
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
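
One way to neutralise special characters before showing untrusted metadata or permission strings on a terminal, as an added example that is not Flatpak's implementation: the function name `escape_for_display` and the `\xNN` output format are assumptions, and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Flatpak's implementation. Returns a newly
 * allocated copy of `s` that is safe to print on a terminal: C0 controls
 * (including ESC), DEL, and the UTF-8 encodings of C1 controls such as
 * U+009B (CSI) become visible \xNN escapes; a literal backslash is doubled
 * so the output stays unambiguous. The caller frees the result. */
char *escape_for_display (const char *s)
{
  size_t len = strlen (s);
  char *out = malloc (len * 4 + 1);   /* worst case: every byte -> \xNN */
  char *p = out;

  if (out == NULL)
    return NULL;

  for (size_t i = 0; i < len; i++)
    {
      unsigned char c = (unsigned char) s[i];
      unsigned char next = (unsigned char) s[i + 1];   /* NUL at the end */

      if (c == 0xC2 && next >= 0x80 && next <= 0x9F)
        {
          /* C1 control encoded as two UTF-8 bytes: escape both. */
          p += sprintf (p, "\\xC2\\x%02X", next);
          i++;
        }
      else if (c < 0x20 || c == 0x7F)
        p += sprintf (p, "\\x%02X", c);
      else if (c == '\\')
        { *p++ = '\\'; *p++ = '\\'; }
      else
        *p++ = (char) c;
    }
  *p = '\0';
  return out;
}

int main (void)
{
  /* Constructed input: a path that tries to erase the line it is shown on. */
  char *shown = escape_for_display ("home\x1b[2K\rhost");
  printf ("filesystems=%s\n", shown);
  free (shown);
  return 0;
}
```
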
If `no_deploy` has been set to `TRUE` in a transaction, then the
intention is that no changes will be made to the installed flatpaks.
Currently that's not the case for explicitly or implicitly added
uninstall operations. That's particularly bad for eol-rebase flatpaks
since the old version will be automatically removed without the new
version being installed. To address this, prevent uninstall operations
from being added for no deploy transactions.
Closes: #5172
Now that we are logging `flatpak -v` messages with log level INFO,
and printing INFO messages in the same way as DEBUG, we can reserve
log level DEBUG for `flatpak -v -v` messages. This means we no longer
need a weird secondary debug domain.
There is a very small behaviour change here: G_MESSAGES_DEBUG=flatpak
is now similar to `flatpak -v -v` (previously `flatpak -v`), and
G_MESSAGES_DEBUG=flatpak2 no longer has any effect. This seems more in
line with what would be expected from a GLib-based application.
In flatpak(1) and the system helper, this does not change behaviour
other than that: the same messages are logged by `-v` and by `-v -v`
as before.
In daemons that do not implement `-v -v` (the OCI authenticator, portal
and session helper), it continues to be necessary to use
G_MESSAGES_DEBUG to see flatpak_debug2() messages.
Signed-off-by: Simon McVittie <smcv@collabora.com>