It's not totally unheard of to use the network during builds, for
instance to download packages. This does so via a straight
(readonly) bind mount of the host version.
This is slightly different from what xdg-app run does, as
that relies on a full session and xdg-app-helper, but instead
that handles the config changing during runtime.
If the session bus is allowed we get unfiltered access to it, but if
it is not, then we install a filter with the policy specified by the
runtime and the app.
By default you can always own your app-id and wildcarded names below
it (i.e. org.gnome.gedit and org.gnome.gedit.*). On top of that we add
all the policies specified in the metadata for the runtime, and then
the metadata from the application.
The metadata policy config looks like this:
[Session Bus Policy]
ca.desrt.dconf=talk
org.gtk.*=see
org.my.name=own
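The policy merging described in this message, as an added example in Python (not xdg-app's own code): it parses the [Session Bus Policy] section from constructed runtime and app metadata, seeds the own rules for the app-id and its wildcard, applies runtime entries and then app entries with later ones overriding, and resolves a bus name to its level. It assumes the ordering see < talk < own, that a trailing .* matches only names strictly below the prefix, and that the longest matching pattern decides.

```python
import configparser

# Assumed ordering of the levels named in the metadata format;
# a name with no matching entry resolves to "none" (no access).
LEVELS = {"none": 0, "see": 1, "talk": 2, "own": 3}

# Constructed sample metadata for a runtime and an app (not real project files).
RUNTIME_METADATA = """[Session Bus Policy]
ca.desrt.dconf=talk
org.gtk.*=see
"""
APP_METADATA = """[Session Bus Policy]
org.my.name=own
org.gtk.Notifications=talk
"""

def parse_policy(metadata_text):
    """Return {bus-name-or-wildcard: level} from the [Session Bus Policy] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # bus names are case-sensitive; keep them as written
    cp.read_string(metadata_text)
    if not cp.has_section("Session Bus Policy"):
        return {}
    policy = {}
    for name, level in cp.items("Session Bus Policy"):
        if level not in LEVELS:
            raise ValueError(f"unknown policy level {level!r} for {name}")
        policy[name] = level
    return policy

def effective_policy(app_id, runtime_text, app_text):
    """Defaults for the app-id, then runtime entries, then app entries (later wins)."""
    policy = {app_id: "own", app_id + ".*": "own"}
    policy.update(parse_policy(runtime_text))
    policy.update(parse_policy(app_text))
    return policy

def _matches(pattern, name):
    # Assumption: "a.b.*" covers names strictly below "a.b", not "a.b" itself.
    if pattern.endswith(".*"):
        return name.startswith(pattern[:-1])
    return pattern == name

def lookup(policy, name):
    """Level for a bus name; the longest (most specific) matching pattern decides."""
    hits = [p for p in policy if _matches(p, name)]
    return policy[max(hits, key=len)] if hits else "none"
```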
* Convert LD_LIBRARY_PATH in [Vars] to _LD_LIBRARY_PATH in the env
so that it's properly propagated.
* Always unset the regular LD_LIBRARY_PATH in the app if
_LD_LIBRARY_PATH is unset.
* Always unset LD_LIBRARY_PATH as passed to the helper to
avoid it getting some weird effect.
Some env vars (like LD_LIBRARY_PATH) were set by the helper, which
made it hard to override them. We instead set all these from the
launcher which gives us the same result but greater control.
For LD_LIBRARY_PATH in particular we pass it as _LD_LIBRARY_PATH
to avoid the env var affecting the helper.
This runs a plain non-filtering dbus proxy if needed,
i.e. if the session or system bus is on a non-plain unix socket
address. This helps fix issues if the session socket is
an abstract unix socket, but mostly it sets the stage for
adding dbus filtering.
It is not guaranteed that source_relpath ends with '/', so g_strconcat()
would generate an invalid path, like "share/icons/hicolor64x64/apps". Use
g_build_filename() instead to ensure we don't miss any separators.
When we've listened to all sockets we write to the fd, and when
the other end of the fd is closed we exit. This can be used to
limit the lifetime of the proxy to the container.
Sometimes it's necessary to override environment variables coming from
outside the sandbox in order to point to the right places in the sandbox
(like QT_PLUGIN_PATH pointing to /self/lib/qt5/plugins).
To do so, runtimes and applications can add ENV=VALUE entries into the [Vars]
section in their metadata files. Specifying an empty value is also possible,
which will effectively unset the variable.