Changes to the Makefile could include changes to the options passed
to gdbus-codegen, which would invalidate the output.
Signed-off-by: Simon McVittie <smcv@collabora.com>
A rule of the form
foo.c foo.h: foo.in
some-generator --output=foo foo.in
is essentially equivalent to writing the same rule once for each target:
foo.c: foo.in
some-generator --output=foo foo.in
foo.h: foo.in
some-generator --output=foo foo.in
In a parallel build, this can result in some-generator being run more
than once with the same inputs and outputs, leading to unpredictable
results if the outputs are overwritten in-place by two parallel copies
(particularly if the generator does not use the standard atomic-writing
trick of writing out a temporary file and renaming it over the top of
the intended name, which gdbus-codegen does not).
gdbus-codegen happens to write the .h file before the .c file, so
use the real build rules to generate the .c file, and consider the
.h file to be a side-effect.
Signed-off-by: Simon McVittie <smcv@collabora.com>
It's sufficient to g_free it, which we do further down finalize().
This is not a double-free, because we used g_clear_pointer(),
but it's redundant.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This will make it easier to add another version in upcoming commits
which gets the updated configuration from another source (an
ostree-metadata branch).
This commit introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
There was already a convenience method for this,
fetch_remote_summary_file(), but it wasn’t used uniformly throughout the
file. This introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
There are several places which query keys in the metadata in the summary
file. Factor out a common function to do that, and write it in such a
way that it could be extended to read the metadata from somewhere else
in future (the plan being that metadata will move to an ostree-metadata
branch rather than the summary file).
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This ensures it’s always included in the build, regardless of whether
someone forgets to #include it from a C file.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Previously, the mandatory location, directory and branch positional
arguments were passed as part of the varargs. This meant the varargs
were conflating flags and positional arguments, making it harder to add
new positional arguments.
Move the mandatory positional arguments to separate parameters for
do_export(). This introduces no functional changes, but makes later
commits easier.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Any build-args specified in the manifest should be used during the
cleanup and platform-cleanup stages. This is because if you are using
QEMU to build for another architecture, for example, you need to pass
--bind-mount in the build-args, and the bind mount also needs to be
present while running cleanup commands.
Factor out a common GVariant child getter from all the print_*()
functions. This will make upcoming changes a little easier to integrate.
This introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
These will be useful in upcoming tests, as they are in the right format
to be substituted into a .flatpakref file.
Generated using `gpg2 --homedir test-keyring --armor --export
${FL_GPG_ID}`, then stripping the packet header and removing line
breaks.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This mirrors the same environment variable in OSTree’s unit tests, which
keeps the temporary directory around after tests have completed (or
failed) so the developer can examine it.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
If you inherit an extension, and it has no explicit version, then
use the version of the parent, as that is what would automatically
be used for the parent.
Instead of constantly looking at the option we change the
manifest value if its unset. This means we can access the
default branch outside of builder-main.c, and that we get
it into the serialized manifest in the build.
Unless forced by the FLATPAK_OSTREE_REPO_MODE env var, we default cache
repos to bare-user mode. Otherwise it can lead to permissions problems
because, e.g. if the system repo is configured as a "bare" repo, then
the cache repo will be too and this will lead to fchown calls even if
the user is non-privileged.
With the latest ostree, pull --mirror does not mirror the
summary for partial pulls, so system-wide installs fail. We
fix it by manually updating the summary.
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.
However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.
Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
of setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.
At this time we're not aware of any flatpak content exploiting this issue.
Closes: https://github.com/flatpak/flatpak/issues/845
