mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-27 19:33:06 -04:00
bbf6debec2
As with flatpak run --parent-expose-pids, this will only work if we have a working, non-setuid bwrap. Systems where user namespace creation is restricted and bwrap needs to be setuid (Debian 10, RHEL/CentOS 7, Arch Linux linux-hardened kernel) will have degraded functionality. This option is similar to --expose-pids, except that instead of making the subsandbox use a nested pid namespace inside the parent's, it makes the subsandbox share the parent's pid namespace as-is, so that process IDs in the parent and the subsandbox are interchangeable. This will be useful if the parent and the subsandbox communicate via protocols that assume a global view of the process ID namespace, for example passing process IDs across an AF_UNIX socket or in shared memory. In particular, this will be useful for Steam's pressure-vessel container tool: the IPC between the Steam client and the "game overlay" loaded into Steam games uses process IDs, and becomes confused if they don't match up. This weakens the security boundary between a subsandbox and the parent, but that's OK in some cases, especially if the subsandbox is being used as a way to get a different runtime /usr (flatpak-spawn --latest-version or #4018) rather than as a security boundary. Signed-off-by: Simon McVittie <smcv@collabora.com>
61 lines
2.3 KiB
C
61 lines
2.3 KiB
C
/*
|
|
* Copyright © 2015 Red Hat, Inc
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
* Authors:
|
|
* Alexander Larsson <alexl@redhat.com>
|
|
*/
|
|
|
|
#ifndef __FLATPAK_COMMON_TYPES_H__
|
|
#define __FLATPAK_COMMON_TYPES_H__
|
|
|
|
typedef enum {
|
|
FLATPAK_KINDS_APP = 1 << 0,
|
|
FLATPAK_KINDS_RUNTIME = 1 << 1,
|
|
} FlatpakKinds;
|
|
|
|
typedef enum {
|
|
FLATPAK_RUN_FLAG_DEVEL = (1 << 0),
|
|
FLATPAK_RUN_FLAG_BACKGROUND = (1 << 1),
|
|
FLATPAK_RUN_FLAG_LOG_SESSION_BUS = (1 << 2),
|
|
FLATPAK_RUN_FLAG_LOG_SYSTEM_BUS = (1 << 3),
|
|
FLATPAK_RUN_FLAG_NO_SESSION_HELPER = (1 << 4),
|
|
FLATPAK_RUN_FLAG_MULTIARCH = (1 << 5),
|
|
FLATPAK_RUN_FLAG_WRITABLE_ETC = (1 << 6),
|
|
FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY = (1 << 7),
|
|
FLATPAK_RUN_FLAG_NO_SYSTEM_BUS_PROXY = (1 << 8),
|
|
FLATPAK_RUN_FLAG_SET_PERSONALITY = (1 << 9),
|
|
FLATPAK_RUN_FLAG_FILE_FORWARDING = (1 << 10),
|
|
FLATPAK_RUN_FLAG_DIE_WITH_PARENT = (1 << 11),
|
|
FLATPAK_RUN_FLAG_LOG_A11Y_BUS = (1 << 12),
|
|
FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY = (1 << 13),
|
|
FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
|
|
FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
|
|
FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
|
|
FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
|
|
FLATPAK_RUN_FLAG_DO_NOT_REAP = (1 << 18),
|
|
FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
|
|
FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS = (1 << 20),
|
|
FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS = (1 << 21),
|
|
} FlatpakRunFlags;
|
|
|
|
typedef struct FlatpakDir FlatpakDir;
|
|
typedef struct FlatpakDeploy FlatpakDeploy;
|
|
typedef struct FlatpakOciRegistry FlatpakOciRegistry;
|
|
typedef struct _FlatpakOciManifest FlatpakOciManifest;
|
|
typedef struct _FlatpakOciImage FlatpakOciImage;
|
|
|
|
#endif /* __FLATPAK_COMMON_TYPES_H__ */
|