mirror of https://github.com/flatpak/flatpak.git synced 2026-03-27 03:14:04 -04:00

Go to file

Alexander Larsson 3caeb16c31 Don't follow symlinks when mounting persisted directories

These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.

Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.

Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.

This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.

Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>

2024-08-12 19:26:44 +01:00

.devcontainer

Add devcontainer file for GitHub Codespaces support.

2024-04-30 20:10:55 -05:00

.github

ci: Run CodeQL job in Ubuntu 22.04

2024-04-28 13:23:40 -05:00

app

utils: Move more repository functionality to repo-utils

2024-07-09 17:12:55 -03:00

buildutil

Remove Autotools build system

2024-02-16 19:30:32 +00:00

common

Don't follow symlinks when mounting persisted directories

2024-08-12 19:26:44 +01:00

completion

Add a Meson build system

2022-10-24 16:12:14 +01:00

data

Remove Autotools build system

2024-02-16 19:30:32 +00:00

doc

doc/release-checklist.md: Fix a leftover Autotools reference

2024-07-22 19:12:31 +01:00

env.d

Add a Meson build system

2022-10-24 16:12:14 +01:00

icon-validator

validate-icon: For completeness, always add "--" to bwrap arguments

2024-04-17 18:10:46 +01:00

oci-authenticator

oci-authenticator: Unref the GOptionContext when we're done with it

2024-08-03 11:12:31 -05:00

Update translation files for release

2024-07-22 17:58:03 +01:00

portal

portal: Free the ops from flatpak_transaction_get_operations

2024-08-03 11:12:31 -05:00

profile

profile: Install flatpak.csh

2024-06-04 17:23:32 +01:00

revokefs

revokefs: Clean up struct fuse_args with fuse_opt_free_args

2024-08-03 11:12:31 -05:00

scripts

Add a Meson build system

2022-10-24 16:12:14 +01:00

selinux

Remove Autotools build system

2024-02-16 19:30:32 +00:00

session-helper

Remove Autotools build system

2024-02-16 19:30:32 +00:00

sideload-repos-systemd

Remove Autotools build system

2024-02-16 19:30:32 +00:00

subprojects

subprojects: Add a README explaining how to manage subprojects

2024-05-06 18:34:57 +01:00

system-helper

Fix missing declaration for g_fdwalk_set_cloexec() with GLib 2.80.x

2024-03-21 20:20:15 +00:00

tests

tests: Add an address sanitizer suppression file

2024-08-03 11:12:31 -05:00

triggers

Add a Meson build system

2022-10-24 16:12:14 +01:00

.editorconfig

Add a vim modeline and .editorconfig

2022-08-22 19:48:10 -07:00

.gitignore

.gitignore: Add tests/runtime-repo.stamp

2022-06-27 20:15:41 +01:00

CODE_OF_CONDUCT.md

Create CODE_OF_CONDUCT.md

2018-02-05 15:21:40 +00:00

CONTRIBUTING.md

CONTRIBUTING: Recommend building this branch with Meson

2023-02-21 09:54:46 +00:00

COPYING

Add COPYING to reflect license headers

2015-03-31 15:36:29 +01:00

flatpak.png

README: update logo

2022-09-26 14:35:40 +01:00

meson_options.txt

Do not hard-code fusermount, add option or auto-detect instead

2024-02-19 12:05:05 +00:00

meson.build

Prepare v1.15.9

2024-07-22 17:47:36 +01:00

NEWS

Update NEWS

2024-08-12 18:48:24 +01:00

README.md

README: Signpost https://flatpak.org/setup/ as a good way to install

2023-02-21 09:55:10 +00:00

SECURITY.md

doc: 1.12.x, 1.10.x are no longer security-supported

2024-08-09 17:29:31 +01:00

uncrustify.cfg

Remove extra newlines in variable definiton blocks

2019-02-25 18:12:30 +00:00

uncrustify.sh

uncrustify: Exclude app/flatpak-polkit-agent-text-listener.[ch]

2019-02-25 18:12:30 +00:00

README.md

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

See https://flatpak.org/ for more information.

Flatpak is available in the package repositories of most Linux distributions and can be installed from there. See https://flatpak.org/setup/ for quick setup instructions for many distributions.

Community discussion happens in #flatpak:matrix.org, on the mailing list, and on the Flathub Discourse.

Read documentation for Flatpak here.

Contributing

Flatpak welcomes contributions from anyone! Here are some ways you can help:

Fix one of the issues and submit a PR
Update flatpak's translations and submit a PR
Improve flatpak's documentation, hosted at http://docs.flatpak.org and developed over in flatpak-docs
Find a bug and submit a detailed report including your OS, flatpak version, and the steps to reproduce
Add your favorite application to Flathub by writing a flatpak-builder manifest and submitting it
Improve the Flatpak support in your favorite Linux distribution

Hacking

See CONTRIBUTING.md

Here are some notable projects in the Flatpak ecosystem:

Flatseal: An app for managing permissions of Flatpak apps without using the CLI
Flat-manager: A tool for managing Flatpak repositories

Languages

C 91.1%

Shell 5.1%

Python 1.8%

Meson 1.1%

Yacc 0.8%

README.md

Contributing

Hacking

Related Projects