| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
| |
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support a list of versions that are supported. This will be useful
for e.g. the extra_data for extensions once that is backported to
1.2, because that will require it to say that it is supported for
> 1.2.5 in the 1.2 series and > 1.4.2 otherwise.
Closes: #3112
Approved by: alexlarsson
(cherry picked from commit 5026f01153c21a2906f7c7b7b573543691daccfd)
(cherry picked from commit 9bbe6fbb480f32c808bdc46c7937eb5fce804ac4)
Closes: #3115
Approved by: alexlarsson
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This sets required-flatpak in the metadata to some different versions
and ensure we're properly able or not able to install it.
Additionally it uses some options with multiple versions. This is not
yet supported but I want to test the existing code and make sure it
properly falls back to just using the first element of the list.
Closes: #3112
Approved by: alexlarsson
(cherry picked from commit 62117308c1dd0f10f82d274d542da0d9b7f7d426)
(cherry picked from commit 5db4631a795fc642e9be2c58dd0efb2ef4ff6090)
Closes: #3115
Approved by: alexlarsson
(cherry picked from commit cf13a1461fc9ed3c2a78d5b4f15466afb5ba87af)
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Closes: #2954
Approved by: alexlarsson
(cherry picked from commit 9cd682b057206de8596bdba6303a0414207ef621)
Closes: #2992
Approved by: alexlarsson
(cherry picked from commit cdc8d2deb5567727c2adaa0f962cba75ab86ac1a)
Closes: #3115
Approved by: alexlarsson
(cherry picked from commit 4b7963f5b1c303d4a9d2e21afdfdf5338841b93c)
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Closes: #2954
Approved by: alexlarsson
(cherry picked from commit c87c480a18e6a112e49c639f7b5a818135ef1e68)
Closes: #2992
Approved by: alexlarsson
(cherry picked from commit 1ca31146d367f0d08cddd083677503b5cafbc6e4)
Closes: #3115
Approved by: alexlarsson
(cherry picked from commit f7463733dac0d1115e49428b938d401e19427462)
Closes: #3117
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unfortunately when I added the DeployCollectionID key for flatpakrepo
files I only added support for it in flatpak_dir_parse_repofile and
missed adding it to the remote-add command. So fix the oversight so that
flatpakrepo files that use the key are properly interpreted.
Closes: #2598
Approved by: matthiasclasen
(cherry picked from commit 6bf47b4c26e195509f771c91c8070903b0404afa)
Closes: #2897
Approved by: alexlarsson
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Closes #2782.
Closes: #2783
Approved by: alexlarsson
(cherry picked from commit a9107feeb4b8275b78965b36bf21b92d5724699e)
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.
However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.
(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
|
|
|
|
|
| |
Closes: #2429
Approved by: matthiasclasen
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Fixes https://github.com/flatpak/flatpak/issues/2315
Closes: #2316
Approved by: alexlarsson
(cherry picked from commit 0af71792b47c72b628947af4b97ef687009ad49b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
apply_extra
When installing a flatpak with extra-data we execute the apply_extra
script from the flatpak to extract the extra data files we
created. This script runs with very little filesystem acces, but it
does have write permissions to the location that will eventually be
/app/extra in the finished flatpak. This is especially problematic for
the systemwide install case, because the script is then run as root,
so it could potentially create a setuid file there.
Such a file would not be usable inside the sandbox (because setuid is
disabled in the sandbox), but it could potentially be a problem if the
user could be tricked into running the file directly on the host. This
is the same behaviour as e.g. rpm or deb which both can install setuid
files, but we want to guarantee that flatpak is better than that.
The fix is to run the script with all capabilities dropped (bwrap
--cap-drop ALL) which removes a bunch of possible attack vectors (for
instance setting file capabilities). However, even without
capabilities, it is possible for a user to make any file setuid to the
same user, so we also need to canonicalize the permissions of all
files generated by running the script.
Additionally, while running the script we set the toplevel directory
only be accessible to the user, meaning we will not temporarily leak
any potential setuid files to other users.
Note, this commit actually goes furthen than that and completely
canonicalizes all the file permissions to be the same as those
otherwise used by flatpak. For example we fix up cases where the
script creates files writable or unreadable by non-root users.
Closes: #2323
Approved by: alexlarsson
(cherry picked from commit 35598f46a5ccff3e726c148314aa6577fac2cf82)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you have a pre-existing remote configured its exact definition
might differ from the one specified in a flatpakrepo file and yet
be the same.
For example, i have:
$ flatpak --user remotes -d
Name Title URL Collection ID Priority Options
flathub Flathub https://dl.flathub.org/repo/ org.flathub.Stable 1
Yet when i install a flatpakref:
$ flatpak --user install http://flathub.org/repo/appstream/org.gnome.gedit.flatpakref
The application org.gnome.gedit depends on runtimes from:
https://dl.flathub.org/repo/
Configure this as new remote 'flathub-1' [y/n]:
Because the flathub flatpakrepo does not yet have the collection id specified.
So, we need to be more lenient when matching the pre-configured remotes.
Closes: #2324
Approved by: alexlarsson
(cherry picked from commit 1ce0246b0d8012193f8a4f63579162916c3e2e69)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a key called DeployCollectionID to the flatpakref and
flatpakrepo file formats, which is intended to replace the CollectionID
key (which is still supported but deprecated). The reason for the change
is the same as for the metadata key change from xa.collection-id to
ostree.deploy-collection-id, which is that old versions of Flatpak
(roughly 0.9.8 through 1.0.1 depending on compile time options) hit
various bugs when collection IDs are in use. Flathub will soon enable
the metadata key to deploy collection IDs, and this change means Flathub
can also deploy the collection ID in flatpakref and flatpakrepo files
without affecting old clients.
Adding DeployCollectionID to the flatpakref and flatpakrepo files will
mean the flathub remote can be automatically configured with a
collection ID without depending on the metadata key to do that.
Closes: #2329
Approved by: alexlarsson
(cherry picked from commit 348fcc3f97f6262e4005ff1c3518c722a0078091)
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We generate various configuration files for each sandbox instance,
and expose them to the sandbox using flatpak_bwrap_add_args_data,
which in the end passed --bind-data to bwrap. These files are not
sensitive or shared, but it still doesn't really make sense for
the sandbox to allow them to be modified, so lets switch them
to --ro-bind-data.
This affects these files in the sandbox:
$HOME/.var/app/$APPID/config/user-dirs.dirs
/etc/group
/etc/ld.so.conf
/etc/passwd
/etc/pkcs11/modules/p11-kit-trust.module
/etc/pkcs11/pkcs11.conf
/etc/timezone
/run/flatpak/ld.so.conf.d/*.conf
/run/user/$UID/pulse/config
/run/user/$UID/Xauthority
(cherry picked from commit a71f6ef13b95404d29a76ca1e4d3f4c40ec4e39b)
|
|
|
|
|
|
|
|
|
| |
We mistakenly bind-mounted the runtime /usr/etc files read-write in
/etc, which means that application could modify some parts of the
runtimes (at least when using a per-user installed runtime). Fix
this by using a --ro-bind.
(cherry picked from commit 08e47e954443520962e0e0f8b9a5aac0017ae5c8)
|
|
|
|
|
|
|
| |
If some installation is empty (or otherwise broken) we fail the
entire run command, even though the app might exist in e.g. the
user installation. This is a regression from
651c86d3c60cdf41e9dea2ce23cc7eb2aacb9b4f which also ended up in 1.0.4.
|
|\
| |
| | |
Update Polish translation 181028
|
| | |
|
|/
|
|
|
| |
Closes: #2278
Approved by: matthiasclasen
|
|
|
|
|
|
|
|
|
|
|
| |
Explain that it is possible to install from a
local repo by passing the location.
Closes: #2245
Approved by: alexlarsson
Closes: #2247
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
| |
This won't go well.
Spotted while writing tests.
Closes: #2245
Approved by: alexlarsson
Closes: #2247
Approved by: alexlarsson
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use a remote name containing questionable characters
such as newlines or '[', we will run into assertions in
GKeyFile. To avoid that, check that the group name we
pass is valid, and throw an error otherwise.
Found while writing tests.
Closes: #2244
Approved by: alexlarsson
Closes: #2247
Approved by: alexlarsson
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some remote metadata can cause changes to the local configuration for a
remote, but Flatpak is not properly reloading the new config after
making changes. Specifically in flatpak_transaction_update_metadata() we
call flatpak_dir_update_remote_configuration() for each remote and then
try to reload the configuration by calling flatpak_dir_recreate_repo().
The problem is that while this reloads the config instance stored by the
repo member of the FlatpakDir, the FlatpakTransaction object still has
FlatpakRemoteState objects stored which were initialized from the old
config.
A consequence of this is that if a remote repository has the
"ostree.deploy-collection-id" key set in its metadata, the next
install/update operation from that remote will fail with the error
message "Can't pull from untrusted non-gpg verified remote", and then
subsequent operations will succeed. This is because during the first
operation Flatpak will add the collection ID to the local configuration
in flatpak_transaction_update_metadata() but then in
flatpak_dir_install() the outdated FlatpakRemoteState object will be
used which still has no collection ID.
So this commit frees all the stored FlatpakRemoteState objects on the
transaction, so they will be recreated when they're needed (based on the
new config).
Closes: #2243
Approved by: alexlarsson
(cherry picked from commit ce78f52fccee6cc14b90bc767057d916c4732c94)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
flatpak_installation_load_app_overrides was returning
freed memory. Oops.
Closes: #2239
Approved by: alexlarsson
(cherry picked from commit fd282a1ab8acfcf6a7ed8a5d47ca528a96c5cc54)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, if flatpak_installed_ref_get_latest_commit() returns NULL
(which means the ref doesn't exist in the local repo) we assume any
remote commit could be an update in
flatpak_installation_list_installed_refs_for_update() when a collection
ID is not configured on the remote. When a collection ID is configured,
if get_latest_commit() returns NULL it causes a crash in
ostree_repo_load_commit(). So this commit prevents the crash and makes
the behavior in the post-collection-id world consistent with the
behavior in the pre-collection-id world.
It's difficult to write a test for this that's not contrived, without
knowing what circumstances led to the disappearance of the ref from the
repo.
Fixes https://github.com/flatpak/flatpak/issues/2216
Closes: #2229
Approved by: alexlarsson
(cherry picked from commit 6b4402b60eb9b24c60cf24f5fcddc78d3dd04ab1)
|
|
|
|
|
|
|
|
|
|
| |
This should be safe to expose without requiring everybody request
it.
Closes: #2226
Approved by: alexlarsson
(cherry picked from commit d6e51ede6db51908f03ebdb3b3ddfec28354855e)
|
|
|
|
|
|
| |
This is expected behavior.
(cherry picked from commit e9f2d11f4a4b9b1d78ab90a36dd791fb79ba6dfc)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In version 0.99.1 (065053775b18e8a0f53cc94c1fb2b6cfa46cc0bc) flatpak
stopped inheriting permissions from the runtime, because that made
the story about application permissions way to complicated. What
we want is to have a static set of permissions for the app that
is frozen at install time.
However, inheriting permissions from the runtime makes a lot of sense
as certain permissions are required from the runtime, in particular this
is used by the kde runtime to read the kdeglobals file, etc.
So, to combine the best of the two worlds, we now do inherit permissions,
but at build-time (and you can disable it if you want). This way
kde apps don't have to repeat themselves, but we still get static
application permissions.
Closes: #2230
Approved by: alexlarsson
(cherry picked from commit 99fbbc25c6bee769bd6d7ef5078e904e9ab9c902)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This exposes a /etc/timezone with the current timezone, as per the old
debian spec: https://wiki.debian.org/TimeZoneChanges
In case we're using the session-helper this will be extracted from
the host config and applied whenever that changes.
Normally timezone info is specified by /etc/localtime being a symlink
into the locale data, and you can look at the symlink value itself.
However, in the sandbox we can't update a symlink in /etc at runtime,
nor can we make it of the canonical form as that would point into the
runtime. This is why /etc/timezone is used.
This fixes https://github.com/flatpak/flatpak/issues/2190
Closes: #2214
Approved by: alexlarsson
(cherry picked from commit 0b6844f39e0385b0a29f762a0f54ae1623a1559e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This extracts the timezone from the symlink in /etc/localtime as
specified in e.g.
https://www.freedesktop.org/software/systemd/man/localtime.html
If this doesn't exist, or is not a symlink, then it uses the old
debian /etc/timezone as specified in
https://wiki.debian.org/TimeZoneChanges
If nothing else works it falls back to UTC.
Closes: #2214
Approved by: alexlarsson
(cherry picked from commit 6dec2661897bd0fc8b29a53b518427970b5da5f6)
|
|
|
|
|
|
|
|
| |
This makes it easier for third-party tools who want
to have an icon to use for flatpak.
Closes: #1344
(cherry picked from commit 1afa70e54d82724e87a5aecdfac51a7d13b2f02e)
|
|
|
|
|
|
|
|
|
|
| |
flatpak_installation_modify_remote was not saving the nodeps
state. Found while writing FlatpakTransaction tests.
Closes: #2198
Approved by: alexlarsson
(cherry picked from commit de56d3410460d9e363ed931d13acdcdec16d8397)
|
|
|
|
|
|
|
|
|
|
|
| |
This was found while writing transaction tests.
We were passing error, but trying to use the local_error
message.
Closes: #2198
Approved by: alexlarsson
(cherry picked from commit adf896d794363b26a2f07a47d3b82ed26699573d)
|