Commit message | Author | Age | Files | Lines
* Update translation files for 1.14.4 release [1.14.4] [flatpak-1.14.x] | Simon McVittie | 2023-03-16 | 23 | -2346/+2346
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Prepare v1.14.4 | Simon McVittie | 2023-03-16 | 2 | -2/+2
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Update NEWS | Simon McVittie | 2023-03-16 | 1 | -0/+20
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* run: Prevent TIOCLINUX ioctl, the same as TIOCSTI | Simon McVittie | 2023-03-16 | 3 | -1/+20
  The TIOCLINUX ioctl is only available on Linux virtual consoles such as /dev/tty1. It has several Linux-specific functions, one of which is a copy/paste operation which can be used for attacks similar to TIOCSTI.
  This vulnerability does not affect typical graphical terminal emulators such as xterm, gnome-terminal and Konsole, and Flatpak is primarily designed to be run from a Wayland or X11 graphical environment, so this is relatively unlikely to be a practical problem.
  CVE-2023-28100, GHSA-7qpw-3vjv-xrqp
  Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
  Signed-off-by: Simon McVittie <smcv@debian.org>
* cli-transaction: Escape any special characters in the EOL reason | Simon McVittie | 2023-03-16 | 1 | -1/+4
  CVE-2023-28101, GHSA-h43h-fwqx-mpp8
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Reject paths given to --filesystem/--persist with special characters | Ryan Gonzalez | 2023-03-16 | 5 | -14/+189
  There isn't much in the way of legit reasons for this, but it's a potential security footgun when displaying the text.
  CVE-2023-28101, GHSA-h43h-fwqx-mpp8
  Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
  Co-authored-by: Simon McVittie <smcv@collabora.com>
* Ensure special characters in permissions and metadata are escaped | Ryan Gonzalez | 2023-03-16 | 8 | -11/+168
  This prevents someone from placing special characters in order to manipulate the appearance of the permissions list.
  CVE-2023-28101, GHSA-h43h-fwqx-mpp8
  Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
* Update Polish translation | Piotr Drąg | 2023-03-06 | 1 | -23/+23
* Update translation files for release [1.14.3] | Simon McVittie | 2023-02-27 | 23 | -3363/+5017
* Prepare v1.14.3 | Simon McVittie | 2023-02-27 | 2 | -2/+7
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* transaction: Ignore uninstall operations for no deploy | Dan Nicholson | 2023-02-27 | 3 | -2/+63
  If `no_deploy` has been set to `TRUE` in a transaction, then the intention is that no changes will be made to the installed flatpaks. Currently that's not the case for explicitly or implicitly added uninstall operations. That's particularly bad for eol-rebase flatpaks since the old version will be automatically removed without the new version being installed.
  To address this, prevent uninstall operations from being added for no deploy transactions.
  Closes: #5172
  (cherry picked from commit fba3a7d35e7739a6b923f74596d388a3ae7a2cfa)
* Update NEWS for 1.14.x | Simon McVittie | 2023-02-21 | 1 | -0/+6
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* dir: If metadata is syntactically invalid, say which file is the problem | Simon McVittie | 2023-02-21 | 1 | -2/+2
  Similar to the previous commit, but for metadata.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit be2de97e862e5ca223da40a895e54e7bf24dbfb9)
* dir: If overrides are syntactically invalid, include path in error message | Simon McVittie | 2023-02-21 | 3 | -3/+9
  It's unhelpful to say something like "Key file contains line “x” which is not a key-value pair, group, or comment" without specifying which file we are talking about.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 3ede5382fa8e7f90d62e72bc72da64277ea254b7)
* list: Show a warning if we can't load the current version | Simon McVittie | 2023-02-21 | 1 | -2/+8
  Conceptually similar to the previous commit, except it didn't crash before, just didn't display anything.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 628750d2de7421fe4b26eebd1a6f27c524eb8a7e)
* list: Handle error in flatpak_dir_load_deployed() | Simon McVittie | 2023-02-21 | 1 | -1/+11
  flatpak_dir_load_deployed() can fail and return NULL. If that happens, there is a semi-installed but broken app, and we should show a warning rather than crashing.
  Resolves: https://github.com/flatpak/flatpak/issues/5293
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 5e2e771ece06f37b3f9f60089ede718fa8bcaf8e)
* flatpak-run: Unset GDK_BACKEND | Dan Nicholson | 2023-02-18 | 2 | -0/+2
  If the `GDK_BACKEND` environment variable is present and its value does not match the Wayland and X11 socket configuration, then a GTK app will fail to run since it will only consider the display backend from the environment variable.
  This should probably be extended to cover other display environment variables such as `QT_QPA_PLATFORM` for Qt and `SDL_VIDEODRIVER` for SDL. However, I've only tested this with GTK applications.
  (cherry picked from commit cc122e297235d68301f2c4c466bed997db05937c)
* Update POTFILES.in | Piotr Drąg | 2023-02-10 | 1 | -0/+1
  Fixes: 5cd3ec5f "exports: Make _exports_path_expose produce a GError on failure"
  (cherry picked from commit fa35ebe5137bfa4faf7557864c3ae38d113972da)
* Update NEWS for backport of #5213 | Simon McVittie | 2023-02-10 | 1 | -0/+8
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* exports: Test that a symlink to the root directory is rejected | Simon McVittie | 2023-02-10 | 1 | -0/+9
  Reproduces: https://github.com/flatpak/flatpak/issues/1357
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit fa005cdbbfbb52561a02daab92906fb18eb5c6d4)
* exports: Assert that recently-excluded paths are excluded | Simon McVittie | 2023-02-10 | 1 | -0/+5
  Reproduces: https://github.com/flatpak/flatpak/issues/5205
  Reproduces: https://github.com/flatpak/flatpak/issues/5207
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 4c792e533d28a9761888bd638d1b3a122072c770)
* exports: Don't export parent or ancestor of reserved directories | Simon McVittie | 2023-02-10 | 1 | -0/+13
  Previously, --filesystem=/run would prevent apps from starting by breaking our ability to set up /run/flatpak and /run/host. Now it is ignored, with a diagnostic message, resolving #5205 and #5207.
  Similarly, --filesystem=/symlink-to-root (or --filesystem=host) would have prevented apps from starting if a symlink like `/symlink-to-root -> /` or `/symlink-to-root -> .` exists, and refusing to export the target of that symlink avoids that failure mode, resolving #1357.
  Resolves: https://github.com/flatpak/flatpak/issues/1357
  Resolves: https://github.com/flatpak/flatpak/issues/5205
  Resolves: https://github.com/flatpak/flatpak/issues/5207
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit f325564c9a74b1920d6075f19054f3fefaf21b74)
* context: Show a warning if we cannot provide any $HOME | Simon McVittie | 2023-02-10 | 1 | -4/+8
  If $HOME is below a reserved path (for example `/usr/home/thompson` for Unix traditionalists) or otherwise cannot be shared, or is a symbolic link to somewhere that cannot be shared, then we will end up running the app with $HOME not existing. This is unexpected, so we should make more noise about it.
  There are two situations here, both of which get a warning: if we have --filesystem=home or --filesystem=host then we are trying to share the real $HOME with the application, and if we do not, then we are trying to create a directory at the location of the real $HOME and replicate the chain of symlinks (if any) leading from $HOME to that location.
  Unlike the previous commit, this is not expected to happen during unit testing, so we do not use a g_warning() for this.
  Diagnoses: https://github.com/flatpak/flatpak/issues/5035
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit b85d30365e186a55415482a9d65d32102946d2f0)
* context: Show a warning when --filesystem exists but can't be shared | Simon McVittie | 2023-02-10 | 1 | -4/+29
  If the user gives us an override or command-line argument that we cannot obey, like --filesystem=/usr/share/whatever or --filesystem=/run/flatpak/whatever, then it's confusing that we silently ignore it. We should give them an opportunity to see that their override was ineffective.
  However, there are a few situations where we still want to keep quiet. If there is a --filesystem argument for something that simply doesn't exist, we don't diagnose the failure to share it: that avoids creating unnecessary noise for apps that opportunistically share locations that might or might not exist, like the way the Steam app on Flathub asks for access to $XDG_RUNTIME_DIR/app/com.discordapp.Discord.
  Similarly, if we have been asked for --filesystem=host, the root directory is very likely to contain symlinks into a reserved path, like /lib -> usr/lib. We don't need a user-visible warning for that.
  We actually use the equivalent of g_message() rather than g_warning(), to avoid this being fatal during unit testing (in particular when we do a `flatpak info` on an app that has never been run, which will be unable to share its `.var/app` subdirectory). `app/flatpak-main.c` currently displays them as equivalent to each other anyway.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit dc7b1e873b658a0d9d3f5478b65da91816c6aef9)
* exports: Move error handling up into caller | Simon McVittie | 2023-02-10 | 4 | -165/+307
  This lets flatpak_context_export() or other callers decide how they want to handle failure to export each path. For now, the callers in FlatpakExports are still using g_debug() unconditionally, but we can now have somewhat better test coverage.
  Helps: https://github.com/flatpak/flatpak/issues/1357
  Helps: https://github.com/flatpak/flatpak/issues/5035
  Helps: https://github.com/flatpak/flatpak/issues/5205
  Helps: https://github.com/flatpak/flatpak/issues/5207
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 3f0a2de2a28b5b28f2790b1b0ca8bf330a8a298f)
* exports: Make _exports_path_expose produce a GError on failure | Simon McVittie | 2023-02-10 | 1 | -31/+64
  This is a step towards allowing its direct and indirect callers to decide how serious the failure is, and debug or warn accordingly.
  Helps: https://github.com/flatpak/flatpak/issues/5205
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 1b49de1890dfc92aacd9cb1d30beb1d87432d58a)
* exports: Never try to export /.flatpak-info | Simon McVittie | 2023-02-10 | 1 | -0/+1
  Just for completeness, in practice the host system will not have this.
  Helps: https://github.com/flatpak/flatpak/issues/5205
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 39ba9664fee4753aa51f1db82034cc8d0a2cfff4)
* exports: Never try to export paths below /run/flatpak or /run/host | Simon McVittie | 2023-02-10 | 1 | -0/+2
  These directories are reserved for Flatpak's own use.
  Helps: https://github.com/flatpak/flatpak/issues/5205
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 97fddc7ba5457ea0fbe0ceaeccc6485430bc846e)
* exports, context: List unexported paths one per line in sorted order | Simon McVittie | 2023-02-10 | 2 | -3/+26
  This will reduce conflicts when new entries are added.
  Helps: https://github.com/flatpak/flatpak/issues/5205
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit cee595763da23d6cc4438a87f7fe018431c4c907)
* Update NEWS | Simon McVittie | 2023-02-08 | 1 | -0/+8
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* run: Avoid double-free of gpgconf stdout stream | Simon McVittie | 2023-02-08 | 1 | -1/+1
  g_subprocess_get_stdout_pipe() does not transfer ownership, so the stream still belongs to the GSubprocess and we must not unref it.
  Fixes: 764e5a4d "Add --socket=gpg-agent"
  Resolves: https://github.com/flatpak/flatpak/issues/5095
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 64d627968eacc3e93b7bde2ecbded7179f18e14d)
* Update translation files for v1.14.2 release [1.14.2] | Simon McVittie | 2023-02-06 | 23 | -874/+874
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Prepare v1.14.2 | Simon McVittie | 2023-02-06 | 2 | -2/+2
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Update NEWS for 1.14.x | Simon McVittie | 2023-02-06 | 1 | -0/+23
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* CI: Disable Valgrind test for now | Patrick | 2023-02-06 | 1 | -0/+1
  This test has consistently failed for months as it takes too long. While it should be looked into, it's not helpful to show CI as always failing either.
  (cherry picked from commit 8daa975ab3e11e56b2c168dc62b30f029751dbd2)
* daemons: Treat g_info() as equivalent to g_debug() | Simon McVittie | 2023-01-30 | 5 | -12/+12
  Same as the previous commit, but for anything that runs in the background.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit ea584acf200b1ec174fe7d0e6b22016a88930772)
* main: Treat g_info() as equivalent to g_debug() | Simon McVittie | 2023-01-30 | 1 | -3/+3
  This makes us consistent with the default behaviour of GLib, and its behaviour with G_MESSAGES_DEBUG=all. g_debug() and g_info() are the two lowest priority levels, and GLib normally silences them by default.
  At the moment, Flatpak uses G_LOG_LEVEL_DEBUG in the flatpak2 domain as its lowest-priority log level (only shown with flatpak -v -v), and G_LOG_LEVEL_DEBUG in the flatpak domain as its second-lowest (shown with flatpak -v or higher). I want to move towards using G_LOG_LEVEL_INFO for flatpak -v messages, and G_LOG_LEVEL_DEBUG for flatpak -v -v, so that we don't need a second log domain: this is a policy I've used successfully in Flatpak-derived Steam Runtime code.
  This change does not fully implement that policy, but gives us a migration path towards it, by allowing us to start using g_info() for flatpak -v messages.
  Helps: https://github.com/flatpak/flatpak/issues/5001
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit ac4e322629c2a11fd921fc2977bb29f18d072ad3)
* repair: Fix off-by-one error in fancy output | Phaedrus Leeds | 2023-01-30 | 1 | -1/+1
  Fixes https://github.com/flatpak/flatpak/issues/5204
  (cherry picked from commit 8ca1604a94dc6a62880263141448f6688cb03205)
* flatpak-run: unset GIO_EXTRA_MODULES | Leorize | 2023-01-30 | 2 | -0/+2
  This variable contains paths to load GIO modules from. For the most part, they refer to paths outside of the sandbox or if they happen to be in the sandbox, would contain modules that are incompatible with the sandbox runtime (ie. different libc).
  While I've not found programs that would crash outright, it may cause unexpected behaviors (eg. Apostrophe not being able to render math in preview panel).
  This variable is set by NixOS for its dependency boxing.
  (cherry picked from commit df0b9d98b53b7486a0a23438a686af3e5d892cfd)
* flatpak-run: unset XKB_CONFIG_ROOT | Leorize | 2023-01-30 | 2 | -0/+2
  This variable is typically used to configure the use of a custom set of XKB definitions. In those cases, it's mostly meant for the X11 server or Wayland compositor. NixOS is known to employ this variable for their custom XKB layout implementation.
  When the path it points to is unreachable (due to the sandbox), most GTK+/Qt applications will crash on Wayland. Unsetting this does not seem to negatively impact the use of custom XKB layouts with Flatpak applications.
  (cherry picked from commit 751ff11d3a219701a678b5780af532e5e7c15720)
* Block KRB5CCNAME from inheriting into sandbox | Michael Catanzaro | 2023-01-30 | 2 | -1/+4
  If this environment variable is set on the host, it's going to mess up authentication in the sandbox. For example, if the host has:
      KRB5CCNAME=KCM:
  then the sandboxed process will try to use the host KCM socket, which is not available in the sandboxed environment, rather than the gssproxy socket that we want it to use. We need to unset it to ensure that whatever configuration we ship in the runtime gets used instead. We have switched the GNOME runtime to use an empty krb5.conf and it works as long as we don't break it with this environment variable meant for the host.
  (cherry picked from commit 1c32317841f2f77e69489e006648a0e58af247a1)
* profile.d: Only add new directories to XDG_DATA_DIRS in fish | Martin Kühl | 2023-01-30 | 1 | -1/+5
  Previously in a0505f52d993837ce7ce96801f54eb37d55dadfb the profile script was modified to preserve XDG_DATA_DIRS. This had the side-effect of making the script not idempotent, adding duplicate entries for every installation every time it's sourced. On my current system that results in this value:
      /home/mkhl/.local/share/flatpak/exports/share
      /var/lib/flatpak/exports/share
      /home/mkhl/.local/share/flatpak/exports/share
      /var/lib/flatpak/exports/share
      /usr/local/share
      /usr/share
  which in turn has the side-effect of the GNOME search settings showing two entries for every application installed via flatpak.
  This change makes the script check that an entry is new before adding it. It also uses `set -p` (short for `--prepend`) to add them.
  N.B. `set -p VAR val` is equivalent to `set VAR val $VAR`
  `$var[-1..1]` reverses the order of elements so after iterating the first element of `$installations` becomes the first element of `$XDG_DATA_DIRS`
  (cherry picked from commit 16707a1937b0370f37a1ab84c9ca0a30a33d6b95)
* utils: Unmap the old summary.idx file before trying to replace it | Forest | 2023-01-30 | 1 | -0/+4
  Exporting to an existing repo on a Samba filesystem failed with EACCES when libglnx called renameat() to replace the old summary.idx file.
      error: renameat: Permission denied
  This occurred even when the user had appropriate permissions to the file and its ancestor directories. The problem was that flatpak had mapped the old file into memory for reading, and still held a reference to that mapping when attempting to replace the underlying file. Apparently this works on some filesystems, but not on cifs.
  We therefore release the memory mapping before replacing the underlying file.
  Fixes #5257
  Co-authored-by: Patrick <tingping@tingping.se>
  (cherry picked from commit 01910ad12fd840a8667879f9a479a66e441cccdd)
* Update translation files for v1.14.1 [1.14.1] | Simon McVittie | 2022-11-18 | 23 | -2592/+2591
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Prepare v1.14.1 | Simon McVittie | 2022-11-18 | 2 | -2/+2
  Signed-off-by: Simon McVittie <smcv@collabora.com>
* Revert ".gitmodules: Temporarily fetch from Github mirror of libglnx" | Simon McVittie | 2022-11-18 | 1 | -1/+1
  This reverts commit 7cb9eb3ebc1627d6a4145abf3a72382be9562b1a.
* Revert ".gitmodules: Temporarily fetch from my Github fork of v-s-c" | Simon McVittie | 2022-11-18 | 1 | -1/+1
  This reverts commit bdfebb44da96a5fd4df745f4f53161e08e2927b2.
* .gitmodules: Temporarily fetch from my Github fork of v-s-c | Simon McVittie | 2022-11-17 | 1 | -1/+1
  gitlab.gnome.org is currently down, so use a mirror. The specific commit we are using has not changed.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit bdfebb44da96a5fd4df745f4f53161e08e2927b2)
* .gitmodules: Temporarily fetch from Github mirror of libglnx | Simon McVittie | 2022-11-17 | 1 | -1/+1
  gitlab.gnome.org is currently down, so use a mirror. The specific commit we are using has not changed.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit 7cb9eb3ebc1627d6a4145abf3a72382be9562b1a)
* .gitmodules: Canonicalize URL of bubblewrap | Simon McVittie | 2022-11-17 | 1 | -1/+2
  The project was moved to a new namespace a while ago, and is now using the main branch rather than master. The specific commit we are using has not changed.
  Signed-off-by: Simon McVittie <smcv@collabora.com>
  (cherry picked from commit f9a7d120144bc07b6a65e542e449d9d4bbd8a808)