| Commit message | Author | Age | Files | Lines |

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Use the user’s OARS filter to prevent installation or upgrade of
apps which have more extreme content than the user is allowed to see.
This uses libmalcontent to load the user’s enforced OARS filter, which
describes the extremeness of each type of content the user is allowed to
see. If an app they are trying to install exceeds the filter value in
any OARS section, installation is disallowed and an error is returned.
libmalcontent stores the parental controls policy per-user in
accountsservice, which enforces access control on the policies.
The app filter is also allowed to prevent app installation entirely,
which overrides the OARS values. This is independent from the app-install
polkit action, which determines whether an unprivileged user may install
an app system-wide. Being stored in accountsservice, the new boolean is
also easier to set per-user without having to programmatically write a
polkit JS policy file which handles multiple users (and parse it back
again).
The parental controls checks are done at deploy time, either in the
`flatpak` process (for user repositories) or in the
`flatpak-system-helper` (for system repositories). The checks use
content rating data extracted from the app’s AppData XML and stored in
the `FlatpakDeploy` cache. The checks are passed through polkit (even
for user repositories) so that users can get an admin override to
install apps which would otherwise be too extreme. This uses the new
`org.freedesktop.Flatpak.parental-controls` polkit rule.
The checks have to be done at deploy time, as that’s when the AppData
XML for the app is parsed. The downside of this arrangement is that an
app must be entirely downloaded before the parental checks can be done.
This won’t be much of an issue on normal desktops, however, since we can
assume that gnome-software will check an app’s appropriateness before
showing it to the user in the first place.
Parental controls are not enforced for non-apps/runtimes, which includes
the ostree-metadata and appstream/* refs.
One thorny issue is that flatpak unit tests may be run in an environment
with no system D-Bus available to connect to (a Jenkins instance, for
example), which means the call to `mct_manager_get_app_filter()` in
`flatpak_dir_check_parental_controls()` fails.
So this commit skips the parental controls check if the system bus is
unavailable and the environment variable
`FLATPAK_SYSTEM_HELPER_ON_SESSION` is set, since the testlibrary already
sets that variable so that the system-helper will be started on the
session bus.
The feature can be tested using something like:
```
$ malcontent-client set philip \
violence-realistic=none app/org.freedesktop.Bustle/x86_64/stable
App filter for user 1000 set
$ flatpak run org.freedesktop.Bustle
error: Running app/org.freedesktop.Bustle/x86_64/stable is not allowed by the policy set by your administrator
$ flatpak --user install flathub io.github.FreeDM
error: Failed to install io.github.FreeDM: Installing app/io.github.FreeDM/x86_64/stable is not allowed by the policy set by your administrator
```
Includes work by André Magalhães and Umang Jain.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
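The commit message above describes the deploy-time check in prose: an app's OARS content rating (from its AppData XML) is compared section by section against the user's enforced filter, a filter that forbids app installation entirely overrides the OARS comparison, and refs that are neither apps nor runtimes (ostree-metadata, appstream/*) are not checked at all. The following is an added example that models that decision logic; it is not Flatpak's or libmalcontent's code, and the AppData snippet, the filter dictionary layout, the function names and the assumption that a section absent from the rating counts as "none" are all constructed for this illustration.

```python
"""Added example (not Flatpak's or libmalcontent's code): a model of the
deploy-time OARS parental-controls check described in the commit message.
The sample AppData, the filter layout and the helper names are constructed."""
import xml.etree.ElementTree as ET

# OARS rating levels in increasing order of intensity (assumption: a section
# missing from an app's rating is treated as "none").
OARS_LEVELS = {"none": 0, "mild": 1, "moderate": 2, "intense": 3}

# Constructed sample AppData with an oars-1.1 content rating.
SAMPLE_APPDATA = """<component type="desktop">
  <id>org.example.SampleGame</id>
  <content_rating type="oars-1.1">
    <content_attribute id="violence-cartoon">moderate</content_attribute>
    <content_attribute id="violence-realistic">mild</content_attribute>
    <content_attribute id="language-profanity">none</content_attribute>
  </content_rating>
</component>
"""


def parse_content_rating(appdata_xml):
    """Return {oars_section: level} from the first oars-* <content_rating>,
    mirroring the data Flatpak extracts at deploy time into its cache."""
    root = ET.fromstring(appdata_xml)
    rating = {}
    for cr in root.iter("content_rating"):
        if not cr.get("type", "").startswith("oars-"):
            continue
        for attr in cr.findall("content_attribute"):
            section = attr.get("id")
            level = (attr.text or "none").strip()
            if section and level in OARS_LEVELS:
                rating[section] = level
        break
    return rating


def check_app_filter(ref, rating, app_filter):
    """Decide whether installing/updating `ref` is allowed by the user's filter.

    app_filter (constructed layout) has two keys:
      "allow_app_installation": bool, False forbids all app installs
      "oars": {section: maximum allowed level}
    Ordering follows the commit message:
      1. refs that are not apps or runtimes (ostree-metadata, appstream/*)
         are never checked;
      2. an installation ban overrides the OARS values;
      3. otherwise deny if any rated section exceeds the filter's maximum.
    Returns (allowed, reason)."""
    if not (ref.startswith("app/") or ref.startswith("runtime/")):
        return True, "not an app or runtime ref; parental controls not enforced"
    if not app_filter.get("allow_app_installation", True):
        return False, ("Installing %s is not allowed by the policy set by "
                       "your administrator" % ref)
    for section, max_level in app_filter.get("oars", {}).items():
        app_level = rating.get(section, "none")
        if OARS_LEVELS[app_level] > OARS_LEVELS[max_level]:
            return False, ("Installing %s is not allowed: %s=%s exceeds the "
                           "allowed level %s" % (ref, section, app_level, max_level))
    return True, "allowed"


if __name__ == "__main__":
    rating = parse_content_rating(SAMPLE_APPDATA)
    ref = "app/org.example.SampleGame/x86_64/stable"
    # Same shape as the malcontent-client example above: violence-realistic=none
    print(check_app_filter(ref, rating, {"oars": {"violence-realistic": "none"}}))
    print(check_app_filter(ref, rating, {"oars": {"violence-realistic": "mild"}}))
    print(check_app_filter("appstream/x86_64", rating,
                           {"allow_app_installation": False}))
```

The two policy layers are deliberately checked in that order: a blanket installation ban is cheaper to evaluate and, per the commit message, overrides the OARS values, so an app with an entirely clean rating is still refused for a user whose filter forbids installation. The polkit admin override described in the message sits outside this function; it would be consulted only after a deny result.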
I realized that these messages are a bit confusing, with
keep permissions and implications. We end up asking a
question about one ref, but then use the permission we obtained
to operate on other refs. This will get a bit worse with
the new hints, so go back to more generic messages that
don't talk about the details. The ultimate goal here is
fewer messages, anyway.
Closes: #2384
Approved by: alexlarsson
This action is used for UpdateSummary, GenerateOciSummary and
when updating the ostree-metadata branch.
Closes: #2383
Approved by: alexlarsson
Arrange things so that
app-install > app-update > runtime-install > runtime-update
app-uninstall > runtime-uninstall
Closes: #2383
Approved by: alexlarsson
Originally the modify-repo action was only used by the RemoveLocalRef
method, which has "remote" and "ref" parameters, but now other methods
use it which don't have such parameters. So this commit modifies
flatpak_authorize_method_handler() so that we're not trying to pass
information along to polkit that we might not have, and modifies the
message shown by polkit to be more accurate.
Closes: #2351
Approved by: matthiasclasen
As pointed out in #1269, we also install polkit rules
which affect this.
Closes: #2287
Approved by: matthiasclasen
Update the user-visible messages to include some of
the details that are available. An informed user is
a happy user.
String change!
Closes: #2287
Approved by: matthiasclasen
Make the security comments for our polkit rules match
the actual defaults.
Closes: #2287
Approved by: matthiasclasen
Closes: #1943
Approved by: alexlarsson
Closes: #1123
Approved by: alexlarsson
This depends on the modify-repo privilege
Closes: #1034
Approved by: alexlarsson
We download the summary and send it to the system helper, it verifies
the checksum and applies the changes, with the same polkit permissions
required as for an app update (i.e. typically none).
This allows us to update metadata automatically, without permission
requests.
policy
This will avoid clients such as GNOME Software from asking for the password
repeatedly when configuring different repos one after another.
Drop the intltool dependency that was recently added, and use
upstream gettext and its features for the same purpose.
Note that polkit currently does not install .its files (I've
sent a patch). Until that is in place, this change has the
effect of installing the untranslated policy file.