path: root/system-helper/org.freedesktop.Flatpak.policy.in
Commit log (each entry: commit subject, author, date, files changed, lines removed/added, then the commit message):
* system-helper: Tweak documentation for parental controls
  Philip Withnall, 2019-10-03, 1 file changed, -1/+3

  Signed-off-by: Philip Withnall <withnall@endlessm.com>
* dir: Support filtering app installs/upgrades by user’s OARS settings
  Philip Withnall, 2019-10-03, 1 file changed, -0/+57

  Use the user’s OARS filter to prevent installation or upgrade of apps which have more extreme content than the user is allowed to see.

  This uses libmalcontent to load the user’s enforced OARS filter, which describes the extremeness of each type of content the user is allowed to see. If an app they are trying to install exceeds the filter value in any OARS section, installation is disallowed and an error is returned.

  libmalcontent stores the parental controls policy per-user in accountsservice, which enforces access control on the policies.

  The app filter is also allowed to prevent app installation entirely, which overrides the OARS values. This is independent from the app-install polkit action, which determines whether an unprivileged user may install an app system-wide. Being stored in accountsservice, the new boolean is also easier to set per-user without having to programmatically write a polkit JS policy file which handles multiple users (and parse it back again).

  The parental controls checks are done at deploy time, either in the `flatpak` process (for user repositories) or in the `flatpak-system-helper` (for system repositories). The checks use content rating data extracted from the app’s AppData XML and stored in the `FlatpakDeploy` cache. The checks are passed through polkit (even for user repositories) so that users can get an admin override to install apps which would otherwise be too extreme. This uses the new `org.freedesktop.Flatpak.parental-controls` polkit rule.

  The checks have to be done at deploy time, as that’s when the AppData XML for the app is parsed. The downside of this arrangement is that an app must be entirely downloaded before the parental checks can be done. This won’t be much of an issue on normal desktops, however, since we can assume that gnome-software will check an app’s appropriateness before showing it to the user in the first place.

  Parental controls are not enforced for non-apps/runtimes, which includes the ostree-metadata and appstream/* refs.

  One thorny issue is that flatpak unit tests may be run in an environment with no system D-Bus available to connect to (a Jenkins instance, for example), which means the call to `mct_manager_get_app_filter()` in `flatpak_dir_check_parental_controls()` fails. So this commit skips the parental controls check if the system bus is unavailable and the environment variable `FLATPAK_SYSTEM_HELPER_ON_SESSION` is set, since the testlibrary already sets that variable so that the system-helper will be started on the session bus.

  The feature can be tested using something like:

  ```
  $ malcontent-client set philip \
      violence-realistic=none app/org.freedesktop.Bustle/x86_64/stable
  App filter for user 1000 set
  $ flatpak run org.freedesktop.Bustle
  error: Running app/org.freedesktop.Bustle/x86_64/stable is not allowed by the policy set by your administrator
  $ flatpak --user install flathub io.github.FreeDM
  error: Failed to install io.github.FreeDM: Installing app/io.github.FreeDM/x86_64/stable is not allowed by the policy set by your administrator
  ```

  Includes work by André Magalhães and Umang Jain.

  Signed-off-by: Philip Withnall <withnall@endlessm.com>
* Revise polkit messages again
  Matthias Clasen, 2018-12-06, 1 file changed, -9/+9

  I realized that these messages are a bit confusing, with keep permissions and implications. We end up asking a question about one ref, but then use the permission we obtained to operate on other refs. This will get a bit worse with the new hints, so go back to more generic messages that don't talk about the details. The ultimate goal here is fewer messages, anyway.

  Closes: #2384
  Approved by: alexlarsson
* system-helper: Fix a copy paste error
  Matthew Leeds, 2018-12-04, 1 file changed, -1/+1
* Add an update-metadata action to the polkit policy
  Matthias Clasen, 2018-12-04, 1 file changed, -0/+19

  This action is used for UpdateSummary, GenerateOciSummary and when updating the ostree-metadata branch.

  Closes: #2383
  Approved by: alexlarsson
* Add imply annotations to the polkit policy
  Matthias Clasen, 2018-12-04, 1 file changed, -0/+5

  Arrange things so that

      app-install > app-update > runtime-install > runtime-update
      app-uninstall > runtime-uninstall

  Closes: #2383
  Approved by: alexlarsson
* system-helper: Correct polkit message for modify-repo
  Matthew Leeds, 2018-11-30, 1 file changed, -1/+1

  Originally the modify-repo action was only used by the RemoveLocalRef method, which has "remote" and "ref" parameters, but now other methods use it which don't have such parameters. So this commit modifies flatpak_authorize_method_handler() so that we're not trying to pass information along to polkit that we might not have, and modifies the message shown by polkit to be more accurate.

  Closes: #2351
  Approved by: matthiasclasen
* Amend the policy comments further
  Matthias Clasen, 2018-11-06, 1 file changed, -0/+10

  As pointed out in #1269, we also install polkit rules which affect this.

  Closes: #2287
  Approved by: matthiasclasen
* Update polkit policy descriptions
  Matthias Clasen, 2018-11-06, 1 file changed, -11/+11

  Update the user-visible messages to include some of the details that are available. An informed user is a happy user.

  String change!

  Closes: #2287
  Approved by: matthiasclasen
* Correct polkit policy comments
  Matthias Clasen, 2018-11-06, 1 file changed, -9/+25

  Make the security comments for our polkit rules match the actual defaults.

  Closes: #2287
  Approved by: matthiasclasen
* system-helper: Update outdated vendor_url
  Matthew Leeds, 2018-08-07, 1 file changed, -1/+1

  Closes: #1943
  Approved by: alexlarsson
* Add system-helper support for configuring language.
  Alexander Larsson, 2017-10-20, 1 file changed, -0/+11

  Closes: #1123
  Approved by: alexlarsson
* system-helper: Add RemoveLocalRef helper function
  Sam Spilsbury, 2017-09-28, 1 file changed, -0/+15

  This depends on the modify-repo privilege

  Closes: #1034
  Approved by: alexlarsson
* remote-modify: Implement --update-metadata as a system-helper method
  Alexander Larsson, 2017-05-09, 1 file changed, -0/+15

  We download the summary and send it to the system helper, it verifies the checksum and applies the changes, with the same polkit permissions required as for an app update (i.e. typically none). This allows us to update metadata automatically, without permission requests.
* Use an allow_active=auth_admin_keep policy default for the configure-remote policy
  Mario Sanchez Prada, 2016-11-09, 1 file changed, -1/+1

  This will avoid clients such as GNOME Software from asking for the password repeatedly when configuring different repos one after another.
* system-helper: Fix typo in action description
  Sebastian Rasmussen, 2016-09-15, 1 file changed, -1/+1
* Use upstream gettext
  Matthias Clasen, 2016-07-15, 1 file changed, -18/+18

  Drop the intltool dependency that was recently added, and use upstream gettext and its features for the same purpose.

  Note that polkit currently does not install .its files (I've sent a patch). Until that is in place, this change has the effect of installing the untranslated policy file.
* system-helper: Handle installing bundles
  Alexander Larsson, 2016-06-03, 1 file changed, -0/+11
* system-helper: Support add/modify/delete of remotes
  Alexander Larsson, 2016-05-13, 1 file changed, -0/+11
* system-helper: Support uninstall
  Alexander Larsson, 2016-05-12, 1 file changed, -0/+22
* system-helper: Add support for updating appstream branch
  Alexander Larsson, 2016-05-11, 1 file changed, -0/+18
* Rename everything but the on-disk location to flatpak
  Alexander Larsson, 2016-05-09, 1 file changed, -0/+86