author | Alexander Larsson <alexl@redhat.com> | 2016-04-29 11:39:39 +0200 |
---|---|---|
committer | Alexander Larsson <alexl@redhat.com> | 2016-04-29 15:52:44 +0200 |
commit | 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 (patch) | |
tree | f0dfce3e32b0cdd2119b6bfd6860488aa5edcf5e /app | |
parent | ee7be7f82dc72bc4bbbc9fce0ee66fa232baf7dc (diff) | |
download | xdg-app-4c3bf179e2e4a2a298cd1db1d045adaf3f564532.tar.gz |
Use bubblewrap instead of xdg-app-helper
Bubblewrap is a new tool from Project Atomic. It's similar to the old
xdg-app-helper, but even more minimal, and a bit more generic. It's designed
to be easy to install as a git submodule, but at some point we will probably
support using the system installed version too.
Using bubblewrap lets us share the load of security maintenance and
allows other people to use bubblewrap to do their own unprivileged
sandboxes.
Diffstat (limited to 'app')
-rw-r--r-- | app/xdg-app-builtins-build.c | 55 |
1 files changed, 35 insertions, 20 deletions
diff --git a/app/xdg-app-builtins-build.c b/app/xdg-app-builtins-build.c
index 95080c2..ea49b47 100644
--- a/app/xdg-app-builtins-build.c
+++ b/app/xdg-app-builtins-build.c
@@ -44,6 +44,18 @@ static GOptionEntry options[] = {
 { NULL }
 };
+static void
+add_args (GPtrArray *argv_array, ...)
+{
+ va_list args;
+ const gchar *arg;
+
+ va_start (args, argv_array);
+ while ((arg = va_arg (args, const gchar *)))
+ g_ptr_array_add (argv_array, g_strdup (arg));
+ va_end (args);
+}
+
 gboolean
 xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError **error)
 {
@@ -146,16 +158,22 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
 {
 custom_usr = TRUE;
 runtime_files = g_object_ref (usr);
- g_ptr_array_add (argv_array, g_strdup ("-W"));
 }
 else
 runtime_files = xdg_app_deploy_get_files (runtime_deploy);
- g_ptr_array_add (argv_array, g_strdup ("-wrc"));
+ add_args (argv_array,
+ custom_usr ? "--bind" : "--ro-bind", gs_file_get_path_cached (runtime_files), "/usr",
+ "--bind", gs_file_get_path_cached (app_files), "/app",
+ NULL);
+
+ if (!xdg_app_run_setup_base_argv (argv_array, runtime_files, NULL, runtime_ref_parts[2], XDG_APP_RUN_FLAG_DEVEL, error))
+ return FALSE;
- /* Pass the arch for seccomp */
- g_ptr_array_add (argv_array, g_strdup ("-A"));
- g_ptr_array_add (argv_array, g_strdup (runtime_ref_parts[2]));
+ /* After setup_base to avoid conflicts with /var symlinks */
+ add_args (argv_array,
+ "--bind", gs_file_get_path_cached (var), "/var",
+ NULL);
 app_context = xdg_app_context_new ();
 if (!xdg_app_context_load_metadata (app_context, runtime_metakey, error))
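Review bot: add_args stops at the first NULL it reads, so a NULL argument in the middle of a list silently drops every argument after it instead of failing. The callers in the following hunk pass `gs_file_get_path_cached (...)` results straight in; if one of those can be NULL (for example a GFile with no local path, which is not visible here), the `/usr` or `/app` target and the remaining mounts would disappear from the bwrap command line without any error. I would check those paths before the call and add a prototype `static void add_args (GPtrArray *argv_array, ...) G_GNUC_NULL_TERMINATED;` so the compiler warns when a call site forgets the sentinel. A one-line comment above add_args, `/* Appends a g_strdup() copy of each string up to the terminating NULL */`, would also document the ownership.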
@@ -165,7 +183,9 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
 xdg_app_context_allow_host_fs (app_context);
 xdg_app_context_merge (app_context, arg_context);
- xdg_app_run_add_environment_args (argv_array, NULL, NULL, app_id,
+ envp = xdg_app_run_get_minimal_env (TRUE);
+ envp = xdg_app_run_apply_env_vars (envp, app_context);
+ xdg_app_run_add_environment_args (argv_array, &envp, NULL, NULL, app_id,
 app_context, NULL);
 if (!custom_usr &&
@@ -174,37 +194,32 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
 for (i = 0; opt_bind_mounts != NULL && opt_bind_mounts[i] != NULL; i++)
 {
- if (strchr (opt_bind_mounts[i], '=') == NULL)
+ char *split = strchr (opt_bind_mounts[i], '=');
+ if (split == NULL)
 {
 g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
 "Missing '=' in bind mount option '%s'", opt_bind_mounts[i]);
 return FALSE;
 }
- g_ptr_array_add (argv_array, g_strdup ("-B"));
- g_ptr_array_add (argv_array, g_strdup (opt_bind_mounts[i]));
+ *split++ = 0;
+ add_args (argv_array,
+ "--bind", split, opt_bind_mounts[i],
+ NULL);
 }
 if (opt_build_dir != NULL)
 {
- g_ptr_array_add (argv_array, g_strdup ("-P"));
- g_ptr_array_add (argv_array, g_strdup (opt_build_dir));
+ add_args (argv_array,
+ "--chdir", opt_build_dir,
+ NULL);
 }
- g_ptr_array_add (argv_array, g_strdup ("-a"));
- g_ptr_array_add (argv_array, g_file_get_path (app_files));
- g_ptr_array_add (argv_array, g_strdup ("-v"));
- g_ptr_array_add (argv_array, g_file_get_path (var));
- g_ptr_array_add (argv_array, g_file_get_path (runtime_files));
- g_ptr_array_add (argv_array, g_strdup (command));
 for (i = 2; i < rest_argc; i++)
 g_ptr_array_add (argv_array, g_strdup (argv[rest_argv_start + i]));
 g_ptr_array_add (argv_array, NULL);
- envp = xdg_app_run_get_minimal_env (TRUE);
- envp = xdg_app_run_apply_env_vars (envp, app_context);
-
 if (!execve (HELPER, (char **)argv_array->pdata, envp))
 {
 g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errno), "Unable to start app");
 |
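Review bot: The line that appended `command` to argv_array is removed here and no added line in this hunk puts it back, so unless it is appended somewhere outside the visible hunks the helper is started with only the arguments from index 2 onward; I would keep `g_ptr_array_add (argv_array, g_strdup (command));` directly before the `for (i = 2; ...)` loop. The bind-mount loop also splits the option in place and passes both halves on unchecked, so `=SRC` or `DEST=` yields an empty path argument; a guard such as `if (*opt_bind_mounts[i] == 0 || *split == 0)` returning the same G_IO_ERROR_INVALID_ARGUMENT would reject that early. The unchanged `if (!execve (...))` test is worth revisiting while this code is touched, because execve returns -1 on failure and `!(-1)` is false, so the "Unable to start app" error looks unreachable. xdg_app_builtin_build starts and ends outside this hunk.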