Move $XDG_RUNTIME_DIR/flatpak-info to /.flatpak-info and make it read-only
The old location keeps working because we create a symlink. The interesting part of this is that the sandbox now can't modify, remove or replace the file, and it is in a fixed position. This means that given a sandboxed pid, we can find this file as "/proc/$pid/root/.flatpak-info". This is very nice for two reasons: * We can use this instead of the cgroup to find out if a pid is sandboxed or not. This means we can drop the dependency on systemd --user for this. * We can get more information about the peer process than the app id. For instance, we can see what permissions the sandboxed app has.
parent
edb2749e3e
commit
32c571ae79
@ -2559,7 +2559,7 @@ flatpak_run_add_app_info_args (GPtrArray *argv_array,
|
|||
g_autoptr(GFile) files = NULL;
|
||||
g_autofree char *files_path = NULL;
|
||||
g_autofree char *fd_str = NULL;
|
||||
g_autofree char *dest = g_strdup_printf ("/run/user/%d/flatpak-info", getuid ());
|
||||
g_autofree char *old_dest = g_strdup_printf ("/run/user/%d/flatpak-info", getuid ());
|
||||
|
||||
close (fd);
|
||||
|
||||
|
@ -2589,7 +2589,10 @@ flatpak_run_add_app_info_args (GPtrArray *argv_array,
|
|||
if (fd_array)
|
||||
g_array_append_val (fd_array, fd);
|
||||
|
||||
add_args (argv_array, "--file", fd_str, dest, NULL);
|
||||
add_args (argv_array,
|
||||
"--ro-bind-data", fd_str, "/.flatpak-info",
|
||||
"--symlink", "../../../.flatpak-info", old_dest,
|
||||
NULL);
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
|
|
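Review bot: The symlink target `"../../../.flatpak-info"` on the new `--symlink` line is only correct because `old_dest` is hard-coded as `/run/user/<uid>/flatpak-info`, exactly three components below the root, and nothing ties the two literals together, so a later change to either one silently breaks the compatibility path. A comment above the `add_args` call would preserve the intent, e.g. `/* Relative target on purpose: it resolves to /.flatpak-info inside the sandbox and also when the host reads it through /proc/$pid/root, where an absolute target would be resolved against the host root. Keep in step with old_dest. */`. It is also worth stating next to `--ro-bind-data` that this mount is what makes the file immutable from inside the sandbox, which is the property host-side readers of /proc/$pid/root/.flatpak-info rely on, whereas the symlink at the old location can presumably still be removed or replaced by the app if /run/user/<uid> is writable there — confirm that consumers only trust the root path. The enclosing function flatpak_run_add_app_info_args begins before the first hunk, and the `%d` format used with getuid() on the new old_dest line is inherited from the removed line.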