Use bubblewrap instead of xdg-app-helper

Bubblewrap is a new tool from project atomic. Its similar to the old
xdg-app-helper, but even more minimal, and a bit more generic. Its designed
to be easy to git submodule install, but at some point we will probably
support using the system installed version too.

Using bubblewrap lets us share the load of security maintenance and
allows other people to use bubblewrap to build their own unprivileged
sandboxes.
Alexander Larsson 2016-04-29 11:39:39 +02:00
parent ee7be7f82d
commit 4c3bf179e2
6 changed files with 852 additions and 217 deletions


@ -35,7 +35,7 @@ AM_CPPFLAGS = \
-DXDG_APP_BASEDIR=\"$(pkgdatadir)\" \
-DXDG_APP_TRIGGERDIR=\"$(pkgdatadir)/triggers\" \
-DSYSTEM_FONTS_DIR=\"$(SYSTEM_FONTS_DIR)\" \
-DHELPER=\"$(bindir)/xdg-app-helper\" \
-DHELPER=\"$(libdir)/xdg-app/bwrap\" \
-DDBUSPROXY=\"$(libexecdir)/xdg-dbus-proxy\" \
-DG_LOG_DOMAIN=\"xdg-app\" \
-I$(srcdir)/libglnx \


@ -44,6 +44,18 @@ static GOptionEntry options[] = {
{ NULL }
};
static void
add_args (GPtrArray *argv_array, ...)
{
va_list args;
const gchar *arg;
va_start (args, argv_array);
while ((arg = va_arg (args, const gchar *)))
g_ptr_array_add (argv_array, g_strdup (arg));
va_end (args);
}
gboolean
xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError **error)
{
@ -146,16 +158,22 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
{
custom_usr = TRUE;
runtime_files = g_object_ref (usr);
g_ptr_array_add (argv_array, g_strdup ("-W"));
}
else
runtime_files = xdg_app_deploy_get_files (runtime_deploy);
g_ptr_array_add (argv_array, g_strdup ("-wrc"));
add_args (argv_array,
custom_usr ? "--bind" : "--ro-bind", gs_file_get_path_cached (runtime_files), "/usr",
"--bind", gs_file_get_path_cached (app_files), "/app",
NULL);
/* Pass the arch for seccomp */
g_ptr_array_add (argv_array, g_strdup ("-A"));
g_ptr_array_add (argv_array, g_strdup (runtime_ref_parts[2]));
if (!xdg_app_run_setup_base_argv (argv_array, runtime_files, NULL, runtime_ref_parts[2], XDG_APP_RUN_FLAG_DEVEL, error))
return FALSE;
/* After setup_base to avoid conflicts with /var symlinks */
add_args (argv_array,
"--bind", gs_file_get_path_cached (var), "/var",
NULL);
app_context = xdg_app_context_new ();
if (!xdg_app_context_load_metadata (app_context, runtime_metakey, error))
@ -165,7 +183,9 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
xdg_app_context_allow_host_fs (app_context);
xdg_app_context_merge (app_context, arg_context);
xdg_app_run_add_environment_args (argv_array, NULL, NULL, app_id,
envp = xdg_app_run_get_minimal_env (TRUE);
envp = xdg_app_run_apply_env_vars (envp, app_context);
xdg_app_run_add_environment_args (argv_array, &envp, NULL, NULL, app_id,
app_context, NULL);
if (!custom_usr &&
@ -174,37 +194,32 @@ xdg_app_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
for (i = 0; opt_bind_mounts != NULL && opt_bind_mounts[i] != NULL; i++)
{
if (strchr (opt_bind_mounts[i], '=') == NULL)
char *split = strchr (opt_bind_mounts[i], '=');
if (split == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Missing '=' in bind mount option '%s'", opt_bind_mounts[i]);
return FALSE;
}
g_ptr_array_add (argv_array, g_strdup ("-B"));
g_ptr_array_add (argv_array, g_strdup (opt_bind_mounts[i]));
*split++ = 0;
add_args (argv_array,
"--bind", split, opt_bind_mounts[i],
NULL);
}
if (opt_build_dir != NULL)
{
g_ptr_array_add (argv_array, g_strdup ("-P"));
g_ptr_array_add (argv_array, g_strdup (opt_build_dir));
add_args (argv_array,
"--chdir", opt_build_dir,
NULL);
}
g_ptr_array_add (argv_array, g_strdup ("-a"));
g_ptr_array_add (argv_array, g_file_get_path (app_files));
g_ptr_array_add (argv_array, g_strdup ("-v"));
g_ptr_array_add (argv_array, g_file_get_path (var));
g_ptr_array_add (argv_array, g_file_get_path (runtime_files));
g_ptr_array_add (argv_array, g_strdup (command));
for (i = 2; i < rest_argc; i++)
g_ptr_array_add (argv_array, g_strdup (argv[rest_argv_start + i]));
g_ptr_array_add (argv_array, NULL);
envp = xdg_app_run_get_minimal_env (TRUE);
envp = xdg_app_run_apply_env_vars (envp, app_context);
if (!execve (HELPER, (char **)argv_array->pdata, envp))
{
g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errno), "Unable to start app");
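Review bot: The new bind-mount parsing at `char *split = strchr (opt_bind_mounts[i], '=');` only checks that an '=' is present, so an option like `DEST=` or `=SRC` leaves one half empty and the empty string is handed to bwrap as a mount path; reject both cases up front with `if (split == NULL || split == opt_bind_mounts[i] || split[1] == '\0')` reusing the existing error message. Note that `*split++ = 0;` rewrites the option string in place, so anything that reads opt_bind_mounts[i] after this loop sees only the DEST half — harmless as far as the hunk shows, but worth a one-line comment. Separately, the surrounding context line `if (!execve (HELPER, ...))` can never be true: execve returns only on failure and then returns -1, so the `g_set_error` below it is dead code; `if (execve (HELPER, (char **)argv_array->pdata, envp) == -1)` (or setting the error unconditionally after the call) is what the new envp plumbing should land on. xdg_app_builtin_build starts before the first hunk and its tail after the exec failure path is outside SOURCE.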


@ -50,9 +50,10 @@ libxdgapp_common_la_CFLAGS = \
$(OSTREE_CFLAGS) \
$(SOUP_CFLAGS) \
$(XAUTH_CFLAGS) \
$(LIBSECCOMP_CFLAGS) \
-I$(srcdir)/dbus-proxy \
$(NULL)
libxdgapp_common_la_LIBADD = libglnx.la $(BASE_LIBS) $(OSTREE_LIBS) $(SOUP_LIBS) $(XAUTH_LIBS)
libxdgapp_common_la_LIBADD = libglnx.la $(BASE_LIBS) $(OSTREE_LIBS) $(SOUP_LIBS) $(XAUTH_LIBS) $(LIBSECCOMP_LIBS)
bin_PROGRAMS += \
xdg-app-helper \
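Review bot: `xdg-app-helper` is still listed in `bin_PROGRAMS` on the new side even though the HELPER define now points at `$(libdir)/xdg-app/bwrap`; if nothing references the old helper any more, drop it from `bin_PROGRAMS` so an unused sandbox entry point is not installed — if it was installed with elevated privileges, as helpers of this kind often are, keeping it around only widens the attack surface. The libseccomp flags are added to libxdgapp-common, which suggests seccomp filter construction moved out of the helper into the library; a short comment above `$(LIBSECCOMP_CFLAGS)` saying so (e.g. `# seccomp filters are now built by libxdgapp-common and passed to bwrap`) would help later readers, hedged until confirmed against the large suppressed diff.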


@ -1785,14 +1785,22 @@ xdg_app_dir_run_triggers (XdgAppDir *self,
g_ptr_array_add (argv_array, g_file_get_path (self->basedir));
#else
g_ptr_array_add (argv_array, g_strdup (HELPER));
g_ptr_array_add (argv_array, g_strdup ("-a"));
g_ptr_array_add (argv_array, g_strdup ("--unshare-ipc"));
g_ptr_array_add (argv_array, g_strdup ("--unshare-net"));
g_ptr_array_add (argv_array, g_strdup ("--unshare-pid"));
g_ptr_array_add (argv_array, g_strdup ("--ro-bind"));
g_ptr_array_add (argv_array, g_strdup ("/"));
g_ptr_array_add (argv_array, g_strdup ("/"));
g_ptr_array_add (argv_array, g_strdup ("--proc"));
g_ptr_array_add (argv_array, g_strdup ("/proc"));
g_ptr_array_add (argv_array, g_strdup ("--dev"));
g_ptr_array_add (argv_array, g_strdup ("/dev"));
g_ptr_array_add (argv_array, g_strdup ("--bind"));
g_ptr_array_add (argv_array, g_file_get_path (self->basedir));
g_ptr_array_add (argv_array, g_file_get_path (self->basedir));
g_ptr_array_add (argv_array, g_strdup ("-e"));
g_ptr_array_add (argv_array, g_strdup ("-F"));
g_ptr_array_add (argv_array, g_strdup ("/usr"));
g_ptr_array_add (argv_array, g_file_get_path (child));
g_ptr_array_add (argv_array, g_strdup ("/app"));
#endif
g_ptr_array_add (argv_array, g_file_get_path (child));
g_ptr_array_add (argv_array, g_file_get_path (self->basedir));
g_ptr_array_add (argv_array, NULL);
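Review bot: The trigger sandbox assembled here exposes the entire host filesystem read-only via `--ro-bind / /`, so a trigger can read anything the invoking user can (including $HOME and any credentials under it), which is broader than least privilege requires for scripts that apparently only need a runtime and the installation directory; if that holds, narrower binds such as `--ro-bind /usr /usr` and `--ro-bind /etc /etc` alongside the existing `--bind basedir basedir` would be preferable. The read-write bind of self->basedir onto itself is presumably what lets the triggers rewrite exports, and a one-line comment should say so: `/* triggers update exports under basedir, so it must stay writable */`. The argument list relies on bwrap's default namespace handling for user and UTS (only ipc/net/pid are unshared explicitly) — fine if the submoduled bwrap always creates a user namespace, but worth confirming against that version. xdg_app_dir_run_triggers starts before the hunk and continues past it.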
if (!g_spawn_sync ("/",



@ -64,6 +64,7 @@ gboolean xdg_app_run_add_extension_args (GPtrArray *argv_array,
GCancellable *cancellable,
GError **error);
void xdg_app_run_add_environment_args (GPtrArray *argv_array,
char ***envp_p,
GPtrArray *session_bus_proxy_argv,
GPtrArray *system_bus_proxy_argv,
const char *app_id,
@ -88,6 +89,12 @@ typedef enum {
XDG_APP_RUN_FLAG_LOG_SYSTEM_BUS = (1<<3),
} XdgAppRunFlags;
gboolean xdg_app_run_setup_base_argv (GPtrArray *argv_array,
GFile *runtime_files,
GFile *app_id_dir,
const char *arch,
XdgAppRunFlags flags,
GError **error);
gboolean xdg_app_run_app (const char *app_ref,
XdgAppDeploy *app_deploy,
XdgAppContext *extra_context,
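Review bot: The new `char ***envp_p` parameter on xdg_app_run_add_environment_args and the new xdg_app_run_setup_base_argv prototype carry no documentation, and since the build command passes an already-populated environment via `&envp`, the in/out contract — whether the function appends to, replaces, or takes ownership of the array — cannot be read off the header. Add a comment above each declaration, e.g. `/* envp_p: in/out, caller-owned NULL-terminated environment; the function may replace *envp_p with a new array (presumably freeing the old one -- confirm against implementation) */` and `/* Adds the bwrap arguments shared by run and build: runtime_files becomes /usr, app_id_dir may be NULL, arch presumably selects the seccomp filter -- confirm */`. Both declarations lie entirely within the hunk.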