This ensures it’s always included in the build, regardless of whether
someone forgets to #include it from a C file.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Previously, the mandatory location, directory and branch positional
arguments were passed as part of the varargs. This meant the varargs
were conflating flags and positional arguments, making it harder to add
new positional arguments.
Move the mandatory positional arguments to separate parameters for
do_export(). This introduces no functional changes, but makes later
commits easier.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Any build-args specified in the manifest should be used during the
cleanup and platform-cleanup stages. This is because if you are using
QEMU to build for another architecture, for example, you need to pass
--bind-mount in the build-args, and the bind mount also needs to be
present while running cleanup commands.
Factor out a common GVariant child getter from all the print_*()
functions. This will make upcoming changes a little easier to integrate.
This introduces no functional changes.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
These will be useful in upcoming tests, as they are in the right format
to be substituted into a .flatpakref file.
Generated using `gpg2 --homedir test-keyring --armor --export
${FL_GPG_ID}`, then stripping the packet header and removing line
breaks.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This mirrors the same environment variable in OSTree’s unit tests, which
keeps the temporary directory around after tests have completed (or
failed) so the developer can examine it.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
If you inherit an extension, and it has no explicit version, then
use the version of the parent, as that is what would automatically
be used for the parent.
Instead of constantly looking at the option we change the
manifest value if its unset. This means we can access the
default branch outside of builder-main.c, and that we get
it into the serialized manifest in the build.
Unless forced by the FLATPAK_OSTREE_REPO_MODE env var, we default cache
repos to bare-user mode. Otherwise it can lead to permissions problems
because, e.g. if the system repo is configured as a "bare" repo, then
the cache repo will be too and this will lead to fchown calls even if
the user is non-privileged.
With the latest ostree, pull --mirror does not mirror the
summary for partial pulls, so system-wide installs fail. We
fix it by manually updating the summary.
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.
However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.
Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
of setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.
At this time we're not aware of any flatpak content exploiting this issue.
Closes: https://github.com/flatpak/flatpak/issues/845
Installing build dependencies directly on a host should be
considered an anti-pattern. Steal some of the bits from
rpm-ostree's PAPR bits.
Another benefit here is we avoid duplicating the build dependencies again, since
we start using `yum-builddep.
We only have one context now, `f25-primary`, rather than having Clang
show up as a separate thing, since IMO it's not worth its own context.
This goes into a big old topic about Unix homedir permissions; it's not uncommon
for general purpose OS vendors to have homedirs be 0755. In that case,
applications need to ensure confidentiality for data requiring it (classically
e.g. `~/.ssh`) by making the dirs `0700`.
While most of the data in the flatpak per-user dir probably isn't confidential
(debatably) we have a different issue; if container content includes suid or
world-writable files/dirs, then having that data accessible to other users
is obviously problematic.
We're going to fix flatpak/ostree to not create files with those modes
to begin with, but this simple fix closes off the attack route for
the per-user directory.
A different fix will be necessary for the system-wide repo.
See: https://github.com/flatpak/flatpak/pull/837
Looking at the git history, this code originally retried on
some cases for pull, then stopped doing so, then a later commit
added code after it, which made it incorrect.
Just do an early return again and drop the `res` variable.
This canonicalizes the file modes for directories to 0755, and
for files to 0755 for executables or 0644 otherwise.
This means we never get files/dirs writable by non-root in the
system repo, and we never get setuid/setgid/sticky-bit, all
which could potentially be a problem if we store them in the
system repo.
See https://github.com/flatpak/flatpak/pull/837 for some discussion
about this.
They were being set to an uninitialised set of flags from cxxflags.
Spotted as a compiler warning.
Signed-off-by: Philip Withnall <withnall@endlessm.com>