Commit Graph

220 Commits (9a0dcf64708730345794b049c8fc42a34b1dff9f)

Author SHA1 Message Date
Alexander Larsson 9a0dcf6470 Add copies of new glib APIs that we use 2015-02-08 17:08:11 +01:00
Alexander Larsson 3ef9c13598 Set PR_SET_NO_NEW_PRIVS
This means no process in the app can gain any kind of extra
privs during exec() (for instance setuid or file caps).
2015-02-08 11:32:17 +01:00
Alexander Larsson 79b12777bf Add all (unused) args to prctl call 2015-02-08 11:32:17 +01:00
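The two prctl commits above, shown as an added example (this is not xdg-app's own code): set the no_new_privs bit with all five arguments spelled out, then confirm it from inside the process, from /proc, and across an exec(). It assumes Linux 3.5 or newer; the /bin/sh and grep used in the exec check are assumptions for the demo.

```c
/* Added example (not xdg-app's own code): set the no_new_privs bit as the
 * commits above describe, passing all five prctl() arguments, and verify it
 * from inside the process and from /proc. Assumes Linux 3.5 or newer. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Older headers may lack these; the values are fixed kernel ABI. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the bit. prctl(2) requires arg3..arg5 to be zero for this option, which
 * is why the unused arguments are spelled out: prctl() is variadic, so a call
 * with missing arguments passes whatever happens to be in the registers.
 * The bit is sticky (it cannot be cleared) and is inherited by fork() and
 * exec(), so no setuid or file-capability binary the app runs gains anything.
 * Returns 0 on success, -1 with errno set otherwise. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if the bit is set on this thread, 0 if not, -1 on error. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Independent check via the "NoNewPrivs:" line of /proc/self/status.
 * Returns 1 or 0, or -1 if the line is absent (old kernel, no procfs). */
int read_no_new_privs_from_proc(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            result = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Show that an exec()ed child still carries the bit: run a shell that greps
 * its own status. Returns the child's exit status (0 = bit observed) or -1.
 * Assumes /bin/sh and grep exist (demo assumption). */
int check_inherited_after_exec(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c",
              "grep -q '^NoNewPrivs:[[:space:]]*1' /proc/self/status",
              (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (set_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("prctl: %d, /proc: %d, after exec: %s\n",
           get_no_new_privs(), read_no_new_privs_from_proc(),
           check_inherited_after_exec() == 0 ? "still set" : "not set");
    return 0;
}
```

Run it once as an unprivileged user: the bit is set before anything is exec()ed, and because it is sticky the check after exec() still reports it. Setting it in a test harness is harmless but irreversible for that process.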
Matthias Clasen a2f9562989 Teach completion about --runtime 2015-02-08 11:32:17 +01:00
Alexander Larsson 4fad768593 Merge pull request #48 from matthiasclasen/prefix-ostree-errors
Prefix many ostree error messages
2015-02-08 01:15:59 +01:00
Alexander Larsson 6a7b43a3c5 Merge pull request #49 from matthiasclasen/quote-args
Quote commandline arguments
2015-02-08 01:14:59 +01:00
Alexander Larsson b2ec77fb2f Don't run xdg-app-helper as root
Instead of running as root we setuid to the real user, after
having assured that we have the minimum amount of capabilities
required (which we then drop at the end).

This means we create all files as the actual user, and we never
risk somehow reading a file that otherwise only root could read.
2015-02-08 01:09:44 +01:00
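The credential sequence the commit above describes, as an added example (not xdg-app's own code): keep only the capabilities the helper needs, switch every uid and gid to the real user so root cannot be regained, and drop the rest once the sandbox is set up. It uses the raw capget/capset syscalls (v3 ABI) so no libcap is required. The "needed" set of CAP_SYS_ADMIN and CAP_SYS_CHROOT is an assumption for the demo; the function names are mine.

```c
/* Added example (not xdg-app's own code): what a setuid-root helper can do
 * before touching any user-controlled path: keep only the capabilities it
 * needs, switch to the real user, and finally drop everything. Uses raw
 * capget/capset (v3 ABI), no libcap. NEEDED_CAPS is a demo assumption
 * (mount/pivot_root want CAP_SYS_ADMIN, chroot wants CAP_SYS_CHROOT). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define NEEDED_CAPS ((UINT64_C(1) << CAP_SYS_ADMIN) | (UINT64_C(1) << CAP_SYS_CHROOT))

/* Read the permitted and effective sets as 64-bit masks. Returns 0/-1. */
int cap_get(uint64_t *permitted, uint64_t *effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    *effective = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Write permitted/effective; inheritable is always cleared so nothing
 * survives an exec(). capset() only lets permitted shrink, so this can
 * never hand out more than the process already has. Returns 0/-1. */
int cap_set(uint64_t permitted, uint64_t effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    data[0].permitted = (uint32_t)permitted;
    data[1].permitted = (uint32_t)(permitted >> 32);
    data[0].effective = (uint32_t)effective;
    data[1].effective = (uint32_t)(effective >> 32);
    data[0].inheritable = data[1].inheritable = 0;
    return syscall(SYS_capset, &hdr, data) != 0 ? -1 : 0;
}

/* Step 1: become the real user while retaining NEEDED_CAPS.
 * Without PR_SET_KEEPCAPS, leaving uid 0 clears permitted and effective and
 * the helper would have nothing left for its mount setup. setres*() sets the
 * real, effective and saved ids together so root cannot be regained later.
 * Returns 0/-1. */
int become_real_user_with_caps(uid_t real_uid, gid_t real_gid)
{
    uint64_t p, e;

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setresgid(real_gid, real_gid, real_gid) != 0 ||
        setresuid(real_uid, real_uid, real_uid) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    /* Leaving uid 0 clears the effective set (permitted survives thanks to
     * KEEPCAPS); re-raise only what is needed and discard the rest for good. */
    if (cap_get(&p, &e) != 0)
        return -1;
    return cap_set(p & NEEDED_CAPS, p & NEEDED_CAPS);
}

/* Step 2, once the sandbox is set up: drop everything. Returns 0/-1. */
int drop_all_caps(void)
{
    return cap_set(0, 0);
}

/* 1 if both sets are empty, 0 if not, -1 on error. */
int caps_are_empty(void)
{
    uint64_t p, e;

    if (cap_get(&p, &e) != 0)
        return -1;
    return p == 0 && e == 0;
}

int main(void)
{
    /* In a real setuid-root helper getuid() is the caller and geteuid() is 0. */
    if (become_real_user_with_caps(getuid(), getgid()) != 0) {
        perror("become_real_user_with_caps");
        return 1;
    }
    /* ... mount namespace and bind mounts would be set up here ... */
    if (drop_all_caps() != 0) {
        perror("drop_all_caps");
        return 1;
    }
    printf("euid=%d caps empty=%d\n", (int)geteuid(), caps_are_empty());
    return 0;
}
```

Run unprivileged, the same sequence degrades gracefully to a no-op (the permitted set is already empty), which is the property you want from a helper that may or may not be installed setuid. A production helper would additionally shrink the capability bounding set with PR_CAPBSET_DROP while it still has CAP_SETPCAP.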
Matthias Clasen f412d38458 Quote commandline arguments
We don't expect branch or arch names to contain spaces. But if
they do, we should not fall over needlessly.
2015-02-07 18:38:29 +01:00
Matthias Clasen 41ea4e4ebc Prefix many ostree error messages
Some of the ostree error messages don't contain sufficient detail
to be useful, so use g_prefix_error to add some context.
2015-02-07 18:02:04 +01:00
Alexander Larsson f8e4343ff5 Merge pull request #43 from matthiasclasen/remote-title
Add a --title option to add-remote
2015-02-07 15:10:30 +01:00
Alexander Larsson ab91bbf925 Merge pull request #46 from matthiasclasen/run-env
Add a --forbid option to run
2015-02-07 13:26:13 +01:00
Matthias Clasen 2a1246d136 Add a prefix to the config key
This seems to be the common practice for git addons.
Colin recommends that we do the same for ostree config keys.
2015-02-07 12:01:48 +01:00
Matthias Clasen 763b378590 Add some debug spew
Show the access we allow.
2015-02-06 17:43:53 +01:00
Matthias Clasen c313cafbae Add a --forbid option to run
This allows us to restrict the access that the app gets out of
the sandbox. We allow an access if the app requests it (in its
metadata) and the user doesn't forbid it (with this option).
2015-02-06 17:39:20 +01:00
Alexander Larsson 0abf45b01b Merge pull request #44 from matthiasclasen/run-runtime
run-runtime
2015-02-06 16:15:55 +01:00
Matthias Clasen e5ee197b81 Add a --runtime option to run
The --runtime option lets us completely override the runtime that
is specified in the application metadata. This is useful for testing
compatibility of an application with runtimes.
2015-02-06 12:11:26 +01:00
Alexander Larsson 287a93742f Put system installed apps/runtimes in localstatedir (/var) 2015-02-06 11:59:38 +01:00
Alexander Larsson 3afe98d614 Try /tmp for .xdg-app-root if /run/user not available 2015-02-06 11:58:57 +01:00
Alexander Larsson 61ababa60e Make /proc/sysrq-trigger /proc/irq, /proc/bus read-only
We should normally not have any rights to write here, but if
we do that is pretty bad, so might as well cover them read-only
like e.g. docker does.
2015-02-06 11:21:01 +01:00
Matthias Clasen 06608ba7d5 Add a --title option to add-remote
This stores a string in the remote configuration which can
be used in UIs when talking about the remote.
2015-02-06 11:11:10 +01:00
Alexander Larsson 4903fe100d Remove unused removed dirs after install/uninstall 2015-02-05 22:50:38 +01:00
Alexander Larsson 6ea2391583 During undeploy, keep files around if they are in use
We check for a lock on the .ref file to detect if anything
is using a particular checkout before we remove it.
2015-02-05 22:47:48 +01:00
Alexander Larsson f1091127c5 Add locking of .ref files while a runtime/app is in use 2015-02-05 18:42:36 +01:00
Alexander Larsson 7c8fb83f20 Create files/.ref when deploying
This will be used later to avoid deleting active mounts.
They have to be created during deploy, because we are
then guaranteed to be able to write to the directory,
and we don't want the resulting file to be hardlinked
to any other deployment (as then locks could be shared).
2015-02-05 18:34:02 +01:00
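The three .ref commits above (create files/.ref at deploy, lock it while in use, check the lock before undeploy), as one added example that is not xdg-app's own code: an advisory flock(2) on a per-deployment file, created with O_EXCL so it can never be a hardlink shared with another deployment. The directory layout, file names and function names are constructed for the demo.

```c
/* Added example (not xdg-app's own code): a per-deployment files/.ref file
 * plus an advisory flock(2) to tell whether a checkout is still in use.
 * Directory layout and names are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/file.h>
#include <sys/stat.h>

static void ref_path(char *buf, size_t n, const char *deploy_dir)
{
    snprintf(buf, n, "%s/files/.ref", deploy_dir);
}

/* Deploy time: create files/.ref fresh. O_EXCL guarantees a new inode; the
 * file must never be a hardlink shared with another deployment, because
 * flock() locks the inode and one lock would then cover both. Returns 0/-1. */
int deploy_create_ref(const char *deploy_dir)
{
    char path[PATH_MAX];
    int fd;

    snprintf(path, sizeof path, "%s/files", deploy_dir);
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    ref_path(path, sizeof path, deploy_dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Run time: hold a shared lock for as long as the app or runtime is in use.
 * The fd is deliberately not O_CLOEXEC so the sandbox's pid 1 inherits it and
 * the lock lasts exactly as long as the instance. Returns the fd or -1. */
int run_hold_ref(const char *deploy_dir)
{
    char path[PATH_MAX];
    int fd;

    ref_path(path, sizeof path, deploy_dir);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_SH) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Undeploy: probe with a non-blocking exclusive lock. EWOULDBLOCK means a
 * running instance still holds LOCK_SH, so the files stay. Returns 1 if the
 * deployment was removed, 0 if it is busy, -1 on error. */
int undeploy_if_unused(const char *deploy_dir)
{
    char path[PATH_MAX];
    int fd, removed;

    ref_path(path, sizeof path, deploy_dir);
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int busy = errno == EWOULDBLOCK;
        close(fd);
        return busy ? 0 : -1;
    }
    /* Remove while still holding the lock, so a late starter fails to open
     * .ref rather than locking a file that is about to disappear. (An
     * instance that already opened .ref before the unlink still slips
     * through; a production version would re-check after the lock.) */
    removed = unlink(path) == 0;
    snprintf(path, sizeof path, "%s/files", deploy_dir);
    removed = removed && rmdir(path) == 0 && rmdir(deploy_dir) == 0;
    close(fd);
    return removed ? 1 : -1;
}

/* Deploy -> run -> undeploy attempts in a temporary directory. Returns 0 if
 * every step behaved as expected, else the number of the failing step. */
int ref_lock_scenario(void)
{
    char tmpl[] = "/tmp/xdg-app-ref-XXXXXX";
    char deploy_dir[PATH_MAX];
    int held, step = 0;

    if (!mkdtemp(tmpl))
        return 1;
    snprintf(deploy_dir, sizeof deploy_dir, "%s/deploy", tmpl);

    if (mkdir(deploy_dir, 0755) != 0 || deploy_create_ref(deploy_dir) != 0)
        step = 2;
    else if (deploy_create_ref(deploy_dir) == 0)   /* must refuse: O_EXCL */
        step = 3;
    else if ((held = run_hold_ref(deploy_dir)) < 0)
        step = 4;
    else {
        if (undeploy_if_unused(deploy_dir) != 0)   /* instance running: keep */
            step = 5;
        close(held);                                /* instance exits */
        if (step == 0 && undeploy_if_unused(deploy_dir) != 1)  /* removable */
            step = 6;
        if (step == 0 && undeploy_if_unused(deploy_dir) != -1) /* already gone */
            step = 7;
    }
    rmdir(tmpl);  /* succeeds only when the deployment really went away */
    return step;
}

int main(void)
{
    int rc = ref_lock_scenario();
    printf("%s\n", rc == 0 ? "lock protocol behaved as expected" : "a step failed");
    return rc;
}
```

Two open() calls on the same file get independent flock() state even inside one process, which is why the scenario can play both the running instance (LOCK_SH) and the undeploy probe (LOCK_EX|LOCK_NB) without forking.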
Alexander Larsson c4324ab630 Use a pid namespace
For the fully sandboxed case we *need* a pid sandbox, so we might as
well always use one to get the same setup always. There should really
be no need for a normal "app" to see host processes.

The other nice thing about this is that we get somewhere to run code
when the app stops, which means we can do things like delay uninstall
while apps are running.

The unfortunate drawback of this is that we get 2 extra processes per
app, one is the pid1 in the sandbox, and the other is the monitor
process to return the exit code to the spawner of xdg-app-helper.
2015-02-05 17:36:43 +01:00
Alexander Larsson 6f023b4ee3 Clean up namespace initialization
Rather than do the fork workaround we make / rslave, which means
we will still get new mounts/unmounts propagated to us from the root,
but will not leak any mounts to the host.

We also use a single directory in the users run dir as the mountpoint
for the tmpfs.
2015-02-05 11:34:43 +01:00
Alexander Larsson 55a3f413c2 build-finish: Don't error out on exports
gs_shutil_cp_a dies if the target exists, so only create the
parent dir before copying.
2015-02-03 10:53:02 +01:00
Alexander Larsson bc460da1c5 Don't make dconf runtime dir readonly
This breaks dconf
2015-02-03 10:52:34 +01:00
Alexander Larsson f66c232edf Mount /run/user/$uid/dconf if the app has access to $HOME
This is needed because while the dconf database is stored in
the home dir, the run dir is used to trigger re-mapping of the
database files.
2015-02-03 09:29:51 +01:00
Alexander Larsson ab3709aa83 Fix warning 2015-02-02 11:02:41 +01:00
Alexander Larsson db2019a8ff Merge pull request #41 from matthiasclasen/repo-update-manpage
Add repo-update man page to the build
2015-01-30 09:52:58 +01:00
Alexander Larsson 6c362273c3 Merge pull request #42 from matthiasclasen/kill-dotref
Don't create a useless .ref file
2015-01-30 09:51:13 +01:00
Matthias Clasen b01a6e3523 Don't create a useless .ref file
This serves no purpose.
2015-01-29 21:16:34 -05:00
Matthias Clasen 33e31213bd Add repo-update man page to the build 2015-01-29 14:42:31 -05:00
Matthias Clasen e28eaf1c1d Merge remote-tracking branch 'upstream/master' 2015-01-29 14:40:46 -05:00
Matthias Clasen 6417994d37 Revert "Fix a copy-paste error"
This reverts commit 1e36721951.
2015-01-29 14:39:26 -05:00
Alexander Larsson c83e3a7f83 Properly handle the session daemon not running 2015-01-29 15:11:51 +01:00
Alexander Larsson 2c50ebad51 Remove duplicated manpage 2015-01-29 11:23:20 +01:00
Alexander Larsson 57254de73a If the monitor dir is available, set the TZ env into it
This means we'll pull in changes from the timezone on the
host system.
2015-01-28 20:03:13 +01:00
Alexander Larsson a36122edc9 Make the /etc handling optional
The gnome-sdk-image build needs to actually write to /etc, so
we need to keep supporting it being a link to usr/etc.
2015-01-28 20:03:13 +01:00
Alexander Larsson 3a56d3f465 Call out to the session helper and get the monitor dir 2015-01-28 20:03:13 +01:00
Alexander Larsson fca4a16209 Add xdg-app-session-helper
This is a small app that makes copies of various system files to a directory
in /run so that the app sandbox can receive updates to these. This solves
the issue that we can't generally bind-mount say /etc/resolv.conf, because
it will be replaced with rename-over.
2015-01-28 20:03:13 +01:00
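Why the session helper copies files instead of bind-mounting them, and the copy it makes, as an added example (not xdg-app's own code): a bind mount of a single file pins an inode exactly as an open descriptor does, so an fd stands in for the mount here. The host replaces resolv.conf by rename-over, the pinned view goes stale, and a copy placed in a monitor directory (which the sandbox mounts as a whole, the same directory the TZ commit above points into) tracks the change. File names, contents and function names are constructed for the demo.

```c
/* Added example (not xdg-app's own code): why a bind mount of one host file
 * goes stale when the host replaces it with rename(2), and the copy-based
 * workaround. An open fd stands in for the bind mount (both pin the inode).
 * Names and contents are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write content to path atomically: temp file in the same directory, then
 * rename over. This is what resolvconf-style tools do to /etc/resolv.conf and
 * what the helper itself must do inside the monitor dir so the sandbox never
 * reads a half-written file. Returns 0/-1. */
int write_atomic(const char *path, const char *content)
{
    char tmp[PATH_MAX];
    size_t len = strlen(content);
    int fd, ok;

    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    ok = write(fd, content, len) == (ssize_t)len && fsync(fd) == 0;
    if (close(fd) != 0)
        ok = 0;
    if (!ok) {
        unlink(tmp);
        return -1;
    }
    return rename(tmp, path);
}

/* Read from offset 0 of an already open descriptor (the "pinned" view). */
static int read_fd(int fd, char *buf, size_t n)
{
    ssize_t got = pread(fd, buf, n - 1, 0);

    if (got < 0)
        return -1;
    buf[got] = '\0';
    return 0;
}

static int read_path(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC), rc;

    if (fd < 0)
        return -1;
    rc = read_fd(fd, buf, n);
    close(fd);
    return rc;
}

/* The helper's job for one file: copy the current host version into the
 * monitor directory. The sandbox bind-mounts that directory, not the file,
 * so a rename inside it is visible to the app. Returns 0/-1. */
int sync_to_monitor_dir(const char *host_path, const char *monitor_dir, const char *name)
{
    char buf[4096], dst[PATH_MAX];

    if (read_path(host_path, buf, sizeof buf) != 0)
        return -1;
    snprintf(dst, sizeof dst, "%s/%s", monitor_dir, name);
    return write_atomic(dst, buf);
}

/* Returns 0 when the pinned view is stale after the host's rename-over while
 * the monitor copy is current; otherwise the number of the failing step. */
int resolv_conf_scenario(void)
{
    char tmpl[] = "/tmp/xdg-app-monitor-XXXXXX";
    char host[PATH_MAX], monitor[PATH_MAX], copy[PATH_MAX], buf[4096];
    struct stat before, after;
    int pinned = -1, step = 0;

    if (!mkdtemp(tmpl))
        return 1;
    snprintf(host, sizeof host, "%s/resolv.conf", tmpl);
    snprintf(monitor, sizeof monitor, "%s/monitor", tmpl);
    snprintf(copy, sizeof copy, "%s/resolv.conf", monitor);

    if (mkdir(monitor, 0755) != 0 || write_atomic(host, "nameserver 10.0.0.1\n") != 0)
        step = 2;
    else if ((pinned = open(host, O_RDONLY | O_CLOEXEC)) < 0 || fstat(pinned, &before) != 0)
        step = 3;   /* "bind mount": pin the inode */
    else if (write_atomic(host, "nameserver 10.0.0.2\n") != 0 || stat(host, &after) != 0
             || after.st_ino == before.st_ino)
        step = 4;   /* host rewrote resolv.conf by rename-over: new inode */
    else if (read_fd(pinned, buf, sizeof buf) != 0 || strcmp(buf, "nameserver 10.0.0.1\n") != 0)
        step = 5;   /* the pinned view is stale */
    else if (sync_to_monitor_dir(host, monitor, "resolv.conf") != 0
             || read_path(copy, buf, sizeof buf) != 0 || strcmp(buf, "nameserver 10.0.0.2\n") != 0)
        step = 6;   /* the helper's copy tracks the host */

    if (pinned >= 0)
        close(pinned);
    unlink(copy); rmdir(monitor); unlink(host); rmdir(tmpl);
    return step;
}

int main(void)
{
    int rc = resolv_conf_scenario();
    printf("%s\n", rc == 0 ? "pinned view stale, monitor copy current" : "unexpected result");
    return rc;
}
```

The inode comparison at step 4 is the whole story: rename(2) swaps the directory entry, never the inode, so anything that captured the inode (a file bind mount, an open fd) keeps reading the old contents. Copying into a directory the sandbox already has mounted sidesteps this because the app resolves the name again on every open.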
Alexander Larsson 8fdc60ed7a xdg-app-helper: Make /etc a real directory
This makes /etc a real directory, with required files like passwd and
symlinks to all the other files in usr/etc.

This is required because we need to make /etc/localtime an actual
symlink whose value depends on the host state.
2015-01-28 20:03:13 +01:00
Matthias Clasen 1e36721951 Fix a copy-paste error
Build the repo-update man page, not the repo-contents man page twice.
2015-01-28 09:00:27 -05:00
Alexander Larsson 654ab3405e Merge pull request #38 from matthiasclasen/repo-update
Separate out repo-updating command
2015-01-26 13:16:17 +01:00
Alexander Larsson 6cf3a9ecfe Merge pull request #39 from matthiasclasen/run-error
Don't leak an error
2015-01-26 13:15:34 +01:00
Matthias Clasen 45aabf06d9 Don't leak an ignored error
Runtime metadata is optional, so don't leak an error we get
when the file is not found. Properly ignore it by passing NULL
as the error.
2015-01-25 11:07:03 -05:00
Matthias Clasen a4a25a4a64 Add some debug output to the run command
Show where the used applications and runtimes are located.
2015-01-24 22:20:22 -05:00
Matthias Clasen 6c2f2fafa1 Add completion for repo-update 2015-01-24 22:01:57 -05:00
Matthias Clasen 29151659ae Document repo-update 2015-01-24 21:54:55 -05:00