This was using libflatpak which is the public API, instead of the internal
library, so it was breaking in all sorts of mysterious ways. This is fixed
by just directly calling the lowlevel common/* APIs.
Also, it didn't properly handle the case where the sandboxed app passed a
path that was not in /app, this should be allowed if the fd validation
passes, that is the whole point of the checks after all.
When the document portal is called from within the sandbox with an
app-private file path, translate the path to a document portal URI in
order to make it available to other applications.
As soon as we get our D-Bus name, we can start receiving method calls. If
we reply immediately, callers will think our mount point is ready.
In particular, if FUSE is unavailable, we want "flatpak run" to proceed
with no document portal; it currently tries and fails to bind-mount the
nonexistent document portal mount-point into the container.
Signed-off-by: Simon McVittie <smcv@debian.org>
The xdp-impl-dbus.h header no longer exists - it came from an
earlier version of the document commands branch where I introduced
a separate interface. Just drop the include, it is not needed.
The magic inode numbers we used before are problematic.
The inode nrs are tied to the file names, so inode changes on rename, which breaks posix expectations.
Also, it relied on 64bit inode space which is not true on i386.
So, this is a new implementation that uses a more traditional approach
of dynamically allocating inodes as needed.
These document id will not be shared for multiple users. The main
difference is this this makes it safe for the creating app to delete
the document if he wants to (i.e. for temporary docs), and thus we can
grant this additional permission for the calling app.
In order to be robust against symlink attacks (i.e. make a document
for a path, then replace it with a symlink somewhere else and have the
portal read that instead) we store the parent dev/ino when we create
the document id and always verify that (atomically with the *at
syscalls) on each use.
Also, we pass O_PATH fds when creating documents, as it allows us
to be a bit safer. For instance we can verify that the fd is a O_PATH
fd before doing any ops on it, and it makes it possible to avoid other
symlink trickery.
Also, we drop the double add methods, and just use the O_PATH version.