forked from Mirrors/flatpak-builder
906b3b5871
If the downloaded app has a "xa.extra-data-sources" property in the commit, then we download these as part of the pull operation and store the result in the commitmeta object in the repo. Then during deploy we look at the xa.extra-data-sources properties again and extract them from the commitmeta into /app/extra in the app, and afterwards we run /app/bin/apply_extra in a minimal sandbox that has read-write access to /app/extra, but nowhere else. There are some complexities: We need to re-verify when extracting, because the commitmeta is not really signed, so we could have picked up random stuff there from the upstream repo, or from an attacker misusing the system-helper local install codepath. When using the system-helper the pull will fail if the commitmeta is to large, so we have some code in this case to manually transfer the larger commitmeta on the side to the local-pull code. |
||
|---|---|---|
| .. | ||
| Makefile.am.inc | ||
| flatpak-system-helper.c | ||
| flatpak-system-helper.service.in | ||
| org.freedesktop.Flatpak.SystemHelper.conf | ||
| org.freedesktop.Flatpak.SystemHelper.service.in | ||
| org.freedesktop.Flatpak.policy.in | ||
| org.freedesktop.Flatpak.rules.in | ||