From 7e1fba3ae13f142bd705e9ccb8901f6ea1cac13f Mon Sep 17 00:00:00 2001
From: Harald Sitter
Date: Thu, 20 Feb 2025 03:17:10 +0100
Subject: [PATCH] exports: add host-complete

host-complete is the sledgehammer permission for file browser and similar apps that the user might want to give full access to. this works same as the existing host keywords by mounting into /run/host/complete. applications will need adjustments to essentially treat that path as "root". since this opens the door to all sorts of malicious software I'd advise putting this permission under tight review in flatpak repositories.

Resolves: #5723
---
 common/flatpak-context.c | 11 +++++++++--
 common/flatpak-exports-private.h | 2 ++
 common/flatpak-exports.c | 25 +++++++++++++++++++++++++
 doc/flatpak-build-finish.xml | 4 ++--
 doc/flatpak-build.xml | 4 ++--
 doc/flatpak-metadata.xml | 15 ++++++++++++++-
 doc/flatpak-override.xml | 4 ++--
 doc/flatpak-run.xml | 2 +-
 8 files changed, 57 insertions(+), 10 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index c2038cd24e..943752eb83 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -94,6 +94,7 @@ const char *flatpak_context_special_filesystems[] = {
   "host-etc",
   "host-os",
   "host-reset",
+  "host-complete",
   NULL
 };
 
@@ -1033,7 +1034,7 @@ flatpak_context_parse_filesystem (const char *filesystem_and_mode,
     }
 
   g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
-               _("Unknown filesystem location %s, valid locations are: host, host-os, host-etc, home, xdg-*[/…], ~/dir, /dir"), filesystem);
+               _("Unknown filesystem location %s, valid locations are: host, host-os, host-etc, host-complete, home, xdg-*[/…], ~/dir, /dir"), filesystem);
   return FALSE;
 }
 
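Review bot: The man-page copies of the keyword list are not consistent with the string updated in this hunk: the doc/flatpak-build.xml --nofilesystem hunk reads `host-etc, host-complete xdg-desktop` (no comma after host-complete), and the new doc/flatpak-metadata.xml entry still says `Available since TBD.` where the neighbouring entries name a version. Both should be settled in this commit, since this string is what a user sees after mistyping a keyword and the man pages are where they look next. flatpak_context_parse_filesystem starts outside the hunk.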
@@ -2839,7 +2840,7 @@ flatpak_context_export (FlatpakContext *context,
 {
   gboolean home_access = FALSE;
   g_autoptr(GString) xdg_dirs_conf = NULL;
-  FlatpakFilesystemMode fs_mode, os_mode, etc_mode, home_mode;
+  FlatpakFilesystemMode fs_mode, os_mode, etc_mode, complete_mode, home_mode;
   GHashTableIter iter;
   gpointer key, value;
   g_autoptr(GError) local_error = NULL;
@@ -2906,6 +2907,12 @@ flatpak_context_export (FlatpakContext *context,
   if (etc_mode != FLATPAK_FILESYSTEM_MODE_NONE)
     flatpak_exports_add_host_etc_expose (exports, etc_mode);
 
+  complete_mode = MAX (GPOINTER_TO_INT (g_hash_table_lookup (context->filesystems, "host-complete")),
+                       fs_mode);
+
+  if (complete_mode != FLATPAK_FILESYSTEM_MODE_NONE)
+    flatpak_exports_add_host_complete_expose (exports, complete_mode);
+
   home_mode = GPOINTER_TO_INT (g_hash_table_lookup (context->filesystems, "home"));
   if (home_mode != FLATPAK_FILESYSTEM_MODE_NONE)
     {
diff --git a/common/flatpak-exports-private.h b/common/flatpak-exports-private.h
index 5be4978f3a..bb6f5753d3 100644
--- a/common/flatpak-exports-private.h
+++ b/common/flatpak-exports-private.h
@@ -43,6 +43,8 @@ void flatpak_exports_add_host_etc_expose (FlatpakExports *exports,
                                           FlatpakFilesystemMode mode);
 void flatpak_exports_add_host_os_expose (FlatpakExports *exports,
                                          FlatpakFilesystemMode mode);
+void flatpak_exports_add_host_complete_expose (FlatpakExports *exports,
+                                               FlatpakFilesystemMode mode);
 gboolean flatpak_exports_add_path_expose (FlatpakExports *exports,
                                           FlatpakFilesystemMode mode,
                                           const char *path,
diff --git a/common/flatpak-exports.c b/common/flatpak-exports.c
index b6fb9d1a7a..1196ec3cf7 100644
--- a/common/flatpak-exports.c
+++ b/common/flatpak-exports.c
@@ -157,6 +157,7 @@ struct _FlatpakExports
   FlatpakFilesystemMode host_etc;
   FlatpakFilesystemMode host_os;
   int host_fd;
+  FlatpakFilesystemMode host_complete;
   FlatpakExportsTestFlags test_flags;
 };
 
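Review bot: `complete_mode = MAX (..., fs_mode)` makes plain `--filesystem=host` imply host-complete at the same mode, so every app that already has host access would receive the /run/host/complete bind of the host root with no change to its metadata, which does not match the commit message's framing of host-complete as a separate permission to be reviewed tightly. The os_mode and etc_mode lines above follow the same pattern, but as far as I can tell the `host` keyword is implemented elsewhere as per-directory exports that leave parts of the tree out, so this fallback grants more than `host` did before rather than mirroring it. Unless the implication is intended and documented in doc/flatpak-metadata.xml, drop the fallback: `complete_mode = GPOINTER_TO_INT (g_hash_table_lookup (context->filesystems, "host-complete"));`. flatpak_context_export continues outside the hunk.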
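Review bot: `host_complete` is declared after `int host_fd` instead of next to the `host_etc` and `host_os` mode fields it is processed alongside, which splits the group of FlatpakFilesystemMode members in the struct. Moving it up one line keeps the modes together, and since this field stands for a bind of the whole host root a short comment is worth having: `FlatpakFilesystemMode host_complete; /* host / at /run/host/complete */`. struct _FlatpakExports starts outside the hunk.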
@@ -643,6 +644,20 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
                              etc_bind_mode, "/etc", "/run/host/etc", NULL);
     }
 
+  g_assert (exports->host_complete >= FLATPAK_FILESYSTEM_MODE_NONE);
+  g_assert (exports->host_complete <= FLATPAK_FILESYSTEM_MODE_LAST);
+
+  if (exports->host_complete != FLATPAK_FILESYSTEM_MODE_NONE)
+    {
+      const char *complete_bind_mode = "--bind";
+
+      if (exports->host_complete == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
+        complete_bind_mode = "--ro-bind";
+
+      flatpak_bwrap_add_args (bwrap,
+                              complete_bind_mode, "/", "/run/host/complete", NULL);
+    }
+
   /* As per the os-release specification https://www.freedesktop.org/software/systemd/man/os-release.html
    * always read-only bind-mount /etc/os-release if it exists, or /usr/lib/os-release as a fallback from
    * the host into the application's /run/host */
@@ -1134,3 +1149,13 @@ flatpak_exports_add_host_os_expose (FlatpakExports *exports,
 
   exports->host_os = mode;
 }
+
+void
+flatpak_exports_add_host_complete_expose (FlatpakExports *exports,
+                                          FlatpakFilesystemMode mode)
+{
+  g_return_if_fail (mode > FLATPAK_FILESYSTEM_MODE_NONE);
+  g_return_if_fail (mode <= FLATPAK_FILESYSTEM_MODE_LAST);
+
+  exports->host_complete = mode;
+}
diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml
index fc85fadaff..f0a3e773b0 100644
--- a/doc/flatpak-build-finish.xml
+++ b/doc/flatpak-build-finish.xml
@@ -234,7 +234,7 @@ Allow the application access to a subset of the filesystem. This updates the [Context] group in the metadata.
- FS can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FS can be one of: home, host, host-os, host-etc, host-complete, xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
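Review bot: The `--bind`/`--ro-bind` of `"/"` onto `/run/host/complete` binds the host root together with, as far as I know of bwrap's bind semantics, every mount beneath it, so host /proc, /sys, /dev and /run (including the user's runtime directory and the sockets in it) come along, and `--ro-bind` only prevents file writes, not connecting to those sockets or ioctl on device nodes, which makes the read-only mode much weaker than the host-etc case just above it. Nothing in the hunk masks those subtrees or records the caveat. At minimum a comment above the if block should say so, e.g. `/* Recursive bind of the host root: this also exposes host /proc, /sys, /dev and /run; --ro-bind limits file writes only, not socket or device access. */`, and it is worth deciding whether the virtual filesystems should be masked after the bind. flatpak_exports_append_bwrap_args starts and ends outside the hunk.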
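Review bot: `flatpak_exports_add_host_complete_expose` lands without a comment saying what the request amounts to, which matters more here than for its siblings because the tree it exposes is the entire host root; suggest heading it with `/* Request a bind of the host's / at /run/host/complete; any mode other than READ_ONLY produces a read-write bind. */`. The `g_return_if_fail (mode > FLATPAK_FILESYSTEM_MODE_NONE)` precondition is consistent with the caller filtering NONE first, but the comment should state that NONE is rejected rather than treated as "no export", since a future caller could reasonably expect the latter.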
@@ -254,7 +254,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata.
- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FILESYSTEM can be one of: home, host, host-os, host-etc, host-complete, xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times.
diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml
index be432c868a..da4cdafad2 100644
--- a/doc/flatpak-build.xml
+++ b/doc/flatpak-build.xml
@@ -223,7 +223,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata.
- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FILESYSTEM can be one of: home, host, host-os, host-etc, host-complete, xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths relative to the xdg dirs, like xdg-download/subdir.
@@ -243,7 +243,7 @@ Remove access to the specified subset of the filesystem from the application. This overrides to the Context section from the application metadata.
- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FILESYSTEM can be one of: home, host, host-os, host-etc, host-complete xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a homedir-relative path like ~/dir. This option can be used multiple times.
diff --git a/doc/flatpak-metadata.xml b/doc/flatpak-metadata.xml
index 01373fb17d..9b8d077d55 100644
--- a/doc/flatpak-metadata.xml
+++ b/doc/flatpak-metadata.xml
@@ -344,6 +344,19 @@ Available since 1.7. + + + The complete host operating system /. + + To avoid conflicting with the Flatpak runtime, this is mounted in the sandbox at /run/host/complete. + + Available since TBD. + + , , ,
@@ -728,7 +741,7 @@ The default policy for the session bus only allows the application to own its own application ID, its
- subnames and its own application id as a subname of
+ subnames and its own application id as a subname of
 "org.mpris.MediaPlayer2". For instance if the app is called "org.my.App", it can only own "org.my.App", "org.my.App.*" and "org.mpris.MediaPlayer2.org.my.App".
diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
index a642109dfa..a14f5ca6d7 100644
--- a/doc/flatpak-override.xml
+++ b/doc/flatpak-override.xml
@@ -51,7 +51,7 @@ flatpak override.
- The application overrides are saved in text files residing in $XDG_DATA_HOME/flatpak/overrides in user mode.
+ The application overrides are saved in text files residing in $XDG_DATA_HOME/flatpak/overrides in user mode.
 If the application ID APP is not specified
@@ -211,7 +211,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata.
- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FILESYSTEM can be one of: home, host, host-os, host-etc, host-complete, xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
index 20899c8391..baf0ea879f 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -402,7 +402,7 @@ Allow the application access to a subset of the filesystem. This overrides to the Context section from the application metadata.
- FILESYSTEM can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
+ FILESYSTEM can be one of: home, host, host-os, host-etc, host-complete, xdg-desktop, xdg-documents, xdg-download,
 xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or a homedir-relative path like ~/dir or paths