
Commit 445bdde

committed
Make --nofilesystem=host/home remove access to subdirs of those
Previously --nofilesystem=host only removed access to the `host` permission specifically, and not necessarily other filesystems (like `home` or `/some/path`). This isn't very useful for limiting access, because you don't know what other filesystems the app may have access to. We change this to mean that `--nofilesystem=host` removes *all* filesystem access from the parent layer, and `--nofilesystem=home` removes all file access to the homedir and paths inside it. The available layers are, in order: * app permissions * overrides * commandline args This allows you to start from scratch with the filesystem permissions in the overrides or on the commandline. This is a small change in behaviour, but not a lot of things use --nofilesystem, and the ones that do probably expect this behaviour.
1 parent 54ec1a4 commit 445bdde

1 file changed

+62
-0
lines changed

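--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -852,6 +852,31 @@ flatpak_context_parse_filesystem (const char *filesystem_and_mode,
 return FALSE;
 }
 
+/* Note: This only works with valid keys, i.e. they passed flatpak_context_parse_filesystem */
+static gboolean
+flatpak_filesystem_key_in_home (const char *filesystem)
+{
+/* "home" is definitely in home */
+if (strcmp (filesystem, "home") == 0)
+return TRUE;
+
+/* All the other special fs:es are non-home.
+* Note: This considers absolute paths that are in the homedir as non-home.
+*/
+if (g_strv_contains (flatpak_context_special_filesystems, filesystem) ||
+g_str_has_prefix (filesystem, "/"))
+return FALSE;
+
+/* Files in xdg-run are not in home */
+if (g_str_has_prefix (filesystem, "xdg-run"))
+return FALSE;
+
+/* All remaining keys (~/, xdg-data, etc) are considered in home,
+* Note: technically $XDG_HOME_DATA could point outside the homedir, but we ignore that.
+*/
+return TRUE;
+}
+
 static void
 flatpak_context_take_filesystem (FlatpakContext *context,
 char *fs,
@@ -866,6 +891,8 @@ flatpak_context_merge (FlatpakContext *context,
 {
 GHashTableIter iter;
 gpointer key, value;
+gboolean no_home = FALSE;
+gboolean no_host = FALSE;
 
 context->shares &= ~other->shares_valid;
 context->shares |= other->shares;
@@ -888,6 +915,41 @@ flatpak_context_merge (FlatpakContext *context,
 while (g_hash_table_iter_next (&iter, &key, &value))
 g_hash_table_insert (context->persistent, g_strdup (key), value);
 
+/* We first handle all negative home and host as they override other
+keys than themselves from the parent */
+if (g_hash_table_lookup_extended (other->filesystems,
+"host",
+NULL, &value))
+{
+FlatpakFilesystemMode host_mode = GPOINTER_TO_INT (value);
+if (host_mode == FLATPAK_FILESYSTEM_MODE_NONE)
+no_host = TRUE;
+}
+
+if (g_hash_table_lookup_extended (other->filesystems,
+"home",
+NULL, &value))
+{
+FlatpakFilesystemMode home_mode = GPOINTER_TO_INT (value);
+if (home_mode == FLATPAK_FILESYSTEM_MODE_NONE)
+no_home = TRUE;
+}
+
+if (no_host)
+{
+g_hash_table_remove_all (context->filesystems);
+}
+else if (no_home)
+{
+g_hash_table_iter_init (&iter, context->filesystems);
+while (g_hash_table_iter_next (&iter, &key, &value))
+{
+if (flatpak_filesystem_key_in_home ((const char *)key))
+g_hash_table_iter_remove (&iter);
+}
+}
+
+/* Then set the new ones, which includes propagating the nohost and nohome ones. */
 g_hash_table_iter_init (&iter, other->filesystems);
 while (g_hash_table_iter_next (&iter, &key, &value))
 g_hash_table_insert (context->filesystems, g_strdup (key), value);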
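Review bot: flatpak_filesystem_key_in_home returns FALSE for every key starting with "/", so a parent-layer grant given as an absolute path under the home directory (for example `/home/<user>/Documents`, placeholder) survives the `no_home` sweep in flatpak_context_merge, while the commit message promises that `--nofilesystem=home` removes access to "the homedir and paths inside it". The in-code comment at new line 864 acknowledges this, but a user reading only the option's description would expect the stronger guarantee, so the gap should be either closed or stated where the option is documented. If it is to be closed, the absolute-path branch could compare the key against `g_get_home_dir ()` on a path-component boundary (so a sibling such as `/home/<user>2` is not matched) before deciding it is non-home; symlinks and `..` components are a separate canonicalisation question this hunk does not touch. flatpak_context_merge begins before the second hunk and its remaining body lies outside the diff.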
