[gnome-software/wip/hughsie/sandbox-escape: 6/6] Notify the user when an application can escape the sandbox
- From: Kalev Lember <klember src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-software/wip/hughsie/sandbox-escape: 6/6] Notify the user when an application can escape the sandbox
- Date: Mon, 15 Jul 2019 07:43:56 +0000 (UTC)
commit 66939691a7e0f7846570bc280e2b80f210077cd2
Author: Richard Hughes <richard hughsie com>
Date: Fri Jul 12 15:29:21 2019 +0100
Notify the user when an application can escape the sandbox
Fixes https://gitlab.gnome.org/GNOME/gnome-software/issues/704
lib/gs-app.h | 1 +
plugins/flatpak/gs-flatpak.c | 6 +++++-
src/gs-details-page.c | 1 +
src/gs-update-dialog.c | 1 +
4 files changed, 8 insertions(+), 1 deletion(-)
---
diff --git a/lib/gs-app.h b/lib/gs-app.h
index cc3aa9cc..12cba966 100644
--- a/lib/gs-app.h
+++ b/lib/gs-app.h
@@ -146,6 +146,7 @@ typedef enum {
GS_APP_PERMISSIONS_DOWNLOADS_READ = 1 << 10,
GS_APP_PERMISSIONS_SETTINGS = 1 << 11,
GS_APP_PERMISSIONS_X11 = 1 << 12,
+ GS_APP_PERMISSIONS_ESCAPE_SANDBOX = 1 << 13,
/*< private >*/
GS_APP_PERMISSIONS_LAST
} GsAppPermissions;
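Review bot: GS_APP_PERMISSIONS_ESCAPE_SANDBOX is added without any description of what qualifies an app for it, and the name is much broader than the single condition that sets it in this commit (a session-bus policy entry for `org.freedesktop.Flatpak` in plugins/flatpak/gs-flatpak.c). A short comment such as `/* app can talk to a host service that lets it leave the sandbox */` would tell other plugin authors when to set the flag. If the enum has a gtk-doc block above the hunk, the new member presumably needs an entry there as well; the typedef begins outside the hunk.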
diff --git a/plugins/flatpak/gs-flatpak.c b/plugins/flatpak/gs-flatpak.c
index a62355ed..d7969c95 100644
--- a/plugins/flatpak/gs-flatpak.c
+++ b/plugins/flatpak/gs-flatpak.c
@@ -148,6 +148,11 @@ perms_from_metadata (GKeyFile *keyfile)
permissions |= GS_APP_PERMISSIONS_SETTINGS;
g_free (str);
+ str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+ if (str != NULL && g_str_equal (str, "talk"))
+ permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
+ g_free (str);
+
/* no permissions set */
if (permissions == GS_APP_PERMISSIONS_UNKNOWN)
return GS_APP_PERMISSIONS_NONE;
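Review bot: The new check in perms_from_metadata sets GS_APP_PERMISSIONS_ESCAPE_SANDBOX only when the `org.freedesktop.Flatpak` entry is exactly `talk`, so an entry of `own`, which in Flatpak's bus policy grants at least what `talk` does, leaves the flag unset and the user unwarned. The comparison should accept both values: `if (str != NULL && (g_str_equal (str, "talk") || g_str_equal (str, "own")))`. The exact-key lookup also cannot see a wildcard policy entry that covers this name (for example `org.freedesktop.*`), and unfiltered session-bus access granted through the context sockets would presumably reach the same service. If neither case is handled outside the hunk, they deserve a follow-up or at least a comment stating the limitation. The function starts before and continues after this hunk.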
@@ -188,7 +193,6 @@ gs_flatpak_set_update_permissions (GsFlatpak *self, GsApp *app, FlatpakInstalled
g_bytes_get_data (bytes, NULL),
g_bytes_get_size (bytes),
0, NULL);
-
permissions = perms_from_metadata (keyfile) & ~perms_from_metadata (old_keyfile);
}
diff --git a/src/gs-details-page.c b/src/gs-details-page.c
index 5784250a..b80a4438 100644
--- a/src/gs-details-page.c
+++ b/src/gs-details-page.c
@@ -955,6 +955,7 @@ static struct {
{ GS_APP_PERMISSIONS_DOWNLOADS_READ, N_("Downloads folder"), N_("Can view files") },
{ GS_APP_PERMISSIONS_SETTINGS, N_("Settings"), N_("Can view and change any settings") },
{ GS_APP_PERMISSIONS_X11, N_("Legacy display system"), N_("Uses an old, insecure display system") },
+ { GS_APP_PERMISSIONS_ESCAPE_SANDBOX, N_("Sandbox escape"), N_("Can escape the sandbox and circumvent any
other restrictions") },
};
static void
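Review bot: The row added here is repeated verbatim in the table in src/gs-update-dialog.c later in this commit, so the two user-facing permission lists can drift apart the next time a flag is added to only one of them. Until the table is shared, a comment above each copy, such as `/* keep in sync with the permission table in src/gs-update-dialog.c */`, would make the coupling explicit. If this file ranks permissions by severity anywhere outside the hunk, it is worth confirming that the new flag lands in the most severe tier, since its description says it circumvents every other restriction. The table's declaration starts above the hunk.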
diff --git a/src/gs-update-dialog.c b/src/gs-update-dialog.c
index 56460db0..7d9f0a77 100644
--- a/src/gs-update-dialog.c
+++ b/src/gs-update-dialog.c
@@ -101,6 +101,7 @@ static struct {
{ GS_APP_PERMISSIONS_DOWNLOADS_READ, N_("Downloads folder"), N_("Can view files") },
{ GS_APP_PERMISSIONS_SETTINGS, N_("Settings"), N_("Can view and change any settings") },
{ GS_APP_PERMISSIONS_X11, N_("Legacy display system"), N_("Uses an old, insecure display system") },
+ { GS_APP_PERMISSIONS_ESCAPE_SANDBOX, N_("Sandbox escape"), N_("Can escape the sandbox and circumvent any
other restrictions") },
};
static void