[gnome-software/1701-permissions-context-tile-says-has-access-to-no-files-even-if-flatpak-app-has-access-to] gs-details-page: "Cannot access the file system at all" shown incorrectly
- From: Milan Crha <mcrha src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-software/1701-permissions-context-tile-says-has-access-to-no-files-even-if-flatpak-app-has-access-to] gs-details-page: "Cannot access the file system at all" shown incorrectly
- Date: Fri, 8 Apr 2022 08:04:22 +0000 (UTC)
commit 393e624707beb3af4c75e3af420142256837c3e6
Author: Milan Crha <mcrha redhat com>
Date: Fri Apr 8 10:00:13 2022 +0200
gs-details-page: "Cannot access the file system at all" shown incorrectly
It was more like "Cannot access the files/dirs known to the Software",
than a generic file system. Let the Flatpak check also for the "other"
files and set the flag for it, which is used in the GUI.
Closes https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1701
lib/gs-app.h | 1 +
plugins/flatpak/gs-flatpak.c | 52 ++++++++++++++++++++++++++++--------------
src/gs-app-context-bar.c | 7 ++++++
src/gs-app-details-page.c | 1 +
src/gs-safety-context-dialog.c | 13 +++++++++++
5 files changed, 57 insertions(+), 17 deletions(-)
---
diff --git a/lib/gs-app.h b/lib/gs-app.h
index 325dfd86d..548fc403a 100644
--- a/lib/gs-app.h
+++ b/lib/gs-app.h
@@ -205,6 +205,7 @@ typedef enum {
GS_APP_PERMISSIONS_SETTINGS = 1 << 11,
GS_APP_PERMISSIONS_X11 = 1 << 12,
GS_APP_PERMISSIONS_ESCAPE_SANDBOX = 1 << 13,
+ GS_APP_PERMISSIONS_FILESYSTEM_OTHER = 1 << 14,
GS_APP_PERMISSIONS_LAST /*< skip >*/
} GsAppPermissions;
diff --git a/plugins/flatpak/gs-flatpak.c b/plugins/flatpak/gs-flatpak.c
index b67bc91e9..d62e1a26d 100644
--- a/plugins/flatpak/gs-flatpak.c
+++ b/plugins/flatpak/gs-flatpak.c
@@ -241,23 +241,41 @@ perms_from_metadata (GKeyFile *keyfile)
g_strfreev (strv);
strv = g_key_file_get_string_list (keyfile, "Context", "filesystems", NULL, NULL);
- if (strv != NULL && (g_strv_contains ((const gchar * const *)strv, "home") ||
- g_strv_contains ((const gchar * const *)strv, "home:rw")))
- permissions |= GS_APP_PERMISSIONS_HOME_FULL;
- else if (strv != NULL && g_strv_contains ((const gchar * const *)strv, "home:ro"))
- permissions |= GS_APP_PERMISSIONS_HOME_READ;
- if (strv != NULL && (g_strv_contains ((const gchar * const *)strv, "host") ||
- g_strv_contains ((const gchar * const *)strv, "host:rw")))
- permissions |= GS_APP_PERMISSIONS_FILESYSTEM_FULL;
- else if (strv != NULL && g_strv_contains ((const gchar * const *)strv, "host:ro"))
- permissions |= GS_APP_PERMISSIONS_FILESYSTEM_READ;
- if (strv != NULL && (g_strv_contains ((const gchar * const *)strv, "xdg-download") ||
- g_strv_contains ((const gchar * const *)strv, "xdg-download:rw")))
- permissions |= GS_APP_PERMISSIONS_DOWNLOADS_FULL;
- else if (strv != NULL && g_strv_contains ((const gchar * const *)strv, "xdg-download:ro"))
- permissions |= GS_APP_PERMISSIONS_DOWNLOADS_READ;
- if (strv != NULL && g_strv_contains ((const gchar * const *)strv,
"xdg-data/flatpak/overrides:create"))
- permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
+ if (strv != NULL) {
+ struct {
+ const gchar *key;
+ GsAppPermissions perm;
+ } filesystems_access[] = {
+ { "home", GS_APP_PERMISSIONS_HOME_FULL },
+ { "home:rw", GS_APP_PERMISSIONS_HOME_FULL },
+ { "home:ro", GS_APP_PERMISSIONS_HOME_READ },
+ { "host", GS_APP_PERMISSIONS_FILESYSTEM_FULL },
+ { "host:rw", GS_APP_PERMISSIONS_FILESYSTEM_FULL },
+ { "host:ro", GS_APP_PERMISSIONS_FILESYSTEM_READ },
+ { "xdg-download", GS_APP_PERMISSIONS_DOWNLOADS_FULL },
+ { "xdg-download:rw", GS_APP_PERMISSIONS_DOWNLOADS_FULL },
+ { "xdg-download:ro", GS_APP_PERMISSIONS_DOWNLOADS_READ },
+ { "xdg-data/flatpak/overrides:create", GS_APP_PERMISSIONS_ESCAPE_SANDBOX }
+ };
+ guint filesystems_hits = 0;
+
+ for (guint i = 0; i < G_N_ELEMENTS (filesystems_access); i++) {
+ if (g_strv_contains ((const gchar * const *) strv, filesystems_access[i].key)) {
+ permissions |= filesystems_access[i].perm;
+ filesystems_hits++;
+ }
+ }
+
+ if ((permissions & GS_APP_PERMISSIONS_HOME_FULL) != 0)
+ permissions = permissions & ~GS_APP_PERMISSIONS_HOME_READ;
+ if ((permissions & GS_APP_PERMISSIONS_FILESYSTEM_FULL) != 0)
+ permissions = permissions & ~GS_APP_PERMISSIONS_FILESYSTEM_READ;
+ if ((permissions & GS_APP_PERMISSIONS_DOWNLOADS_FULL) != 0)
+ permissions = permissions & ~GS_APP_PERMISSIONS_DOWNLOADS_READ;
+
+ if (g_strv_length (strv) > filesystems_hits)
+ permissions |= GS_APP_PERMISSIONS_FILESYSTEM_OTHER;
+ }
g_strfreev (strv);
str = g_key_file_get_string (keyfile, "Session Bus Policy", "ca.desrt.dconf", NULL);
diff --git a/src/gs-app-context-bar.c b/src/gs-app-context-bar.c
index ea1e8938f..0e88aecd6 100644
--- a/src/gs-app-context-bar.c
+++ b/src/gs-app-context-bar.c
@@ -333,6 +333,13 @@ update_safety_tile (GsAppContextBar *self)
* It’s used in a context tile, so should be short. */
_("Can read your downloads"));
break;
+ case GS_APP_PERMISSIONS_FILESYSTEM_OTHER:
+ add_to_safety_rating (&chosen_rating, descriptions,
+ SAFETY_POTENTIALLY_UNSAFE,
+ /* Translators: This indicates an app can access data in the
system unknown to the Software.
+ * It’s used in a context tile, so should be short. */
+ _("Can access arbitrary files"));
+ break;
case GS_APP_PERMISSIONS_SETTINGS:
add_to_safety_rating (&chosen_rating, descriptions,
SAFETY_POTENTIALLY_UNSAFE,
diff --git a/src/gs-app-details-page.c b/src/gs-app-details-page.c
index 3b74e84d0..6eb39317d 100644
--- a/src/gs-app-details-page.c
+++ b/src/gs-app-details-page.c
@@ -73,6 +73,7 @@ static const struct {
{ GS_APP_PERMISSIONS_HOME_READ, N_("Home folder"), N_("Can view files") },
{ GS_APP_PERMISSIONS_FILESYSTEM_FULL, N_("File system"), N_("Can view, edit and create files") },
{ GS_APP_PERMISSIONS_FILESYSTEM_READ, N_("File system"), N_("Can view files") },
+ { GS_APP_PERMISSIONS_FILESYSTEM_OTHER, N_("File system"), N_("Can access arbitrary files") },
{ GS_APP_PERMISSIONS_DOWNLOADS_FULL, N_("Downloads folder"), N_("Can view, edit and create files") },
{ GS_APP_PERMISSIONS_DOWNLOADS_READ, N_("Downloads folder"), N_("Can view files") },
{ GS_APP_PERMISSIONS_SETTINGS, N_("Settings"), N_("Can view and change any settings") },
diff --git a/src/gs-safety-context-dialog.c b/src/gs-safety-context-dialog.c
index 3b82b626a..1cb955f1c 100644
--- a/src/gs-safety-context-dialog.c
+++ b/src/gs-safety-context-dialog.c
@@ -279,10 +279,23 @@ update_permissions_list (GsSafetyContextDialog *self)
_("Download Folder Read Access"),
_("Can read all data in your downloads directory"),
NULL, NULL, NULL);
+ add_permission_row (self->permissions_list, &chosen_rating,
+ ((permissions & GS_APP_PERMISSIONS_FILESYSTEM_OTHER) != 0 &&
+ !(permissions & (GS_APP_PERMISSIONS_FILESYSTEM_FULL |
+ GS_APP_PERMISSIONS_FILESYSTEM_READ |
+ GS_APP_PERMISSIONS_HOME_FULL |
+ GS_APP_PERMISSIONS_HOME_READ))),
+ GS_CONTEXT_DIALOG_ROW_IMPORTANCE_WARNING,
+ "folder-documents-symbolic",
+ /* Translators: This refers to permissions (for example, from flatpak)
which an app requests from the user. */
+ _("Access arbitrary files"),
+ _("Can access arbitrary files on the file system"),
+ NULL, NULL, NULL);
add_permission_row (self->permissions_list, &chosen_rating,
!(permissions & (GS_APP_PERMISSIONS_FILESYSTEM_FULL |
GS_APP_PERMISSIONS_FILESYSTEM_READ |
+ GS_APP_PERMISSIONS_FILESYSTEM_OTHER |
GS_APP_PERMISSIONS_HOME_FULL |
GS_APP_PERMISSIONS_HOME_READ |
GS_APP_PERMISSIONS_DOWNLOADS_FULL |
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
