[gnome-software/wip/hughsie/sandbox-escape] Notify the user when an application can escape the sandbox



commit 56bdbd89d89a85b93f8ba02954a6813fc789a658
Author: Richard Hughes <richard hughsie com>
Date:   Fri Jul 12 15:29:21 2019 +0100

    Notify the user when an application can escape the sandbox
    
    Fixes https://gitlab.gnome.org/GNOME/gnome-software/issues/704

 lib/gs-app.h                 | 1 +
 plugins/flatpak/gs-flatpak.c | 6 +++++-
 src/gs-details-page.c        | 1 +
 src/gs-update-dialog.c       | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)
---
diff --git a/lib/gs-app.h b/lib/gs-app.h
index cc3aa9cc..12cba966 100644
--- a/lib/gs-app.h
+++ b/lib/gs-app.h
@@ -146,6 +146,7 @@ typedef enum {
        GS_APP_PERMISSIONS_DOWNLOADS_READ       = 1 << 10,
        GS_APP_PERMISSIONS_SETTINGS             = 1 << 11,
        GS_APP_PERMISSIONS_X11                  = 1 << 12,
+       GS_APP_PERMISSIONS_ESCAPE_SANDBOX       = 1 << 13,
        /*< private >*/
        GS_APP_PERMISSIONS_LAST
 } GsAppPermissions;
diff --git a/plugins/flatpak/gs-flatpak.c b/plugins/flatpak/gs-flatpak.c
index a62355ed..d7969c95 100644
--- a/plugins/flatpak/gs-flatpak.c
+++ b/plugins/flatpak/gs-flatpak.c
@@ -148,6 +148,11 @@ perms_from_metadata (GKeyFile *keyfile)
                permissions |= GS_APP_PERMISSIONS_SETTINGS;
        g_free (str);
 
+       str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+       if (str != NULL && g_str_equal (str, "talk"))
+               permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
+       g_free (str);
+
        /* no permissions set */
        if (permissions == GS_APP_PERMISSIONS_UNKNOWN)
                return GS_APP_PERMISSIONS_NONE;
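Review bot: The added check in perms_from_metadata() sets GS_APP_PERMISSIONS_ESCAPE_SANDBOX only when the `org.freedesktop.Flatpak` key is exactly `talk`, so metadata that requests `own` on that name is not flagged even though, as far as I know, `own` is a superset of talk access. Suggest `if (str != NULL && (g_str_equal (str, "talk") || g_str_equal (str, "own")))`. The exact-key lookup presumably also misses a wildcard grant such as an `org.freedesktop.*` entry, or an unfiltered `session-bus` socket in the context section. It is worth confirming how flatpak evaluates bus policy and adding a comment that states which cases are deliberately out of scope, so the warning is not read as exhaustive. The function body begins above this hunk.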
@@ -188,7 +193,6 @@ gs_flatpak_set_update_permissions (GsFlatpak *self, GsApp *app, FlatpakInstalled
                                           g_bytes_get_data (bytes, NULL),
                                           g_bytes_get_size (bytes),
                                           0, NULL);
-
                permissions = perms_from_metadata (keyfile) & ~perms_from_metadata (old_keyfile);
        }
 
diff --git a/src/gs-details-page.c b/src/gs-details-page.c
index 5784250a..b80a4438 100644
--- a/src/gs-details-page.c
+++ b/src/gs-details-page.c
@@ -955,6 +955,7 @@ static struct {
   { GS_APP_PERMISSIONS_DOWNLOADS_READ, N_("Downloads folder"), N_("Can view files") },
   { GS_APP_PERMISSIONS_SETTINGS, N_("Settings"), N_("Can view and change any settings") },
   { GS_APP_PERMISSIONS_X11, N_("Legacy display system"), N_("Uses an old, insecure display system") },
+  { GS_APP_PERMISSIONS_ESCAPE_SANDBOX, N_("Sandbox escape"), N_("Can escape the sandbox and circumvent any other restrictions") },
 };
 
 static void
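Review bot: The new `GS_APP_PERMISSIONS_ESCAPE_SANDBOX` row is added to an anonymous `static struct` table here, and what appears to be the identical row is added again in src/gs-update-dialog.c, so the permission-to-text mapping lives in two copies that must be kept in step by hand. A future permission bit added to only one of them would leave either the details page or the update dialog silent about it, which matters for a warning of this kind. Consider moving the table into one shared helper, or at least putting a comment on each copy such as `/* keep in sync with the permission table in src/gs-update-dialog.c */`. The table definition starts above this hunk.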
diff --git a/src/gs-update-dialog.c b/src/gs-update-dialog.c
index 56460db0..7d9f0a77 100644
--- a/src/gs-update-dialog.c
+++ b/src/gs-update-dialog.c
@@ -101,6 +101,7 @@ static struct {
   { GS_APP_PERMISSIONS_DOWNLOADS_READ, N_("Downloads folder"), N_("Can view files") },
   { GS_APP_PERMISSIONS_SETTINGS, N_("Settings"), N_("Can view and change any settings") },
   { GS_APP_PERMISSIONS_X11, N_("Legacy display system"), N_("Uses an old, insecure display system") },
+  { GS_APP_PERMISSIONS_ESCAPE_SANDBOX, N_("Sandbox escape"), N_("Can escape the sandbox and circumvent any other restrictions") },
 };
 
 static void

