[gnome-control-center/applications-sandbox-escape] applications: Indicate when an app has permissions to escape the sandbox

[Felipe Borges <felipeborges src gnome org>]

commit 4aa472951ff5d1563afd042d056379587714e4c7
Author: Felipe Borges <felipeborges gnome org>
Date:   Thu Feb 18 12:02:32 2021 +0100

    applications: Indicate when an app has permissions to escape the sandbox
    
    Applications that can talk to "org.freedesktop.Flatpak" can run
    flatpak-spawn --host, circumventing the sandbox permissions and running
    arbitrary commands in the host.
    
    Inspired by https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/258
    
    Fixes #838

 panels/applications/cc-applications-panel.c | 4 ++++
 1 file changed, 4 insertions(+)
---
diff --git a/panels/applications/cc-applications-panel.c b/panels/applications/cc-applications-panel.c
index 6b9a1c05b..43d918219 100644
--- a/panels/applications/cc-applications-panel.c
+++ b/panels/applications/cc-applications-panel.c
@@ -848,6 +848,10 @@ add_static_permissions (CcApplicationsPanel *self,
   if (str && g_str_equal (str, "talk"))
     added += add_static_permission_row (self, _("Settings"), _("Can change settings"));
 
+  str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+  if (str && g_str_equal (str, "talk"))
+    added += add_static_permission_row (self, _("Sandbox Escape"), _("Can escape the sandbox and circumvent 
any other restrictions"));
+
   text = g_strdup_printf (_("%s has the following permissions built-in. These cannot be altered. If you are 
concerned about these permissions, consider removing this application."), g_app_info_get_display_name (info));
   gtk_label_set_label (self->builtin_label, text);