[gnome-control-center/applications-sandbox-escape: 10/10] applications: Indicate when an app has permissions to escape the sandbox

[Felipe Borges <felipeborges src gnome org>]

commit 58f85e0d3d9d489043890455d45e3c3861e13e58
Author: Felipe Borges <felipeborges gnome org>
Date:   Thu Feb 18 12:02:32 2021 +0100

    applications: Indicate when an app has permissions to escape the sandbox
    
    Applications that can talk to "org.freedesktop.Flatpak" can run
    flatpak-spawn --host, circumventing the sandbox permissions and running
    arbitrary commands in the host.
    
    Inspired by https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/258
    
    Fixes #838

 panels/applications/cc-applications-panel.c | 4 ++++
 1 file changed, 4 insertions(+)
---
diff --git a/panels/applications/cc-applications-panel.c b/panels/applications/cc-applications-panel.c
index 6b9a1c05b..e0ca950ae 100644
--- a/panels/applications/cc-applications-panel.c
+++ b/panels/applications/cc-applications-panel.c
@@ -818,6 +818,10 @@ add_static_permissions (CcApplicationsPanel *self,
   if (keyfile == NULL)
     return FALSE;
 
+  str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+  if (str && g_str_equal (str, "talk"))
+    added += add_static_permission_row (self, _("Sandbox Escape"), _("Can circumvent all imposed 
restrictions"));
+
   sockets = g_key_file_get_string_list (keyfile, "Context", "sockets", NULL, NULL);
   if (sockets && g_strv_contains ((const gchar * const*)sockets, "system-bus"))
     added += add_static_permission_row (self, _("System Bus"), _("Full access"));