[gnome-control-center/applications-sandbox-escape: 95/95] applications: Indicate when an app has permissions to escape the sandbox




commit 826e78945cebb783339f02aaa9349b7e757c2e10
Author: Felipe Borges <felipeborges gnome org>
Date:   Thu Feb 18 12:02:32 2021 +0100

    applications: Indicate when an app has permissions to escape the sandbox
    
    Applications that can talk to "org.freedesktop.Flatpak" can run
    flatpak-spawn --host, circumventing the sandbox permissions and running
    arbitrary commands in the host.
    
    Inspired by https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/258
    
    Fixes #838

 panels/applications/cc-applications-panel.c | 4 ++++
 1 file changed, 4 insertions(+)
---
diff --git a/panels/applications/cc-applications-panel.c b/panels/applications/cc-applications-panel.c
index 6b9a1c05b..e0ca950ae 100644
--- a/panels/applications/cc-applications-panel.c
+++ b/panels/applications/cc-applications-panel.c
@@ -818,6 +818,10 @@ add_static_permissions (CcApplicationsPanel *self,
   if (keyfile == NULL)
     return FALSE;
 
+  str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+  if (str && g_str_equal (str, "talk"))
+    added += add_static_permission_row (self, _("Sandbox Escape"), _("Can circumvent all imposed 
restrictions"));
+
   sockets = g_key_file_get_string_list (keyfile, "Context", "sockets", NULL, NULL);
   if (sockets && g_strv_contains ((const gchar * const*)sockets, "system-bus"))
     added += add_static_permission_row (self, _("System Bus"), _("Full access"));


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]