[gnome-software/1598-flatseal-should-not-show-as-having-no-permissions] flatpak: Update when ESCAPE_SANDBOX permission is set



commit 882451010be3390137856bd308e5fc3b76ad31f9
Author: Milan Crha <mcrha redhat com>
Date:   Thu Jan 20 15:28:45 2022 +0100

    flatpak: Update when ESCAPE_SANDBOX permission is set
    
    The sandbox can be escaped in various ways. Add two more checks to catch
    the possibility.
    
    Closes https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1598

 plugins/flatpak/gs-flatpak.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
---
diff --git a/plugins/flatpak/gs-flatpak.c b/plugins/flatpak/gs-flatpak.c
index 4e40e441a..8db5bcf83 100644
--- a/plugins/flatpak/gs-flatpak.c
+++ b/plugins/flatpak/gs-flatpak.c
@@ -239,6 +239,8 @@ perms_from_metadata (GKeyFile *keyfile)
                permissions |= GS_APP_PERMISSIONS_DOWNLOADS_FULL;
        else if (strv != NULL && g_strv_contains ((const gchar * const *)strv, "xdg-download:ro"))
                permissions |= GS_APP_PERMISSIONS_DOWNLOADS_READ;
+       if (strv != NULL && g_strv_contains ((const gchar * const *)strv, 
"xdg-data/flatpak/overrides:create"))
+               permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
        g_strfreev (strv);
 
        str = g_key_file_get_string (keyfile, "Session Bus Policy", "ca.desrt.dconf", NULL);
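Review bot: The added filesystem check matches only the literal entry `xdg-data/flatpak/overrides:create`, so a manifest that requests the same directory with `:rw` or with no suffix (which Flatpak treats as read-write) leaves the overrides writable without setting GS_APP_PERMISSIONS_ESCAPE_SANDBOX. Consider testing all three spellings, for example by adding `|| g_strv_contains ((const gchar * const *)strv, "xdg-data/flatpak/overrides:rw")` and the bare `"xdg-data/flatpak/overrides"` to the condition. A grant on a parent directory would presumably cover the overrides directory as well; whether that is reported elsewhere in perms_from_metadata cannot be seen here, since the function starts and ends outside the hunk. A one-line comment such as `/* writable overrides let the app change its own permissions */` would also explain why a filesystem entry maps to ESCAPE_SANDBOX.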
@@ -246,10 +248,19 @@ perms_from_metadata (GKeyFile *keyfile)
                permissions |= GS_APP_PERMISSIONS_SETTINGS;
        g_free (str);
 
-       str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
-       if (str != NULL && g_str_equal (str, "talk"))
-               permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
-       g_free (str);
+       if (!(permissions & GS_APP_PERMISSIONS_ESCAPE_SANDBOX)) {
+               str = g_key_file_get_string (keyfile, "Session Bus Policy", "org.freedesktop.Flatpak", NULL);
+               if (str != NULL && g_str_equal (str, "talk"))
+                       permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
+               g_free (str);
+       }
+
+       if (!(permissions & GS_APP_PERMISSIONS_ESCAPE_SANDBOX)) {
+               str = g_key_file_get_string (keyfile, "Session Bus Policy", 
"org.freedesktop.impl.portal.PermissionStore", NULL);
+               if (str != NULL && g_str_equal (str, "talk"))
+                       permissions |= GS_APP_PERMISSIONS_ESCAPE_SANDBOX;
+               g_free (str);
+       }
 
        /* no permissions set */
        if (permissions == GS_APP_PERMISSIONS_UNKNOWN)
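Review bot: Both session-bus checks in this hunk compare the policy only with `talk`, so a manifest declaring `org.freedesktop.Flatpak=own` or `org.freedesktop.impl.portal.PermissionStore=own` is not flagged, even though `own` includes everything `talk` allows. The condition in each block could read `if (str != NULL && (g_str_equal (str, "talk") || g_str_equal (str, "own")))`. The two blocks are otherwise identical, so a short loop over an array of the bus names would keep them from drifting apart if a third name is added later. A comment above the PermissionStore block saying why talking to it counts as an escape (presumably because the app could alter its own stored portal permissions) would help the next reader. perms_from_metadata continues outside the hunk.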

