packages/flatpak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
flatpak/backport-0002-CVE-2022-21682.patch
Jiayi Yin e013179427 init
2025-03-16 16:10:18 +00:00

277 lines
10 KiB
Diff
Raw Permalink Blame History

From 517ad25b5fe83376af258acef646551cb97af97c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 10 Aug 2020 23:58:11 +0100
Subject: [PATCH] context: Only parse filesystem/mode strings in one place
This gives us the ability for the parse function (the former verify
function) to carry out a normalization step as well.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Conflict:NA
Reference:https://github.com/flatpak/flatpak/commit/517ad25b5fe83376af258acef646551cb97af97c
---
common/flatpak-context.c | 77 +++++++++++++++++---------------
common/flatpak-exports-private.h | 1 +
common/flatpak-exports.c | 14 +++---
3 files changed, 48 insertions(+), 44 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 4892d7b..3a99646 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -92,6 +92,7 @@ flatpak_context_new (void)
context = g_slice_new0 (FlatpakContext);
context->env_vars = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
context->persistent = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
+ /* filename or special filesystem name => FlatpakFilesystemMode */
context->filesystems = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
context->session_bus_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
context->system_bus_policy = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
@@ -748,19 +749,23 @@ parse_filesystem_flags (const char *filesystem,
}
static gboolean
-flatpak_context_verify_filesystem (const char *filesystem_and_mode,
- GError **error)
+flatpak_context_parse_filesystem (const char *filesystem_and_mode,
+ char **filesystem_out,
+ FlatpakFilesystemMode *mode_out,
+ GError **error)
{
- g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, NULL);
+ g_autofree char *filesystem = parse_filesystem_flags (filesystem_and_mode, mode_out);
- if (g_strv_contains (flatpak_context_special_filesystems, filesystem))
- return TRUE;
- if (get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL))
- return TRUE;
- if (g_str_has_prefix (filesystem, "~/"))
- return TRUE;
- if (g_str_has_prefix (filesystem, "/"))
- return TRUE;
+ if (g_strv_contains (flatpak_context_special_filesystems, filesystem) ||
+ get_xdg_user_dir_from_string (filesystem, NULL, NULL, NULL) ||
+ g_str_has_prefix (filesystem, "~/") ||
+ g_str_has_prefix (filesystem, "/"))
+ {
+ if (filesystem_out != NULL)
+ *filesystem_out = g_steal_pointer (&filesystem);
+
+ return TRUE;
+ }
g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
_("Unknown filesystem location %s, valid locations are: host, home, xdg-*[/...], ~/dir, /dir"), filesystem);
@@ -768,24 +773,13 @@ flatpak_context_verify_filesystem (const char *filesystem_and_mode,
}
static void
-flatpak_context_add_filesystem (FlatpakContext *context,
- const char *what)
+flatpak_context_take_filesystem (FlatpakContext *context,
+ char *fs,
+ FlatpakFilesystemMode mode)
{
- FlatpakFilesystemMode mode;
- char *fs = parse_filesystem_flags (what, &mode);
-
g_hash_table_insert (context->filesystems, fs, GINT_TO_POINTER (mode));
}
-static void
-flatpak_context_remove_filesystem (FlatpakContext *context,
- const char *what)
-{
- g_hash_table_insert (context->filesystems,
- parse_filesystem_flags (what, NULL),
- NULL);
-}
-
void
flatpak_context_merge (FlatpakContext *context,
FlatpakContext *other)
@@ -999,11 +993,13 @@ option_filesystem_cb (const gchar *option_name,
GError **error)
{
FlatpakContext *context = data;
+ g_autofree char *fs = NULL;
+ FlatpakFilesystemMode mode;
- if (!flatpak_context_verify_filesystem (value, error))
+ if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
return FALSE;
- flatpak_context_add_filesystem (context, value);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&fs), mode);
return TRUE;
}
@@ -1014,11 +1010,14 @@ option_nofilesystem_cb (const gchar *option_name,
GError **error)
{
FlatpakContext *context = data;
+ g_autofree char *fs = NULL;
+ FlatpakFilesystemMode mode;
- if (!flatpak_context_verify_filesystem (value, error))
+ if (!flatpak_context_parse_filesystem (value, &fs, &mode, error))
return FALSE;
- flatpak_context_remove_filesystem (context, value);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&fs),
+ FLATPAK_FILESYSTEM_MODE_NONE);
return TRUE;
}
@@ -1441,14 +1440,18 @@ flatpak_context_load_metadata (FlatpakContext *context,
for (i = 0; filesystems[i] != NULL; i++)
{
const char *fs = parse_negated (filesystems[i], &remove);
- if (!flatpak_context_verify_filesystem (fs, NULL))
+ g_autofree char *filesystem = NULL;
+ FlatpakFilesystemMode mode;
+
+ if (!flatpak_context_parse_filesystem (fs, &filesystem, &mode, NULL))
g_debug ("Unknown filesystem type %s", filesystems[i]);
else
{
if (remove)
- flatpak_context_remove_filesystem (context, fs);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem),
+ FLATPAK_FILESYSTEM_MODE_NONE);
else
- flatpak_context_add_filesystem (context, fs);
+ flatpak_context_take_filesystem (context, g_steal_pointer (&filesystem), mode);
}
}
}
@@ -1674,7 +1677,7 @@ flatpak_context_save_metadata (FlatpakContext *context,
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (mode != 0)
+ if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
g_ptr_array_add (array, unparse_filesystem_flags (key, mode));
else
g_ptr_array_add (array, g_strconcat ("!", key, NULL));
@@ -1781,7 +1784,7 @@ flatpak_context_save_metadata (FlatpakContext *context,
void
flatpak_context_allow_host_fs (FlatpakContext *context)
{
- flatpak_context_add_filesystem (context, "host");
+ flatpak_context_take_filesystem (context, g_strdup ("host"), FLATPAK_FILESYSTEM_MODE_READ_WRITE);
}
gboolean
@@ -1846,7 +1849,7 @@ flatpak_context_to_args (FlatpakContext *context,
{
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
- if (mode != 0)
+ if (mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
g_autofree char *fs = unparse_filesystem_flags (key, mode);
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", fs));
@@ -1949,7 +1952,7 @@ flatpak_context_export (FlatpakContext *context,
gpointer key, value;
fs_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "host");
- if (fs_mode != 0)
+ if (fs_mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
DIR *dir;
struct dirent *dirent;
@@ -1978,7 +1981,7 @@ flatpak_context_export (FlatpakContext *context,
}
home_mode = (FlatpakFilesystemMode) g_hash_table_lookup (context->filesystems, "home");
- if (home_mode != 0)
+ if (home_mode != FLATPAK_FILESYSTEM_MODE_NONE)
{
g_debug ("Allowing homedir access");
home_access = TRUE;
diff --git a/common/flatpak-exports-private.h b/common/flatpak-exports-private.h
index 64cf59a..e4b2c14 100644
--- a/common/flatpak-exports-private.h
+++ b/common/flatpak-exports-private.h
@@ -26,6 +26,7 @@
/* In numerical order of more privs */
typedef enum {
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
FLATPAK_FILESYSTEM_MODE_CREATE = 3,
diff --git a/common/flatpak-exports.c b/common/flatpak-exports.c
index 21a8b17..d31ef95 100644
--- a/common/flatpak-exports.c
+++ b/common/flatpak-exports.c
@@ -80,7 +80,7 @@ make_relative (const char *base, const char *path)
}
#define FAKE_MODE_DIR -1 /* Ensure a dir, either on tmpfs or mapped parent */
-#define FAKE_MODE_TMPFS 0
+#define FAKE_MODE_TMPFS FLATPAK_FILESYSTEM_MODE_NONE
#define FAKE_MODE_SYMLINK G_MAXINT
typedef struct
@@ -278,7 +278,7 @@ flatpak_exports_append_bwrap_args (FlatpakExports *exports,
}
}
- if (exports->host_fs != 0)
+ if (exports->host_fs != FLATPAK_FILESYSTEM_MODE_NONE)
{
if (g_file_test ("/usr", G_FILE_TEST_IS_DIR))
flatpak_bwrap_add_args (bwrap,
@@ -337,7 +337,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
break;
}
- return 0;
+ return FLATPAK_FILESYSTEM_MODE_NONE;
}
if (S_ISLNK (st.st_mode))
@@ -347,7 +347,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
int j;
if (resolved == NULL)
- return 0;
+ return FLATPAK_FILESYSTEM_MODE_NONE;
path2_builder = g_string_new (resolved);
@@ -361,7 +361,7 @@ flatpak_exports_path_get_mode (FlatpakExports *exports,
}
}
else if (parts[i + 1] == NULL)
- return 0; /* Last part was not mapped */
+ return FLATPAK_FILESYSTEM_MODE_NONE; /* Last part was not mapped */
}
if (is_readonly)
@@ -374,7 +374,7 @@ gboolean
flatpak_exports_path_is_visible (FlatpakExports *exports,
const char *path)
{
- return flatpak_exports_path_get_mode (exports, path) > 0;
+ return flatpak_exports_path_get_mode (exports, path) > FLATPAK_FILESYSTEM_MODE_NONE;
}
static gboolean
@@ -605,7 +605,7 @@ flatpak_exports_add_path_expose_or_hide (FlatpakExports *exports,
FlatpakFilesystemMode mode,
const char *path)
{
- if (mode == 0)
+ if (mode == FLATPAK_FILESYSTEM_MODE_NONE)
flatpak_exports_add_path_tmpfs (exports, path);
else
flatpak_exports_add_path_expose (exports, mode, path);
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink