--run unclear #348

Open
vinipsmaker opened this issue May 16, 2020 · 5 comments · May be fixed by #362

Comments

@vinipsmaker

The documentation states (emphasis mine):

> Run a command in a sandbox based on the build dir. [...] and the same permissions the final app will have (except filesystem permissions)

What exactly are the exceptions? Has every app that I've run through --run been executed outside of a sandbox? It's unclear to me what the exceptions are and I can't find this info anywhere.

@TingPing
Member

It's certainly in a sandbox.

The exact line that comment is talking about is here:

```c
  /* Inherit all finish args except --filesystem and some that
   * build doesn't understand so the command gets the same access
   * as the final app
   */
  if (self->finish_args)
    {
      for (i = 0; self->finish_args[i] != NULL; i++)
        {
          const char *arg = self->finish_args[i];
          if (!g_str_has_prefix (arg, "--filesystem") &&
              !g_str_has_prefix (arg, "--extension") &&
              !g_str_has_prefix (arg, "--sdk") &&
              !g_str_has_prefix (arg, "--runtime") &&
              !g_str_has_prefix (arg, "--command") &&
              !g_str_has_prefix (arg, "--extra-data") &&
              !g_str_has_prefix (arg, "--require-version"))
            g_ptr_array_add (args, g_strdup (arg));
        }
    }
```

@vinipsmaker
Author

vinipsmaker commented May 17, 2020

> It's certainly in a sandbox.

If so, how did the application manage to write to .local/share/[redacted] w/o a matching --persist in my "finish-args"?

@TingPing
Member

TingPing commented May 17, 2020

Sandbox is a broad term. It is in a sandbox, its permissions just aren't what you expect. I don't think it's documented, sadly.

@vinipsmaker
Author

> The exact line that comment is talking about is here:

I don't understand how this piece of code relates to giving full access to my home dir (making the whole point of the sandbox moot). You sure this is the line? Care to explain how permissions leak from my specification out of that?

cxrvh pushed a commit to cxrvh/flatpak-builder that referenced this issue Sep 25, 2020
@cxrvh cxrvh linked a pull request Sep 25, 2020 that will close this issue
@cxrvh
Contributor

cxrvh commented Sep 25, 2020

I think the missing sandbox is a bug. You can work around it by adding --nofilesystem=host.
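
The prefix filter from the snippet quoted earlier in this thread, rebuilt as a stand-alone C program. This is an added example, not flatpak-builder's own code and not part of any comment above; it uses plain `strncmp` in place of GLib's `g_str_has_prefix`, and the function names and sample finish-args are constructed. It shows that `--filesystem=...` entries are dropped, while an entry such as `--nofilesystem=host` matches none of the excluded prefixes and is forwarded.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes the quoted snippet refuses to forward from finish-args. */
static const char *const skipped_prefixes[] = {
    "--filesystem", "--extension", "--sdk", "--runtime",
    "--command", "--extra-data", "--require-version",
};

/* Hypothetical helper: 1 if the arg would be forwarded, 0 if dropped. */
int is_inherited(const char *arg)
{
    size_t n = sizeof skipped_prefixes / sizeof skipped_prefixes[0];
    for (size_t i = 0; i < n; i++)
        if (strncmp(arg, skipped_prefixes[i], strlen(skipped_prefixes[i])) == 0)
            return 0;
    return 1;
}

/* Hypothetical helper: stores forwarded args in out (capacity cap) and
 * returns how many were kept. A NULL list yields 0, as in the snippet. */
size_t filter_finish_args(const char *const *finish_args,
                          const char **out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; finish_args && finish_args[i] != NULL; i++)
        if (is_inherited(finish_args[i]) && kept < cap)
            out[kept++] = finish_args[i];
    return kept;
}

/* Constructed sample finish-args, not taken from the issue. */
static const char *const sample_finish_args[] = {
    "--share=network",
    "--filesystem=xdg-documents",   /* dropped: "--filesystem" prefix */
    "--persist=.example",           /* forwarded: not in the skip list */
    "--nofilesystem=host",          /* forwarded: "--nofilesystem" != "--filesystem" */
    "--command=example-app",        /* dropped: "--command" prefix */
    NULL,
};

int main(void)
{
    const char *kept[8];
    size_t n = filter_finish_args(sample_finish_args, kept, 8);
    for (size_t i = 0; i < n; i++)
        printf("forwarded: %s\n", kept[i]);
    return 0;
}
```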
