diff --git a/eos-parental-controls-client/eos-parental-controls-client.py b/eos-parental-controls-client/eos-parental-controls-client.py index 24c4b73..5e6ca4f 100644 --- a/eos-parental-controls-client/eos-parental-controls-client.py +++ b/eos-parental-controls-client/eos-parental-controls-client.py @@ -150,7 +150,12 @@ def command_check(user, path, quiet=False, interactive=True): user_id = __lookup_user_id_or_error(user) app_filter = __get_app_filter_or_error(user_id, interactive) - if path.startswith('app/') or path.startswith('runtime/'): + if path.startswith('app/') and path.count('/') < 3: + # Flatpak app ID + path = path[4:] + is_allowed = app_filter.is_flatpak_app_allowed(path) + noun = 'Flatpak app ID' + elif path.startswith('app/') or path.startswith('runtime/'): # Flatpak ref is_allowed = app_filter.is_flatpak_ref_allowed(path) noun = 'Flatpak ref' diff --git a/libeos-parental-controls/app-filter.c b/libeos-parental-controls/app-filter.c index 8d8e085..bd146da 100644 --- a/libeos-parental-controls/app-filter.c +++ b/libeos-parental-controls/app-filter.c @@ -166,7 +166,7 @@ epc_app_filter_is_path_allowed (EpcAppFilter *filter, /** * epc_app_filter_is_flatpak_ref_allowed: * @filter: an #EpcAppFilter - * @app_ref: flatpak ref for the app + * @app_ref: flatpak ref for the app, for example `app/org.gnome.Builder/x86_64/master` * * Check whether the flatpak app with the given @app_ref is allowed to be run * according to this app filter. @@ -197,6 +197,57 @@ epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter, } } +/** + * epc_app_filter_is_flatpak_app_allowed: + * @filter: an #EpcAppFilter + * @app_id: flatpak ID for the app, for example `org.gnome.Builder` + * + * Check whether the flatpak app with the given @app_id is allowed to be run + * according to this app filter. This is a globbing match, matching @app_id + * against potentially multiple entries in the blacklist, as the blacklist + * contains flatpak refs (for example, `app/org.gnome.Builder/x86_64/master`) + * which contain architecture and branch information. App IDs (for example, + * `org.gnome.Builder`) do not contain architecture or branch information. + * + * Returns: %TRUE if the user this @filter corresponds to is allowed to run the + * flatpak called @app_id according to the @filter policy; %FALSE otherwise + * Since: 0.1.0 + */ +gboolean +epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter, + const gchar *app_id) +{ + g_return_val_if_fail (filter != NULL, FALSE); + g_return_val_if_fail (filter->ref_count >= 1, FALSE); + g_return_val_if_fail (app_id != NULL, FALSE); + + gsize app_id_len = strlen (app_id); + + gboolean id_in_list = FALSE; + for (gsize i = 0; filter->app_list[i] != NULL; i++) + { + /* Avoid using flatpak_ref_parse() to avoid a dependency on libflatpak + * just for that one function. */ + if (g_str_has_prefix (filter->app_list[i], "app/") && + strncmp (filter->app_list[i] + strlen ("app/"), app_id, app_id_len) == 0 && + filter->app_list[i][strlen ("app/") + app_id_len] == '/') + { + id_in_list = TRUE; + break; + } + } + + switch (filter->app_list_type) + { + case EPC_APP_FILTER_LIST_BLACKLIST: + return !id_in_list; + case EPC_APP_FILTER_LIST_WHITELIST: + return id_in_list; + default: + g_assert_not_reached (); + } +} + static gint strcmp_cb (gconstpointer a, gconstpointer b) diff --git a/libeos-parental-controls/app-filter.h b/libeos-parental-controls/app-filter.h index ab6280a..fbca57a 100644 --- a/libeos-parental-controls/app-filter.h +++ b/libeos-parental-controls/app-filter.h @@ -102,6 +102,8 @@ gboolean epc_app_filter_is_path_allowed (EpcAppFilter *filter, const gchar *path); gboolean epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter, const gchar *app_ref); +gboolean epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter, + const gchar *app_id); const gchar **epc_app_filter_get_oars_sections (EpcAppFilter *filter); EpcAppFilterOarsValue epc_app_filter_get_oars_value (EpcAppFilter *filter, diff --git a/libeos-parental-controls/tests/app-filter.c b/libeos-parental-controls/tests/app-filter.c index 2bbbb63..7fb4e5e 100644 --- a/libeos-parental-controls/tests/app-filter.c +++ b/libeos-parental-controls/tests/app-filter.c @@ -135,8 +135,10 @@ test_app_filter_builder_non_empty (BuilderFixture *fixture, g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter, "app/org.gnome.Ponies/x86_64/master")); + g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies")); g_assert_false (epc_app_filter_is_flatpak_ref_allowed (filter, "app/org.doom.Doom/x86_64/master")); + g_assert_false (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom")); g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==, EPC_APP_FILTER_OARS_VALUE_MILD); @@ -168,8 +170,10 @@ test_app_filter_builder_empty (BuilderFixture *fixture, g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter, "app/org.gnome.Ponies/x86_64/master")); + g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies")); g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter, "app/org.doom.Doom/x86_64/master")); + g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom")); g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==, EPC_APP_FILTER_OARS_VALUE_UNKNOWN);