Merge pull request #15 from endlessm/T24016-flatpak-apps

libeos-parental-controls: Support matching against flatpak app IDs

eos-parental-controls-client/eos-parental-controls-client.py

@@ -150,7 +150,12 @@ def command_check(user, path, quiet=False, interactive=True):
     user_id = __lookup_user_id_or_error(user)
     app_filter = __get_app_filter_or_error(user_id, interactive)
 
-    if path.startswith('app/') or path.startswith('runtime/'):
+    if path.startswith('app/') and path.count('/') < 3:
+        # Flatpak app ID
+        path = path[4:]
+        is_allowed = app_filter.is_flatpak_app_allowed(path)
+        noun = 'Flatpak app ID'
+    elif path.startswith('app/') or path.startswith('runtime/'):
         # Flatpak ref
         is_allowed = app_filter.is_flatpak_ref_allowed(path)
         noun = 'Flatpak ref'

libeos-parental-controls/app-filter.c

@@ -166,7 +166,7 @@ epc_app_filter_is_path_allowed (EpcAppFilter *filter,
 /**
  * epc_app_filter_is_flatpak_ref_allowed:
  * @filter: an #EpcAppFilter
- * @app_ref: flatpak ref for the app
+ * @app_ref: flatpak ref for the app, for example `app/org.gnome.Builder/x86_64/master`
  *
  * Check whether the flatpak app with the given @app_ref is allowed to be run
  * according to this app filter.
@@ -197,6 +197,57 @@ epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
     }
 }
 
+/**
+ * epc_app_filter_is_flatpak_app_allowed:
+ * @filter: an #EpcAppFilter
+ * @app_id: flatpak ID for the app, for example `org.gnome.Builder`
+ *
+ * Check whether the flatpak app with the given @app_id is allowed to be run
+ * according to this app filter. This is a globbing match, matching @app_id
+ * against potentially multiple entries in the blacklist, as the blacklist
+ * contains flatpak refs (for example, `app/org.gnome.Builder/x86_64/master`)
+ * which contain architecture and branch information. App IDs (for example,
+ * `org.gnome.Builder`) do not contain architecture or branch information.
+ *
+ * Returns: %TRUE if the user this @filter corresponds to is allowed to run the
+ *    flatpak called @app_id according to the @filter policy; %FALSE otherwise
+ * Since: 0.1.0
+ */
+gboolean
+epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter,
+                                       const gchar  *app_id)
+{
+  g_return_val_if_fail (filter != NULL, FALSE);
+  g_return_val_if_fail (filter->ref_count >= 1, FALSE);
+  g_return_val_if_fail (app_id != NULL, FALSE);
+
+  gsize app_id_len = strlen (app_id);
+
+  gboolean id_in_list = FALSE;
+  for (gsize i = 0; filter->app_list[i] != NULL; i++)
+    {
+      /* Avoid using flatpak_ref_parse() to avoid a dependency on libflatpak
+       * just for that one function. */
+      if (g_str_has_prefix (filter->app_list[i], "app/") &&
+          strncmp (filter->app_list[i] + strlen ("app/"), app_id, app_id_len) == 0 &&
+          filter->app_list[i][strlen ("app/") + app_id_len] == '/')
+        {
+          id_in_list = TRUE;
+          break;
+        }
+    }
+
+  switch (filter->app_list_type)
+    {
+    case EPC_APP_FILTER_LIST_BLACKLIST:
+      return !id_in_list;
+    case EPC_APP_FILTER_LIST_WHITELIST:
+      return id_in_list;
+    default:
+      g_assert_not_reached ();
+    }
+}
+
 static gint
 strcmp_cb (gconstpointer a,
            gconstpointer b)

libeos-parental-controls/app-filter.h

@@ -102,6 +102,8 @@ gboolean epc_app_filter_is_path_allowed        (EpcAppFilter *filter,
                                                 const gchar  *path);
 gboolean epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
                                                 const gchar  *app_ref);
+gboolean epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter,
+                                                const gchar  *app_id);
 
 const gchar           **epc_app_filter_get_oars_sections (EpcAppFilter *filter);
 EpcAppFilterOarsValue   epc_app_filter_get_oars_value    (EpcAppFilter *filter,

libeos-parental-controls/tests/app-filter.c

@@ -135,8 +135,10 @@ test_app_filter_builder_non_empty (BuilderFixture *fixture,
 
   g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                         "app/org.gnome.Ponies/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies"));
   g_assert_false (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                          "app/org.doom.Doom/x86_64/master"));
+  g_assert_false (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom"));
 
   g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
                    EPC_APP_FILTER_OARS_VALUE_MILD);
@@ -168,8 +170,10 @@ test_app_filter_builder_empty (BuilderFixture *fixture,
 
   g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                         "app/org.gnome.Ponies/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies"));
   g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                         "app/org.doom.Doom/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom"));
 
   g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
                    EPC_APP_FILTER_OARS_VALUE_UNKNOWN);