Merge pull request #7 from endlessm/T24020-flatpak-support
T24020 flatpak support
commit
6e703b3bc2
|
@ -171,20 +171,28 @@ def command_get(user, quiet=False, interactive=True):
|
||||||
|
|
||||||
|
|
||||||
def command_check(user, path, quiet=False, interactive=True):
|
def command_check(user, path, quiet=False, interactive=True):
|
||||||
"""Check the given path is runnable by the given user, according to their
|
"""Check the given path or flatpak ref is runnable by the given user,
|
||||||
app filter."""
|
according to their app filter."""
|
||||||
user_id = __lookup_user_id_or_error(user)
|
user_id = __lookup_user_id_or_error(user)
|
||||||
app_filter = __get_app_filter_or_error(user_id, interactive)
|
app_filter = __get_app_filter_or_error(user_id, interactive)
|
||||||
|
|
||||||
path = os.path.abspath(path)
|
if path.startswith('app/') or path.startswith('runtime/'):
|
||||||
|
# Flatpak ref
|
||||||
|
is_allowed = app_filter.is_flatpak_ref_allowed(path)
|
||||||
|
noun = 'Flatpak ref'
|
||||||
|
else:
|
||||||
|
# File system path
|
||||||
|
path = os.path.abspath(path)
|
||||||
|
is_allowed = app_filter.is_path_allowed(path)
|
||||||
|
noun = 'Path'
|
||||||
|
|
||||||
if app_filter.is_path_allowed(path):
|
if is_allowed:
|
||||||
print('Path {} is allowed by app filter for user {}'.format(
|
print('{} {} is allowed by app filter for user {}'.format(
|
||||||
path, user_id))
|
noun, path, user_id))
|
||||||
return
|
return
|
||||||
else:
|
else:
|
||||||
print('Path {} is not allowed by app filter for user {}'.format(
|
print('{} {} is not allowed by app filter for user {}'.format(
|
||||||
path, user_id))
|
noun, path, user_id))
|
||||||
raise SystemExit(EXIT_PATH_NOT_ALLOWED)
|
raise SystemExit(EXIT_PATH_NOT_ALLOWED)
|
||||||
|
|
||||||
|
|
||||||
|
@ -214,6 +222,8 @@ def command_set(user, app_filter_args=None, quiet=False, interactive=True):
|
||||||
file=sys.stderr)
|
file=sys.stderr)
|
||||||
raise SystemExit(EXIT_INVALID_OPTION)
|
raise SystemExit(EXIT_INVALID_OPTION)
|
||||||
builder.set_oars_value(section, value)
|
builder.set_oars_value(section, value)
|
||||||
|
elif arg.startswith('app/') or arg.startswith('runtime/'):
|
||||||
|
builder.blacklist_flatpak_ref(arg)
|
||||||
else:
|
else:
|
||||||
builder.blacklist_path(arg)
|
builder.blacklist_path(arg)
|
||||||
app_filter = builder.end()
|
app_filter = builder.end()
|
||||||
|
|
|
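Review bot: The `startswith('app/')` / `startswith('runtime/')` test in command_check decides ref-versus-path before `os.path.abspath()` runs, so a relative file path such as `app/game` is looked up as a flatpak ref and never reaches `is_path_allowed()`. The same heuristic in the command_set hunk sends such an argument to `blacklist_flatpak_ref()` instead of `blacklist_path()`, so the path entry the caller intended is presumably never created. Requiring the full four-part ref shape narrows the ambiguity, e.g. `if path.startswith(('app/', 'runtime/')) and path.count('/') == 3:`, and an explicit option to select refs would remove it entirely. The not-allowed branch still exits with `EXIT_PATH_NOT_ALLOWED` for refs, which deserves a comment such as `# exit code is shared by paths and flatpak refs`. command_set's body starts and ends outside its hunk.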
@ -162,6 +162,40 @@ epc_app_filter_is_path_allowed (EpcAppFilter *filter,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* epc_app_filter_is_flatpak_ref_allowed:
|
||||||
|
* @filter: an #EpcAppFilter
|
||||||
|
* @app_ref: flatpak ref for the app
|
||||||
|
*
|
||||||
|
* Check whether the flatpak app with the given @app_ref is allowed to be run
|
||||||
|
* according to this app filter.
|
||||||
|
*
|
||||||
|
* Returns: %TRUE if the user this @filter corresponds to is allowed to run the
|
||||||
|
* flatpak called @app_ref according to the @filter policy; %FALSE otherwise
|
||||||
|
* Since: 0.1.0
|
||||||
|
*/
|
||||||
|
gboolean
|
||||||
|
epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
|
||||||
|
const gchar *app_ref)
|
||||||
|
{
|
||||||
|
g_return_val_if_fail (filter != NULL, FALSE);
|
||||||
|
g_return_val_if_fail (filter->ref_count >= 1, FALSE);
|
||||||
|
g_return_val_if_fail (app_ref != NULL, FALSE);
|
||||||
|
|
||||||
|
gboolean ref_in_list = g_strv_contains ((const gchar * const *) filter->app_list,
|
||||||
|
app_ref);
|
||||||
|
|
||||||
|
switch (filter->app_list_type)
|
||||||
|
{
|
||||||
|
case EPC_APP_FILTER_LIST_BLACKLIST:
|
||||||
|
return !ref_in_list;
|
||||||
|
case EPC_APP_FILTER_LIST_WHITELIST:
|
||||||
|
return ref_in_list;
|
||||||
|
default:
|
||||||
|
g_assert_not_reached ();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* epc_app_filter_get_oars_value:
|
* epc_app_filter_get_oars_value:
|
||||||
* @filter: an #EpcAppFilter
|
* @filter: an #EpcAppFilter
|
||||||
|
@ -977,6 +1011,32 @@ epc_app_filter_builder_blacklist_path (EpcAppFilterBuilder *builder,
|
||||||
g_ptr_array_add (_builder->paths_blacklist, g_steal_pointer (&canonical_path));
|
g_ptr_array_add (_builder->paths_blacklist, g_steal_pointer (&canonical_path));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* epc_app_filter_builder_blacklist_flatpak_ref:
|
||||||
|
* @builder: an initialised #EpcAppFilterBuilder
|
||||||
|
* @app_ref: a flatpak app ref to blacklist
|
||||||
|
*
|
||||||
|
* Add @app_ref to the blacklist of flatpak refs in the filter under
|
||||||
|
* construction. The @app_ref will not be added again if it’s already been
|
||||||
|
* added.
|
||||||
|
*
|
||||||
|
* Since: 0.1.0
|
||||||
|
*/
|
||||||
|
void
|
||||||
|
epc_app_filter_builder_blacklist_flatpak_ref (EpcAppFilterBuilder *builder,
|
||||||
|
const gchar *app_ref)
|
||||||
|
{
|
||||||
|
EpcAppFilterBuilderReal *_builder = (EpcAppFilterBuilderReal *) builder;
|
||||||
|
|
||||||
|
g_return_if_fail (_builder != NULL);
|
||||||
|
g_return_if_fail (_builder->paths_blacklist != NULL);
|
||||||
|
g_return_if_fail (app_ref != NULL);
|
||||||
|
|
||||||
|
if (!g_ptr_array_find_with_equal_func (_builder->paths_blacklist,
|
||||||
|
app_ref, g_str_equal, NULL))
|
||||||
|
g_ptr_array_add (_builder->paths_blacklist, g_strdup (app_ref));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* epc_app_filter_builder_set_oars_value:
|
* epc_app_filter_builder_set_oars_value:
|
||||||
* @builder: an initialised #EpcAppFilterBuilder
|
* @builder: an initialised #EpcAppFilterBuilder
|
||||||
|
|
|
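Review bot: `epc_app_filter_builder_blacklist_flatpak_ref()` adds @app_ref to `_builder->paths_blacklist` without checking that the string is a ref at all, while the path entry added just above it is canonicalised first. A guard such as `g_return_if_fail (g_str_has_prefix (app_ref, "app/") || g_str_has_prefix (app_ref, "runtime/"));` would keep arbitrary strings out of the list that paths and refs now share. In `epc_app_filter_is_flatpak_ref_allowed()` the lookup is an exact `g_strv_contains()` match, so a blacklist entry for one arch/branch does not cover another branch of the same app. If that is intended, the doc comment should say so, e.g. `* The comparison is an exact string match on the full ref (kind/name/arch/branch).`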
@ -97,9 +97,11 @@ void epc_app_filter_unref (EpcAppFilter *filter);
|
||||||
|
|
||||||
G_DEFINE_AUTOPTR_CLEANUP_FUNC (EpcAppFilter, epc_app_filter_unref)
|
G_DEFINE_AUTOPTR_CLEANUP_FUNC (EpcAppFilter, epc_app_filter_unref)
|
||||||
|
|
||||||
uid_t epc_app_filter_get_user_id (EpcAppFilter *filter);
|
uid_t epc_app_filter_get_user_id (EpcAppFilter *filter);
|
||||||
gboolean epc_app_filter_is_path_allowed (EpcAppFilter *filter,
|
gboolean epc_app_filter_is_path_allowed (EpcAppFilter *filter,
|
||||||
const gchar *path);
|
const gchar *path);
|
||||||
|
gboolean epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
|
||||||
|
const gchar *flatpak_ref);
|
||||||
|
|
||||||
EpcAppFilterOarsValue epc_app_filter_get_oars_value (EpcAppFilter *filter,
|
EpcAppFilterOarsValue epc_app_filter_get_oars_value (EpcAppFilter *filter,
|
||||||
const gchar *oars_section);
|
const gchar *oars_section);
|
||||||
|
@ -177,10 +179,12 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (EpcAppFilterBuilder, epc_app_filter_builder_free)
|
||||||
|
|
||||||
EpcAppFilter *epc_app_filter_builder_end (EpcAppFilterBuilder *builder);
|
EpcAppFilter *epc_app_filter_builder_end (EpcAppFilterBuilder *builder);
|
||||||
|
|
||||||
void epc_app_filter_builder_blacklist_path (EpcAppFilterBuilder *builder,
|
void epc_app_filter_builder_blacklist_path (EpcAppFilterBuilder *builder,
|
||||||
const gchar *path);
|
const gchar *path);
|
||||||
void epc_app_filter_builder_set_oars_value (EpcAppFilterBuilder *builder,
|
void epc_app_filter_builder_blacklist_flatpak_ref (EpcAppFilterBuilder *builder,
|
||||||
const gchar *oars_section,
|
const gchar *app_ref);
|
||||||
EpcAppFilterOarsValue value);
|
void epc_app_filter_builder_set_oars_value (EpcAppFilterBuilder *builder,
|
||||||
|
const gchar *oars_section,
|
||||||
|
EpcAppFilterOarsValue value);
|
||||||
|
|
||||||
G_END_DECLS
|
G_END_DECLS
|
||||||
|
|
|
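Review bot: The new prototype in the first hunk names its second parameter `flatpak_ref`, while the definition and its gtk-doc block use `@app_ref`, and the builder prototype in the second hunk also uses `app_ref`. Documentation and introspection tooling generally match on the parameter name, so the mismatch is likely to produce warnings or an undocumented parameter. Renaming it in the header keeps the three in step: `const gchar *app_ref);`.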
@ -102,6 +102,9 @@ test_app_filter_builder_non_empty (BuilderFixture *fixture,
|
||||||
epc_app_filter_builder_blacklist_path (fixture->builder, "/bin/true");
|
epc_app_filter_builder_blacklist_path (fixture->builder, "/bin/true");
|
||||||
epc_app_filter_builder_blacklist_path (fixture->builder, "/usr/bin/gnome-software");
|
epc_app_filter_builder_blacklist_path (fixture->builder, "/usr/bin/gnome-software");
|
||||||
|
|
||||||
|
epc_app_filter_builder_blacklist_flatpak_ref (fixture->builder,
|
||||||
|
"app/org.doom.Doom/x86_64/master");
|
||||||
|
|
||||||
epc_app_filter_builder_set_oars_value (fixture->builder, "drugs-alcohol",
|
epc_app_filter_builder_set_oars_value (fixture->builder, "drugs-alcohol",
|
||||||
EPC_APP_FILTER_OARS_VALUE_MILD);
|
EPC_APP_FILTER_OARS_VALUE_MILD);
|
||||||
epc_app_filter_builder_set_oars_value (fixture->builder, "language-humor",
|
epc_app_filter_builder_set_oars_value (fixture->builder, "language-humor",
|
||||||
|
@ -113,6 +116,11 @@ test_app_filter_builder_non_empty (BuilderFixture *fixture,
|
||||||
g_assert_false (epc_app_filter_is_path_allowed (filter,
|
g_assert_false (epc_app_filter_is_path_allowed (filter,
|
||||||
"/usr/bin/gnome-software"));
|
"/usr/bin/gnome-software"));
|
||||||
|
|
||||||
|
g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
|
||||||
|
"app/org.gnome.Ponies/x86_64/master"));
|
||||||
|
g_assert_false (epc_app_filter_is_flatpak_ref_allowed (filter,
|
||||||
|
"app/org.doom.Doom/x86_64/master"));
|
||||||
|
|
||||||
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
|
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
|
||||||
EPC_APP_FILTER_OARS_VALUE_MILD);
|
EPC_APP_FILTER_OARS_VALUE_MILD);
|
||||||
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "language-humor"), ==,
|
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "language-humor"), ==,
|
||||||
|
@ -134,6 +142,11 @@ test_app_filter_builder_empty (BuilderFixture *fixture,
|
||||||
g_assert_true (epc_app_filter_is_path_allowed (filter,
|
g_assert_true (epc_app_filter_is_path_allowed (filter,
|
||||||
"/usr/bin/gnome-software"));
|
"/usr/bin/gnome-software"));
|
||||||
|
|
||||||
|
g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
|
||||||
|
"app/org.gnome.Ponies/x86_64/master"));
|
||||||
|
g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
|
||||||
|
"app/org.doom.Doom/x86_64/master"));
|
||||||
|
|
||||||
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
|
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
|
||||||
EPC_APP_FILTER_OARS_VALUE_UNKNOWN);
|
EPC_APP_FILTER_OARS_VALUE_UNKNOWN);
|
||||||
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "language-humor"), ==,
|
g_assert_cmpint (epc_app_filter_get_oars_value (filter, "language-humor"), ==,
|
||||||
|
|
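Review bot: The added assertions only exercise the blacklist case with one exact ref. Nothing pins the result for a different branch or arch of the blacklisted app, for a `runtime/` ref, or for adding the same ref twice, which the builder documents as a no-op. If exact matching is the intended policy, an assertion in test_app_filter_builder_non_empty such as `g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter, "app/org.doom.Doom/x86_64/stable"));` would record it, so a later change to the matching rule shows up as a test failure. Both test functions start and end outside the hunks shown.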