Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dir: Set up the apply_extra sandbox like flatpak-run --sandbox #5466

Merged
merged 1 commit into from Jul 3, 2023
Merged

dir: Set up the apply_extra sandbox like flatpak-run --sandbox #5466

merged 1 commit into from Jul 3, 2023

Conversation

swick
Copy link
Contributor

@swick swick commented Jul 3, 2023

Use the same run flags and highlight which ones are specific to apply_extra. Also mark the flatpak context as sandboxed.

@swick swick mentioned this pull request Jul 3, 2023
Merged
@alexlarsson
Copy link
Member

alexlarsson commented Jul 3, 2023
edited

This is all wrong, as per:
#4920 (comment)

@alexlarsson alexlarsson closed this Jul 3, 2023
@alexlarsson alexlarsson reopened this Jul 3, 2023
@alexlarsson
Copy link
Member

Well, the splitting out for clarity may be nice, but the make_sandbox() part is useless.

@alexlarsson
Copy link
Member

Should have an actual comment about the NO_PROC part though.

@alexlarsson
Copy link
Member

See cd21428 for why NO_PROC was added.

@swick
Copy link
Contributor Author

swick commented Jul 3, 2023
edited

I'll add the comment about NO_PROC and remove the make_sandbox call.

The only semantic difference then is the FLATPAK_RUN_FLAG_SANDBOX run flag.

e: that's actually no semantic difference either...

@swick swick force-pushed the mr/apply-extra-data-sandbox branch from d95987e to fdd0bb5 Compare July 3, 2023 16:03
@swick swick marked this pull request as ready for review July 3, 2023 16:04
@swick
Copy link
Contributor Author

swick commented Jul 3, 2023

Should be good now.

@swick @alexlarsson
dir: Document the apply_extra_data run flags
af58d8c 
They are the same as `flatpak run --sandbox` with two exceptions:

  * `FLATPAK_RUN_FLAG_MULTIARCH` might be required so we just add it
    always
  * `FLATPAK_RUN_FLAG_NO_PROC` is added to prevent sandbox escapes via
    `/proc/self/exe`

Signed-off-by: Sebastian Wick <[email protected]>
@alexlarsson alexlarsson merged commit bbac52e into flatpak:main Jul 3, 2023
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@swick @alexlarsson