Verified Commit 259e7e4e authored by Iain Lane's avatar Iain Lane

thumbnail: Handle non-usrmerged systems and non-existing directories

On systems where /usr-merge hasn't been carried out, /bin (etc) won't
point to /usr/bin. In that case we should --ro-bind the directory
instead of --symlinking it.

This implements the suggestion from Simon McVittie on
https://bugzilla.gnome.org/show_bug.cgi?id=787072.

It also handles source directories not existing, which for example
/lib64 won't on 32-bit systems.

Closes: #4
Closes: #89
parent 0f3de28f
Pipeline #45265 passed with stage
in 36 minutes and 43 seconds
......@@ -506,22 +506,67 @@ setup_seccomp (GPtrArray *argv_array,
#endif
#ifdef HAVE_BWRAP
static gboolean
path_is_usrmerged (const char *dir)
{
/* does /dir point to /usr/dir? */
g_autofree char *target = NULL;
GStatBuf stat_buf_src, stat_buf_target;
if (g_stat (dir, &stat_buf_src) < 0)
return FALSE;
target = g_strdup_printf ("/usr/%s", dir);
if (g_stat (target, &stat_buf_target) < 0)
return FALSE;
return (stat_buf_src.st_dev == stat_buf_target.st_dev) &&
(stat_buf_src.st_ino == stat_buf_target.st_ino);
}
static gboolean
add_bwrap (GPtrArray *array,
ScriptExec *script)
{
const char * const usrmerged_dirs[] = { "bin", "lib64", "lib", "sbin" };
int i;
g_return_val_if_fail (script->outdir != NULL, FALSE);
g_return_val_if_fail (script->s_infile != NULL, FALSE);
add_args (array,
"bwrap",
"--ro-bind", "/usr", "/usr",
"--ro-bind", "/lib", "/lib",
"--ro-bind", "/lib64", "/lib64",
NULL);
/* These directories might be symlinks into /usr/... */
for (i = 0; i < G_N_ELEMENTS (usrmerged_dirs); i++)
{
g_autofree char *absolute_dir = g_strdup_printf ("/%s", usrmerged_dirs[i]);
if (!g_file_test (absolute_dir, G_FILE_TEST_EXISTS))
continue;
if (path_is_usrmerged (absolute_dir))
{
g_autofree char *symlink_target = g_strdup_printf ("/usr/%s", absolute_dir);
add_args (array,
"--symlink", symlink_target, absolute_dir,
NULL);
}
else
{
add_args (array,
"--ro-bind", absolute_dir, absolute_dir,
NULL);
}
}
add_args (array,
"--proc", "/proc",
"--dev", "/dev",
"--symlink", "usr/bin", "/bin",
"--symlink", "usr/sbin", "/sbin",
"--chdir", "/",
"--setenv", "GIO_USE_VFS", "local",
"--unshare-all",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment