gsandbox: Mark classic snaps as UNKNOWN sandbox type

Classic snaps are just a kind of packages with no sandbox at all, so there's no point to mark them as sandboxed. In this way we can just do IO checks once without having to multiply them. Co-Authored-by: Robert Ancell <robert.ancell@canonical.com>
2025-03-28 10:30:03 +01:00 · 2022-11-24 04:26:19 +01:00 · 2022-11-24 04:26:19 +01:00 · 0e4dff445f
commit 0e4dff445f
parent 660242af07
2 changed files with 89 additions and 2 deletions
--- a/gio/gsandbox.c
+++ b/gio/gsandbox.c
@ -22,27 +22,78 @@

 #include "gsandbox.h"

+#include <string.h>
+
+#define SNAP_CONFINEMENT_PREFIX "confinement:"
+
 static gboolean
 is_flatpak (void)
 {
  return g_file_test ("/.flatpak-info", G_FILE_TEST_EXISTS);
 }

+static gchar *
+get_snap_confinement (const char  *snap_yaml,
+                      GError     **error)
+{
+  char *confinement = NULL;
+  char *yaml_contents;
+
+  if (g_file_get_contents (snap_yaml, &yaml_contents, NULL, error))
+    {
+      const char *line = yaml_contents;
+
+      do
+        {
+          if (g_str_has_prefix (line, SNAP_CONFINEMENT_PREFIX))
+            break;
+
+          line = strchr (line, '\n');
+          if (line)
+            line += 1;
+        }
+      while (line != NULL);
+
+      if (line)
+        {
+          const char *start = line + strlen (SNAP_CONFINEMENT_PREFIX);
+          const char *end = strchr (start, '\n');
+
+          confinement =
+            g_strstrip (end ? g_strndup (start, end-start) : g_strdup (start));
+        }
+
+      g_free (yaml_contents);
+    }
+
+  return g_steal_pointer (&confinement);
+}
+
 static gboolean
 is_snap (void)
 {
+  GError *error = NULL;
  const gchar *snap_path;
  gchar *yaml_path;
+  char *confinement;
  gboolean result;

  snap_path = g_getenv ("SNAP");
  if (snap_path == NULL)
    return FALSE;

+  result = FALSE;
  yaml_path = g_build_filename (snap_path, "meta", "snap.yaml", NULL);
-  result = g_file_test (yaml_path, G_FILE_TEST_EXISTS);
+  confinement = get_snap_confinement (yaml_path, &error);
  g_free (yaml_path);

+  /* Classic snaps are de-facto no sandboxed apps, so we can ignore them */
+  if (!error && g_strcmp0 (confinement, "classic") != 0)
+    result = TRUE;
+
+  g_clear_error (&error);
+  g_free (confinement);
+
  return result;
 }

--- a/gio/tests/sandbox.c
+++ b/gio/tests/sandbox.c
@ -33,6 +33,10 @@ test_sandbox_snap (void)
  const char *temp_dir;
  gchar *snap_path, *meta_path, *yaml_path;
  GError *error = NULL;
+  const char *contents = "name: glib-test-portal-support\n"
+                         "title: GLib Portal Support Test\n"
+                         "version: 2.76\n"
+                         "summary: Test it works\n";

  temp_dir = g_getenv ("G_TEST_TMPDIR");
  g_assert_nonnull (temp_dir);
@ -41,7 +45,7 @@ test_sandbox_snap (void)
  meta_path = g_build_filename (snap_path, "meta", NULL);
  yaml_path = g_build_filename (meta_path, "snap.yaml", NULL);
  g_mkdir_with_parents (meta_path, 0700);
-  g_file_set_contents (yaml_path, "", -1, &error);
+  g_file_set_contents (yaml_path, contents, -1, &error);
  g_assert_no_error (error);
  g_setenv ("SNAP", snap_path, TRUE);

@ -53,6 +57,37 @@ test_sandbox_snap (void)
  g_free (yaml_path);
 }

+static void
+test_sandbox_snap_classic (void)
+{
+  GError *error = NULL;
+  const char *temp_dir;
+  char *snap_path, *meta_path, *yaml_path;
+  const char *contents = "name: glib-test-portal-support\n"
+                         "title: GLib Portal Support Test\n"
+                         "version: 2.76\n"
+                         "summary: Test it works\n"
+                         "confinement: classic\n";
+
+  temp_dir = g_getenv ("G_TEST_TMPDIR");
+  g_assert_nonnull (temp_dir);
+
+  snap_path = g_build_filename (temp_dir, "snap", "current", NULL);
+  meta_path = g_build_filename (snap_path, "meta", NULL);
+  yaml_path = g_build_filename (meta_path, "snap.yaml", NULL);
+  g_mkdir_with_parents (meta_path, 0700);
+  g_file_set_contents (yaml_path, contents, -1, &error);
+  g_assert_no_error (error);
+  g_setenv ("SNAP", snap_path, TRUE);
+
+  g_assert_cmpint (glib_get_sandbox_type (), ==, G_SANDBOX_TYPE_UNKNOWN);
+
+  g_unsetenv ("SNAP");
+  g_free (snap_path);
+  g_free (meta_path);
+  g_free (yaml_path);
+}
+
 int
 main (int argc, char **argv)
 {
@ -60,6 +95,7 @@ main (int argc, char **argv)

  g_test_add_func ("/sandbox/none", test_sandbox_none);
  g_test_add_func ("/sandbox/snap", test_sandbox_snap);
+  g_test_add_func ("/sandbox/classic-snap", test_sandbox_snap_classic);

  return g_test_run ();
 }