Merge branch 'snap-portal-support' into 'main'

portal: Check for snap plugs before accessing portals

See merge request GNOME/glib!3020

gio/gportalsupport.c

@@ -20,35 +20,78 @@
 
 #include "config.h"
 
+#include "glib-private.h"
 #include "gportalsupport.h"
 #include "gsandbox.h"
 
+static GSandboxType sandbox_type = G_SANDBOX_TYPE_UNKNOWN;
 static gboolean use_portal;
 static gboolean network_available;
 static gboolean dconf_access;
 
-static void
+#ifdef G_PORTAL_SUPPORT_TEST
-read_flatpak_info (void)
+static const char *snapctl = "snapctl";
-{
+#else
-  static gsize flatpak_info_read = 0;
+static const char *snapctl = "/usr/bin/snapctl";
-  GSandboxType sandbox_type;
+#endif
 
-  if (!g_once_init_enter (&flatpak_info_read))
+static gboolean
+snap_plug_is_connected (const gchar *plug_name)
+{
+  gint wait_status;
+  const gchar *argv[] = { snapctl, "is-connected", plug_name, NULL };
+
+  /* Bail out if our process is privileged - we don't want to pass those
+   * privileges to snapctl. It could be overridden and this would
+   * allow arbitrary code execution.
+   */
+  if (GLIB_PRIVATE_CALL (g_check_setuid) ())
+    return FALSE;
+
+  if (!g_spawn_sync (NULL, (gchar **) argv, NULL,
+#ifdef G_PORTAL_SUPPORT_TEST
+                     G_SPAWN_SEARCH_PATH |
+#endif
+                         G_SPAWN_STDOUT_TO_DEV_NULL |
+                         G_SPAWN_STDERR_TO_DEV_NULL,
+                     NULL, NULL, NULL, NULL, &wait_status,
+                     NULL))
+    return FALSE;
+
+  return g_spawn_check_wait_status (wait_status, NULL);
+}
+
+static void
+sandbox_info_read (void)
+{
+  static gsize sandbox_info_is_read = 0;
+
+  /* Sandbox type and Flatpak info is static, so only read once */
+  if (!g_once_init_enter (&sandbox_info_is_read))
     return;
 
   sandbox_type = glib_get_sandbox_type ();
+
   switch (sandbox_type)
     {
     case G_SANDBOX_TYPE_FLATPAK:
       {
         GKeyFile *keyfile;
+        const char *keyfile_path = "/.flatpak-info";
 
         use_portal = TRUE;
         network_available = FALSE;
         dconf_access = FALSE;
 
         keyfile = g_key_file_new ();
-        if (g_key_file_load_from_file (keyfile, "/.flatpak-info", G_KEY_FILE_NONE, NULL))
+
+#ifdef G_PORTAL_SUPPORT_TEST
+        char *test_key_file =
+          g_build_filename (g_get_user_runtime_dir (), keyfile_path, NULL);
+        keyfile_path = test_key_file;
+#endif
+
+        if (g_key_file_load_from_file (keyfile, keyfile_path, G_KEY_FILE_NONE, NULL))
           {
             char **shared = NULL;
             char *dconf_policy = NULL;
@@ -69,11 +112,16 @@ read_flatpak_info (void)
               }
           }
 
+#ifdef G_PORTAL_SUPPORT_TEST
+        g_clear_pointer (&test_key_file, g_free);
+#endif
+
         g_key_file_unref (keyfile);
       }
       break;
-    case G_SANDBOX_TYPE_UNKNOWN:
     case G_SANDBOX_TYPE_SNAP:
+      break;
+    case G_SANDBOX_TYPE_UNKNOWN:
       {
         const char *var;
 
@@ -86,26 +134,45 @@ read_flatpak_info (void)
       break;
     }
 
-  g_once_init_leave (&flatpak_info_read, 1);
+  g_once_init_leave (&sandbox_info_is_read, 1);
 }
 
 gboolean
 glib_should_use_portal (void)
 {
-  read_flatpak_info ();
+  sandbox_info_read ();
+
+  if (sandbox_type == G_SANDBOX_TYPE_SNAP)
+    return snap_plug_is_connected ("desktop");
+
   return use_portal;
 }
 
 gboolean
 glib_network_available_in_sandbox (void)
 {
-  read_flatpak_info ();
+  sandbox_info_read ();
+
+  if (sandbox_type == G_SANDBOX_TYPE_SNAP)
+    {
+      /* FIXME: This is inefficient doing multiple calls to check connections.
+       * See https://github.com/snapcore/snapd/pull/12301 for a proposed
+       * improvement to snapd for this.
+       */
+      return snap_plug_is_connected ("desktop") ||
+        snap_plug_is_connected ("network-status");
+    }
+
   return network_available;
 }
 
 gboolean
 glib_has_dconf_access_in_sandbox (void)
 {
-  read_flatpak_info ();
+  sandbox_info_read ();
+
+  if (sandbox_type == G_SANDBOX_TYPE_SNAP)
+    return snap_plug_is_connected ("gsettings");
+
   return dconf_access;
 }

gio/gsandbox.c

@@ -22,27 +22,93 @@
 
 #include "gsandbox.h"
 
+#include <string.h>
+
+#define SNAP_CONFINEMENT_PREFIX "confinement:"
+
 static gboolean
 is_flatpak (void)
 {
-  return g_file_test ("/.flatpak-info", G_FILE_TEST_EXISTS);
+  const char *flatpak_info = "/.flatpak-info";
+  gboolean found;
+
+#ifdef G_PORTAL_SUPPORT_TEST
+        char *test_key_file =
+          g_build_filename (g_get_user_runtime_dir (), flatpak_info, NULL);
+        flatpak_info = test_key_file;
+#endif
+
+  found = g_file_test (flatpak_info, G_FILE_TEST_EXISTS);
+
+#ifdef G_PORTAL_SUPPORT_TEST
+  g_clear_pointer (&test_key_file, g_free);
+#endif
+
+  return found;
+}
+
+static gchar *
+get_snap_confinement (const char  *snap_yaml,
+                      GError     **error)
+{
+  char *confinement = NULL;
+  char *yaml_contents;
+
+  if (g_file_get_contents (snap_yaml, &yaml_contents, NULL, error))
+    {
+      const char *line = yaml_contents;
+
+      do
+        {
+          if (g_str_has_prefix (line, SNAP_CONFINEMENT_PREFIX))
+            break;
+
+          line = strchr (line, '\n');
+          if (line)
+            line += 1;
+        }
+      while (line != NULL);
+
+      if (line)
+        {
+          const char *start = line + strlen (SNAP_CONFINEMENT_PREFIX);
+          const char *end = strchr (start, '\n');
+
+          confinement =
+            g_strstrip (end ? g_strndup (start, end-start) : g_strdup (start));
+        }
+
+      g_free (yaml_contents);
+    }
+
+  return g_steal_pointer (&confinement);
 }
 
 static gboolean
 is_snap (void)
 {
+  GError *error = NULL;
   const gchar *snap_path;
   gchar *yaml_path;
+  char *confinement;
   gboolean result;
 
   snap_path = g_getenv ("SNAP");
   if (snap_path == NULL)
     return FALSE;
 
+  result = FALSE;
   yaml_path = g_build_filename (snap_path, "meta", "snap.yaml", NULL);
-  result = g_file_test (yaml_path, G_FILE_TEST_EXISTS);
+  confinement = get_snap_confinement (yaml_path, &error);
   g_free (yaml_path);
 
+  /* Classic snaps are de-facto no sandboxed apps, so we can ignore them */
+  if (!error && g_strcmp0 (confinement, "classic") != 0)
+    result = TRUE;
+
+  g_clear_error (&error);
+  g_free (confinement);
+
   return result;
 }
 

gio/tests/meson.build

@@ -108,7 +108,8 @@ gio_tests = {
   'proxy-test' : {},
   'readwrite' : {},
   'sandbox' : {
-    'source': ['sandbox.c', '../gsandbox.c'],
+    'extra_sources': ['../gsandbox.c', 'portal-support-utils.c'],
+    'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
   },
   'simple-async-result' : {},
   'simple-proxy' : {},
@@ -227,6 +228,45 @@ if host_machine.system() != 'windows'
     'gdbus-peer-object-manager' : {},
     'gdbus-sasl' : {},
     'live-g-file' : {},
+    'portal-support-flatpak-none' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-flatpak-full' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-flatpak-network-only' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-flatpak-gsettings-only' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-none' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-env-var' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-snap' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
+    'portal-support-snap-classic' : {
+      'extra_sources': ['../gportalsupport.c', '../gsandbox.c', 'portal-support-utils.c'],
+      'c_args': ['-DG_PORTAL_SUPPORT_TEST'],
+      'suite': ['portal-support'],
+    },
     'resolver-parsing' : {'dependencies' : [network_libs]},
     'socket-address' : {},
     'stream-rw_all' : {},

gio/tests/portal-support-env-var.c

@@ -0,0 +1,45 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_env_var (void)
+{
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_setenv ("GTK_USE_PORTAL", "1", TRUE);
+
+  g_test_add_func ("/portal-support/env-var", test_portal_support_env_var);
+
+  return g_test_run ();
+}

gio/tests/portal-support-flatpak-full.c

@@ -0,0 +1,49 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_flatpak_full (void)
+{
+  create_fake_flatpak_info (g_get_user_runtime_dir (),
+    (GStrv)(const char* []) {"foo", "bar", "network", "more", NULL},
+    "talk");
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add_func ("/portal-support/flatpak/full", test_portal_support_flatpak_full);
+
+  return g_test_run ();
+}

gio/tests/portal-support-flatpak-gsettings-only.c

@@ -0,0 +1,49 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_flatpak_gsettings_only (void)
+{
+  create_fake_flatpak_info (g_get_user_runtime_dir (),
+    (GStrv)(const char* []) {"unsupported-stuff", NULL},
+    "talk");
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add_func ("/portal-support/flatpak/gsettings", test_portal_support_flatpak_gsettings_only);
+
+  return g_test_run ();
+}

gio/tests/portal-support-flatpak-network-only.c

@@ -0,0 +1,49 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_flatpak_network (void)
+{
+  create_fake_flatpak_info (g_get_user_runtime_dir (),
+    (GStrv)(const char* []) {"foo", "bar", "network", "more", NULL},
+    "do-not-talk");
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add_func ("/portal-support/flatpak/network", test_portal_support_flatpak_network);
+
+  return g_test_run ();
+}

gio/tests/portal-support-flatpak-none.c

@@ -0,0 +1,47 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_flatpak_none (void)
+{
+  create_fake_flatpak_info (g_get_user_runtime_dir (), NULL, NULL);
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add_func ("/portal-support/flatpak/none", test_portal_support_flatpak_none);
+
+  return g_test_run ();
+}

gio/tests/portal-support-none.c

@@ -0,0 +1,43 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+static void
+test_portal_support_none (void)
+{
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add_func ("/portal-support/none", test_portal_support_none);
+
+  return g_test_run ();
+}

gio/tests/portal-support-snap-classic.c

@@ -0,0 +1,119 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+
+typedef struct
+{
+  char *old_path;
+  char *old_snap;
+
+  const char *bin_path;
+  const char *snap_path;
+} SetupData;
+
+static void
+tests_setup (SetupData *setup_data,
+             gconstpointer data)
+{
+  setup_data->old_path = g_strdup (g_getenv ("PATH"));
+  setup_data->old_snap = g_strdup (g_getenv ("SNAP"));
+
+  setup_data->bin_path = g_get_user_runtime_dir ();
+  setup_data->snap_path = g_getenv ("G_TEST_TMPDIR");
+
+  g_assert_nonnull (setup_data->bin_path);
+  g_assert_nonnull (setup_data->snap_path);
+
+  g_setenv ("PATH", setup_data->bin_path, TRUE);
+  g_setenv ("SNAP", setup_data->snap_path, TRUE);
+}
+
+static void
+tests_teardown (SetupData *setup_data,
+                gconstpointer data)
+{
+  if (setup_data->old_path)
+    g_setenv ("PATH", setup_data->old_path, TRUE);
+  else
+    g_unsetenv ("PATH");
+
+  if (setup_data->old_snap)
+    g_setenv ("SNAP", setup_data->old_snap, TRUE);
+  else
+    g_unsetenv ("SNAP");
+
+  g_clear_pointer (&setup_data->old_path, g_free);
+  g_clear_pointer (&setup_data->old_snap, g_free);
+}
+
+static void
+test_portal_support_snap_no_snapctl (SetupData *setup,
+                                     gconstpointer data)
+{
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_none (SetupData *setup,
+                               gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, TRUE);
+  create_fake_snapctl (setup->bin_path, NULL);
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_all (SetupData *setup,
+                              gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, TRUE);
+  create_fake_snapctl (setup->bin_path, "desktop|network-status|gsettings");
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add ("/portal-support/snap-classic/no-snapctl", SetupData, NULL,
+    tests_setup, test_portal_support_snap_no_snapctl, tests_teardown);
+  g_test_add ("/portal-support/snap-classic/none", SetupData, NULL,
+    tests_setup, test_portal_support_snap_none, tests_teardown);
+  g_test_add ("/portal-support/snap-classic/all", SetupData, NULL,
+    tests_setup, test_portal_support_snap_all, tests_teardown);
+
+  return g_test_run ();
+}

gio/tests/portal-support-snap.c

@@ -0,0 +1,208 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include "../gportalsupport.h"
+#include <gio/gio.h>
+#include <glib/gstdio.h>
+
+typedef struct
+{
+  char *old_path;
+  char *old_snap;
+
+  const char *bin_path;
+  const char *snap_path;
+} SetupData;
+
+static void
+tests_setup (SetupData *setup_data,
+             gconstpointer data)
+{
+  setup_data->old_path = g_strdup (g_getenv ("PATH"));
+  setup_data->old_snap = g_strdup (g_getenv ("SNAP"));
+
+  setup_data->bin_path = g_get_user_runtime_dir ();
+  setup_data->snap_path = g_getenv ("G_TEST_TMPDIR");
+
+  g_assert_nonnull (setup_data->bin_path);
+  g_assert_nonnull (setup_data->snap_path);
+
+  g_setenv ("PATH", setup_data->bin_path, TRUE);
+  g_setenv ("SNAP", setup_data->snap_path, TRUE);
+}
+
+static void
+tests_teardown (SetupData *setup_data,
+                gconstpointer data)
+{
+  if (setup_data->old_path)
+    g_setenv ("PATH", setup_data->old_path, TRUE);
+  else
+    g_unsetenv ("PATH");
+
+  if (setup_data->old_snap)
+    g_setenv ("SNAP", setup_data->old_snap, TRUE);
+  else
+    g_unsetenv ("SNAP");
+
+  g_clear_pointer (&setup_data->old_path, g_free);
+  g_clear_pointer (&setup_data->old_snap, g_free);
+}
+
+static void
+test_portal_support_snap_no_snapctl (SetupData *setup,
+                                     gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_none (SetupData *setup,
+                               gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, NULL);
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_all (SetupData *setup,
+                              gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, "desktop|network-status|gsettings");
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_desktop_only (SetupData *setup,
+                                       gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, "desktop");
+
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_network_only (SetupData *setup,
+                                       gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, "network-status");
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_gsettings_only (SetupData *setup,
+                                         gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, "gsettings");
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+}
+
+static void
+test_portal_support_snap_updates_dynamically (SetupData *setup,
+                                              gconstpointer data)
+{
+  create_fake_snap_yaml (setup->snap_path, FALSE);
+  create_fake_snapctl (setup->bin_path, NULL);
+
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, "desktop");
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, "network-status|gsettings");
+  g_assert_false (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, "desktop|network-status|gsettings");
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, "desktop|gsettings");
+  g_assert_true (glib_should_use_portal ());
+  g_assert_true (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, "gsettings");
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_true (glib_has_dconf_access_in_sandbox ());
+
+  create_fake_snapctl (setup->bin_path, NULL);
+  g_assert_false (glib_should_use_portal ());
+  g_assert_false (glib_network_available_in_sandbox ());
+  g_assert_false (glib_has_dconf_access_in_sandbox ());
+}
+
+int
+main (int argc, char **argv)
+{
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
+
+  g_test_add ("/portal-support/snap/no-snapctl", SetupData, NULL,
+    tests_setup, test_portal_support_snap_no_snapctl, tests_teardown);
+  g_test_add ("/portal-support/snap/none", SetupData, NULL,
+    tests_setup, test_portal_support_snap_none, tests_teardown);
+  g_test_add ("/portal-support/snap/all", SetupData, NULL,
+    tests_setup, test_portal_support_snap_all, tests_teardown);
+  g_test_add ("/portal-support/snap/desktop-only", SetupData, NULL,
+    tests_setup, test_portal_support_snap_desktop_only, tests_teardown);
+  g_test_add ("/portal-support/snap/network-only", SetupData, NULL,
+    tests_setup, test_portal_support_snap_network_only, tests_teardown);
+  g_test_add ("/portal-support/snap/gsettings-only", SetupData, NULL,
+    tests_setup, test_portal_support_snap_gsettings_only, tests_teardown);
+  g_test_add ("/portal-support/snap/updates-dynamically", SetupData, NULL,
+    tests_setup, test_portal_support_snap_updates_dynamically, tests_teardown);
+
+  return g_test_run ();
+}

gio/tests/portal-support-utils.c

@@ -0,0 +1,141 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include "portal-support-utils.h"
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+void
+create_fake_snapctl (const char *path,
+                     const char *supported_op)
+{
+  GError *error = NULL;
+  char *snapctl_content;
+  char *snapctl;
+
+  snapctl = g_build_filename (path, "snapctl", NULL);
+  snapctl_content = g_strdup_printf ("#!/bin/sh\n" \
+                                     "[ \"$1\" != 'is-connected' ] && exit 2\n"
+                                     "[ -z \"$2\" ] && exit 3\n"
+                                     "[ -n \"$3\" ] && exit 4\n"
+                                     "case \"$2\" in\n"
+                                     "  %s) exit 0;;\n"
+                                     "  *) exit 1;;\n"
+                                     "esac\n",
+                                     supported_op ? supported_op : "<invalid>");
+
+  g_file_set_contents (snapctl, snapctl_content, -1, &error);
+  g_assert_no_error (error);
+  g_assert_cmpint (g_chmod (snapctl, 0500), ==, 0);
+
+  g_test_message ("Created snapctl in %s", snapctl);
+
+  g_clear_error (&error);
+  g_free (snapctl_content);
+  g_free (snapctl);
+}
+
+void
+create_fake_snap_yaml (const char *snap_path,
+                       gboolean is_classic)
+{
+  char *meta_path;
+  char *yaml_path;
+  char *yaml_contents;
+
+  g_assert_nonnull (snap_path);
+
+  yaml_contents = g_strconcat ("name: glib-test-portal-support\n"
+                               "title: GLib Portal Support Test\n"
+                               "version: 2.76\n"
+                               "summary: Test it works\n",
+                               is_classic ?
+                                "confinement: classic\n" : NULL, NULL);
+
+  meta_path = g_build_filename (snap_path, "meta", NULL);
+  g_assert_cmpint (g_mkdir_with_parents (meta_path, 0700), ==, 0);
+
+  yaml_path = g_build_filename (meta_path, "snap.yaml", NULL);
+  g_file_set_contents (yaml_path, yaml_contents, -1, NULL);
+
+  g_test_message ("Created snap.yaml in %s", yaml_path);
+
+  g_free (meta_path);
+  g_free (yaml_path);
+  g_free (yaml_contents);
+}
+
+void
+create_fake_flatpak_info_from_key_file (const char *root_path,
+                                        GKeyFile   *key_file)
+{
+  GError *error = NULL;
+  char *key_file_path;
+
+  g_assert_nonnull (root_path);
+
+  key_file_path = g_build_filename (root_path, ".flatpak-info", NULL);
+  g_test_message ("Creating .flatpak-info in %s", key_file_path);
+  g_key_file_save_to_file (key_file, key_file_path, &error);
+  g_assert_no_error (error);
+
+  g_free (key_file_path);
+}
+
+void
+create_fake_flatpak_info (const char  *root_path,
+                          const GStrv shared_context,
+                          const char  *dconf_dbus_policy)
+{
+  GKeyFile *key_file;
+
+  key_file = g_key_file_new ();
+
+  /* File format is defined at:
+   *  https://docs.flatpak.org/en/latest/flatpak-command-reference.html
+   */
+  g_key_file_set_string (key_file, "Application", "name",
+                         "org.gnome.GLib.Test.Flatpak");
+  g_key_file_set_string (key_file, "Application", "runtime",
+                         "org.gnome.Platform/x86_64/44");
+  g_key_file_set_string (key_file, "Application", "sdk",
+                         "org.gnome.Sdk/x86_64/44");
+
+  if (shared_context)
+    {
+      g_key_file_set_string_list (key_file, "Context", "shared",
+                                  (const char * const *) shared_context,
+                                  g_strv_length (shared_context));
+    }
+
+  if (dconf_dbus_policy)
+    {
+      g_key_file_set_string (key_file, "Session Bus Policy", "ca.desrt.dconf",
+                             dconf_dbus_policy);
+    }
+
+  create_fake_flatpak_info_from_key_file (root_path, key_file);
+
+  g_key_file_free (key_file);
+}

gio/tests/portal-support-utils.h

@@ -0,0 +1,37 @@
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright (C) 2022 Canonical Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Marco Trevisan <marco.trevisan@canonical.com>
+ */
+
+#include <glib.h>
+
+void create_fake_snap_yaml (const char *snap_path,
+                            gboolean is_classic);
+
+void create_fake_snapctl (const char *path,
+                          const char *supported_op);
+
+void create_fake_flatpak_info (const char  *root_path,
+                               const GStrv shared_context,
+                               const char  *dconf_dbus_policy);
+
+void create_fake_flatpak_info_from_key_file (const char *root_path,
+                                             GKeyFile   *key_file);

gio/tests/sandbox.c

@@ -17,6 +17,8 @@
  * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "portal-support-utils.h"
+
 #include "../gsandbox.h"
 #include <gio/gio.h>
 #include <glib/gstdio.h>
@@ -30,40 +32,57 @@ test_sandbox_none (void)
 static void
 test_sandbox_snap (void)
 {
-  gchar *temp_dir, *snap_path, *snap_version_path, *meta_path, *yaml_path;
+  const char *temp_dir;
-  GError *error = NULL;
+  gchar *snap_path;
 
-  temp_dir = g_dir_make_tmp ("gio-test-sandbox_XXXXXX", &error);
+  temp_dir = g_getenv ("G_TEST_TMPDIR");
-  g_assert_no_error (error);
+  g_assert_nonnull (temp_dir);
-  snap_path = g_build_filename (temp_dir, "snap", NULL);
+
-  snap_version_path = g_build_filename (snap_path, "current", NULL);
+  snap_path = g_build_filename (temp_dir, "snap", "current", NULL);
-  meta_path = g_build_filename (snap_version_path, "meta", NULL);
+  create_fake_snap_yaml (snap_path, FALSE);
-  yaml_path = g_build_filename (meta_path, "snap.yaml", NULL);
+  g_setenv ("SNAP", snap_path, TRUE);
-  g_mkdir_with_parents (meta_path, 0700);
-  g_file_set_contents (yaml_path, "", -1, NULL);
-  g_setenv ("SNAP", snap_version_path, TRUE);
 
   g_assert_cmpint (glib_get_sandbox_type (), ==, G_SANDBOX_TYPE_SNAP);
 
   g_unsetenv ("SNAP");
-  g_unlink (yaml_path);
-  g_rmdir (meta_path);
-  g_rmdir (snap_version_path);
-  g_rmdir (snap_path);
-  g_rmdir (temp_dir);
-  g_free (temp_dir);
   g_free (snap_path);
-  g_free (meta_path);
+}
-  g_free (yaml_path);
+
+static void
+test_sandbox_snap_classic (void)
+{
+  const char *temp_dir;
+  char *snap_path;
+
+  temp_dir = g_getenv ("G_TEST_TMPDIR");
+  g_assert_nonnull (temp_dir);
+
+  snap_path = g_build_filename (temp_dir, "snap", "current", NULL);
+  create_fake_snap_yaml (snap_path, TRUE);
+  g_setenv ("SNAP", snap_path, TRUE);
+
+  g_assert_cmpint (glib_get_sandbox_type (), ==, G_SANDBOX_TYPE_UNKNOWN);
+
+  g_unsetenv ("SNAP");
+  g_free (snap_path);
+}
+
+static void
+test_sandbox_flatpak (void)
+{
+  create_fake_flatpak_info (g_get_user_runtime_dir (), NULL, NULL);
+  g_assert_cmpint (glib_get_sandbox_type (), ==, G_SANDBOX_TYPE_FLATPAK);
 }
 
 int
 main (int argc, char **argv)
 {
-  g_test_init (&argc, &argv, NULL);
+  g_test_init (&argc, &argv, G_TEST_OPTION_ISOLATE_DIRS, NULL);
 
   g_test_add_func ("/sandbox/none", test_sandbox_none);
   g_test_add_func ("/sandbox/snap", test_sandbox_snap);
+  g_test_add_func ("/sandbox/classic-snap", test_sandbox_snap_classic);
+  g_test_add_func ("/sandbox/flatpak", test_sandbox_flatpak);
 
   return g_test_run ();
 }