/* GIO - GLib Input, Output and Streaming Library
*
* Copyright 2022 Canonical Ltd
*
* SPDX-License-Identifier: LGPL-2.1-or-later
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include "gsandbox.h"
#include <string.h>
#define SNAP_CONFINEMENT_PREFIX "confinement:"
static gboolean
is_flatpak (void)
{
const char *flatpak_info = "/.flatpak-info";
gboolean found;
#ifdef G_PORTAL_SUPPORT_TEST
char *test_key_file =
g_build_filename (g_get_user_runtime_dir (), flatpak_info, NULL);
flatpak_info = test_key_file;
#endif
found = g_file_test (flatpak_info, G_FILE_TEST_EXISTS);
#ifdef G_PORTAL_SUPPORT_TEST
g_clear_pointer (&test_key_file, g_free);
#endif
return found;
}
static gchar *
get_snap_confinement (const char *snap_yaml,
GError **error)
{
char *confinement = NULL;
char *yaml_contents;
if (g_file_get_contents (snap_yaml, &yaml_contents, NULL, error))
{
const char *line = yaml_contents;
do
{
if (g_str_has_prefix (line, SNAP_CONFINEMENT_PREFIX))
break;
line = strchr (line, '\n');
if (line)
line += 1;
}
while (line != NULL);
if (line)
{
const char *start = line + strlen (SNAP_CONFINEMENT_PREFIX);
const char *end = strchr (start, '\n');
confinement =
g_strstrip (end ? g_strndup (start, end-start) : g_strdup (start));
}
g_free (yaml_contents);
}
return g_steal_pointer (&confinement);
}
static gboolean
is_snap (void)
{
GError *error = NULL;
const gchar *snap_path;
gchar *yaml_path;
char *confinement;
gboolean result;
snap_path = g_getenv ("SNAP");
if (snap_path == NULL)
return FALSE;
result = FALSE;
yaml_path = g_build_filename (snap_path, "meta", "snap.yaml", NULL);
confinement = get_snap_confinement (yaml_path, &error);
g_free (yaml_path);
/* Classic snaps are de-facto no sandboxed apps, so we can ignore them */
if (!error && g_strcmp0 (confinement, "classic") != 0)
result = TRUE;
g_clear_error (&error);
g_free (confinement);
return result;
}
/*
* glib_get_sandbox_type:
*
* Gets the type of sandbox this process is running inside.
*
* Checking for sandboxes may involve doing blocking I/O calls, but should not take
* any significant time.
*
* The sandbox will not change over the lifetime of the process, so calling this
* function once and reusing the result is valid.
*
* If this process is not sandboxed then @G_SANDBOX_TYPE_UNKNOWN will be returned.
* This is because this function only detects known sandbox types in #GSandboxType.
* It may be updated in the future if new sandboxes come into use.
*
* Returns: a #GSandboxType.
*/
GSandboxType
glib_get_sandbox_type (void)
{
if (is_flatpak ())
return G_SANDBOX_TYPE_FLATPAK;
else if (is_snap ())
return G_SANDBOX_TYPE_SNAP;
else
return G_SANDBOX_TYPE_UNKNOWN;
}