Flatpak uses a limited form of ostree repos called "bare-user-only". In this for certain things are not allowed. For instance all files are assumed to be owned by uid and gid 0, and certain permissions like world-writable dirs are forbiddent. This is both for security reasons (we want no such bad permissions), but also because we need to represent the objects on disk as written by a non-root user (during pulls, etc).
If i install the fedora platform and run flatpak repair then it reports a bunch of invalid object, as reported by https://github.com/flatpak/flatpak/issues/2470.
I did some research on this:
# Install fedora stuff: flatpak remote-add --user fedora oci+https://registry.fedoraproject.org flatpak --user install fedora org.fedoraproject.MediaWriter # Get a list of broken object ids, note that they are all in the platform flatpak repair --dry-run --user > a 2>&1 # Get all files in the platform with object ids ostree --repo=/home/alex/.local/share/flatpak/repo ls -CR runtime/org.fedoraproject.Platform/x86_64/f29 > b # Reverse map each invalid object to a file for obj in $(grep invalid a | awk "{ print \$3 }" | sed s/.file//); do grep $obj b; done
This results in showing all the symlinks in the platform, like this:
l00777 0 0 0 9880aff2821430f579e4696a6d029c8aa098856aa29c195cdb83ba38f6616ef8 /files/tmp -> ../var/tmp l00777 0 0 0 9d3f386eae02cfa44ae8fe22f01b86ffe6b255b4857288dee48d502c1e7fd966 /files/bin/awk -> gawk l00777 0 0 0 811a375c1d8e8742f5d02246af00136f2192905d06ae1dd7de662f16b1ddebea /files/bin/bashbug -> bashbug-64 l00777 0 0 0 9396116ed486f52943960a591fe9375fb6d79328540eafaf3ae2f14cb7cc962b /files/bin/bunzip2 -> bzip2 l00777 0 0 0 9396116ed486f52943960a591fe9375fb6d79328540eafaf3ae2f14cb7cc962b /files/bin/bzcat -> bzip2
However, if i redo the install after having tweaked the mode of the flatpak repo to "bare-user", which stores the full permissions (in xattrs) i get for example for the above gawk symlink:
l00755 0 0 0 9d3f386eae02cfa44ae8fe22f01b86ffe6b255b4857288dee48d502c1e7fd966 /files/bin/awk -> gawk
So, it seems like we're generating non-canonical permissions for symlinks. I'm not sure exactly where this is happening, but I have two guesses:
In flatpak_builder.py we call out to ostree commit, this should also pass --canonical-permissions to generate permissions that are guaranteed to work with bare-user-only repos (and thus flatpak).
ostree commit
--canonical-permissions
In flatpak_builder.py the function _export_from_stream() does some manual permission changes. It references https://github.com/flatpak/flatpak/blob/master/app/flatpak-builtins-build-export.c#L189 for this, but doesn't seem to quite do the same thing. In particular, it doesn't have an else if is_regular() case, which seems like it will trigger this to run on symlinks too.
else if is_regular()
I think the second is causing the above issue, but both should be fixed.
I landed fixes for both parts in version 0.10.1 - the generated runtimes seem to avoid repair issues now. (Will need to wait for Fedora OSBS to be updated to get these fixes for the official runtime.)
Metadata Update from @otaylor: - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.