diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 99c8e3e7..414c5152 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2043,6 +2043,27 @@ flatpak_context_merge (FlatpakContext *context,
flatpak_context_add_nousb_query (context, value);
}
+static gboolean
+parse_if_option (const char *option_name,
+ const char *value,
+ char **name_out,
+ char **condition_out,
+ GError **error)
+{
+ g_auto(GStrv) tokens = g_strsplit (value, ":", 2);
+
+ if (g_strv_length (tokens) != 2)
+ {
+ g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
+ _("Invalid syntax for %s: %s"), option_name, value);
+ return FALSE;
+ }
+
+ *name_out = g_strdup (tokens[0]);
+ *condition_out = g_strdup (tokens[1]);
+ return TRUE;
+}
+
static gboolean
option_share_cb (const gchar *option_name,
const gchar *value,
@@ -2079,6 +2100,29 @@ option_unshare_cb (const gchar *option_name,
return TRUE;
}
+static gboolean
+option_share_if_cb (const gchar *option_name,
+ const gchar *value,
+ gpointer data,
+ GError **error)
+{
+ FlatpakContext *context = data;
+ g_autofree char *name = NULL;
+ g_autofree char *condition = NULL;
+ FlatpakContextShares share;
+
+ if (!parse_if_option (option_name, value, &name, &condition, error))
+ return FALSE;
+
+ share = flatpak_context_share_from_string (name, error);
+ if (share == 0)
+ return FALSE;
+
+ flatpak_permissions_set_allowed_if (context->shares_permissions,
+ name, condition);
+ return TRUE;
+}
+
static gboolean
option_socket_cb (const gchar *option_name,
const gchar *value,
@@ -2132,27 +2176,6 @@ option_nosocket_cb (const gchar *option_name,
return TRUE;
}
-static gboolean
-parse_if_option (const char *option_name,
- const char *value,
- char **name_out,
- char **condition_out,
- GError **error)
-{
- g_auto(GStrv) tokens = g_strsplit (value, ":", 2);
-
- if (g_strv_length (tokens) != 2)
- {
- g_set_error (error, G_OPTION_ERROR, G_OPTION_ERROR_FAILED,
- _("Invalid syntax for %s: %s"), option_name, value);
- return FALSE;
- }
-
- *name_out = g_strdup (tokens[0]);
- *condition_out = g_strdup (tokens[1]);
- return TRUE;
-}
-
static gboolean
option_socket_if_cb (const gchar *option_name,
const gchar *value,
@@ -2280,6 +2303,29 @@ option_disallow_cb (const gchar *option_name,
return TRUE;
}
+static gboolean
+option_allow_if_cb (const gchar *option_name,
+ const gchar *value,
+ gpointer data,
+ GError **error)
+{
+ FlatpakContext *context = data;
+ g_autofree char *name = NULL;
+ g_autofree char *condition = NULL;
+ FlatpakContextFeatures feature;
+
+ if (!parse_if_option (option_name, value, &name, &condition, error))
+ return FALSE;
+
+ feature = flatpak_context_feature_from_string (name, error);
+ if (feature == 0)
+ return FALSE;
+
+ flatpak_permissions_set_allowed_if (context->features_permissions,
+ name, condition);
+ return TRUE;
+}
+
static gboolean
option_filesystem_cb (const gchar *option_name,
const gchar *value,
@@ -2675,6 +2721,7 @@ static gboolean option_no_desktop_deprecated;
static GOptionEntry context_options[] = {
{ "share", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_share_cb, N_("Share with host"), N_("SHARE") },
{ "unshare", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_unshare_cb, N_("Unshare with host"), N_("SHARE") },
+ { "share-if", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_share_if_cb, N_("Require conditions to be met for a subsystem to get shared"), N_("SHARE:CONDITION") },
{ "socket", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_socket_cb, N_("Expose socket to app"), N_("SOCKET") },
{ "nosocket", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nosocket_cb, N_("Don't expose socket to app"), N_("SOCKET") },
{ "socket-if", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_socket_if_cb, N_("Require conditions to be met for a socket to get exposed"), N_("SOCKET:CONDITION") },
@@ -2683,6 +2730,7 @@ static GOptionEntry context_options[] = {
{ "device-if", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_device_if_cb, N_("Require conditions to be met for a device to get exposed"), N_("DEVICE:CONDITION") },
{ "allow", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_allow_cb, N_("Allow feature"), N_("FEATURE") },
{ "disallow", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_disallow_cb, N_("Don't allow feature"), N_("FEATURE") },
+ { "allow-if", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_allow_if_cb, N_("Require conditions to be met for a feature to get allowed"), N_("FEATURE:CONDITION") },
{ "filesystem", 0, G_OPTION_FLAG_IN_MAIN | G_OPTION_FLAG_FILENAME, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") },
{ "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN | G_OPTION_FLAG_FILENAME, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") },
{ "env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_cb, N_("Set environment variable"), N_("VAR=VALUE") },
diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml
index f52bf25c..34e6645c 100644
--- a/doc/flatpak-build-finish.xml
+++ b/doc/flatpak-build-finish.xml
@@ -127,6 +127,28 @@
+
+
+
+
+ Share a subsystem with the host session conditionally,
+ only when the specified condition is met at runtime.
+ This updates the [Context] group in the metadata.
+ SUBSYSTEM must be one of: network, ipc.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+
@@ -269,6 +291,28 @@
+
+
+
+
+ Allow access to a specific feature conditionally,
+ only when the specified condition is met at runtime.
+ This updates the [Context] group in the metadata.
+ FEATURE must be one of: devel, multiarch, bluetooth.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+
diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
index 44cb54dd..92f9aadd 100644
--- a/doc/flatpak-override.xml
+++ b/doc/flatpak-override.xml
@@ -130,6 +130,28 @@
+
+
+
+
+ Share a subsystem with the host session conditionally,
+ only when the specified condition is met at runtime.
+ This overrides to the Context section from the application metadata.
+ SUBSYSTEM must be one of: network, ipc.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+
@@ -248,6 +270,28 @@
+
+
+
+
+ Allow access to a specific feature conditionally,
+ only when the specified condition is met at runtime.
+ This overrides to the Context section from the application metadata.
+ FEATURE must be one of: devel, multiarch, bluetooth.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
index 29eaa43c..d0e0263d 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -325,6 +325,28 @@
+
+
+
+
+ Share a subsystem with the host session conditionally,
+ only when the specified condition is met at runtime.
+ This overrides to the Context section from the application metadata.
+ SUBSYSTEM must be one of: network, ipc.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+
@@ -441,6 +463,28 @@
+
+
+
+
+ Allow access to a specific feature conditionally,
+ only when the specified condition is met at runtime.
+ This overrides to the Context section from the application metadata.
+ FEATURE must be one of: devel, multiarch, bluetooth.
+ CONDITION must be one of:
+ , ,
+ , .
+ Conditions can be negated with !,
+ for example .
+ This option can be used multiple times.
+ Available since 1.17.
+
+ See the Conditional Permissions section in
+ flatpak-metadata5
+ for more details.
+
+
+