This adds a new install stage to BuilderSourceFile that copies files to a specified directory within the appdir after post-install for sources that have opted into using it (currently only the file source and no-op for everyone else).

Additionally, the file source now has an install-dir and install-mode property. The install-dir property assumes the install location is relative to FLATPAK_DEST. If the destination file already exists, the install is skipped with a warning. If install-mode is specified as a valid octal permission string, the permissions are applied on the file; otherwise the file retains its original permissions.

Fixes: #54
| g_printerr ("Warning: %s already exists, skipping install\n", dst_path); | ||
| else | ||
| { | ||
| if (!g_file_copy (src, dst, G_FILE_COPY_NOFOLLOW_SYMLINKS, |
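Review bot: The `g_file_copy` call in the `else` branch passes `dst` through with only `G_FILE_COPY_NOFOLLOW_SYMLINKS`, and nothing in the lines shown confirms that `dst` still resolves inside the destination directory. That flag makes a symlink source get copied as a link; it does not constrain where the parent components of the destination lead. Resolve the install directory relative to a directory fd for the app dir and copy into that, rather than into a path string. Separately, the "already exists, skipping install" branch is a check made before the copy; since `G_FILE_COPY_OVERWRITE` is not passed, `g_file_copy` itself fails with `G_IO_ERROR_EXISTS` for an existing destination, so handling that error would close the gap between the check and the copy.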
AFAIU this is executed in the host context and dst can point to arbitrary locations on the filesystem. You really have to make sure that dst points somewhere inside dest_dir. This is harder than it sounds because even if you ensure there are no ".." in self->install_dir, there might be symlinks anywhere in the build-controlled path (and they do get followed even if you use G_FILE_COPY_NOFOLLOW_SYMLINKS; they only care about the last element in the path).
I think we have a very similar problem with the LICENSE file code (i.e. you can copy certain files from the host system to the build output).
The solution is to use something like openat2/chase (https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/64).
Yea this is indeed executed in host context.
Urgh, builder_migrate_locale_dirs also got this wrong already. I'm wondering if people assume that flatpak-builder is secure to run on untrusted content, because it certainly doesn't look like it is.