From 52f2ec615b1ae6994faa45b93407d876e60c9dd9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 21 Jan 2020 15:53:44 -0500
Subject: [PATCH] import flatpak-1.4.3-2.el8
---
.flatpak.metadata | 2 +-
.gitignore | 2 +-
SOURCES/0001-ref-Fix-a-memory-leak.patch | 26 ++
SOURCES/flatpak-1.0.4-oci-fixes.patch | 346 ---------------------
SOURCES/flatpak-1.0.6-CVE-2019-10063.patch | 29 --
SOURCES/flatpak-1.0.6-CVE-2019-5736.patch | 65 ----
SPECS/flatpak.spec | 127 ++++++--
7 files changed, 136 insertions(+), 461 deletions(-)
create mode 100644 SOURCES/0001-ref-Fix-a-memory-leak.patch
delete mode 100644 SOURCES/flatpak-1.0.4-oci-fixes.patch
delete mode 100644 SOURCES/flatpak-1.0.6-CVE-2019-10063.patch
delete mode 100644 SOURCES/flatpak-1.0.6-CVE-2019-5736.patch
diff --git a/.flatpak.metadata b/.flatpak.metadata
index abf3c92..93ade30 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-d2ebda16446fbd28d78d2f7df5ccb77c34f2874c SOURCES/flatpak-1.0.6.tar.xz
+9efde3d86f706e2bed43cb6bcd7177126388e544 SOURCES/flatpak-1.4.3.tar.xz
diff --git a/.gitignore b/.gitignore
index 8b49271..8e590c8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.0.6.tar.xz
+SOURCES/flatpak-1.4.3.tar.xz
diff --git a/SOURCES/0001-ref-Fix-a-memory-leak.patch b/SOURCES/0001-ref-Fix-a-memory-leak.patch
new file mode 100644
index 0000000..0acd1d8
--- /dev/null
+++ b/SOURCES/0001-ref-Fix-a-memory-leak.patch
@@ -0,0 +1,26 @@
+From 18a16227556ad0aa24f9b8c759d571fcc5cdb728 Mon Sep 17 00:00:00 2001
+From: Kalev Lember
+Date: Fri, 14 Jun 2019 12:30:57 +0200
+Subject: [PATCH] ref: Fix a memory leak
+
+Closes: #2964
+Approved by: mwleeds
+---
+ common/flatpak-ref.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/flatpak-ref.c b/common/flatpak-ref.c
+index 38554e97..6dacb19c 100644
+--- a/common/flatpak-ref.c
++++ b/common/flatpak-ref.c
+@@ -82,6 +82,7 @@ flatpak_ref_finalize (GObject *object)
+ g_free (priv->arch);
+ g_free (priv->branch);
+ g_free (priv->commit);
++ g_free (priv->collection_id);
+
+ G_OBJECT_CLASS (flatpak_ref_parent_class)->finalize (object);
+ }
+--
+2.21.0
+
diff --git a/SOURCES/flatpak-1.0.4-oci-fixes.patch b/SOURCES/flatpak-1.0.4-oci-fixes.patch
deleted file mode 100644
index 663d389..0000000
--- a/SOURCES/flatpak-1.0.4-oci-fixes.patch
+++ /dev/null
@@ -1,346 +0,0 @@ -From 3f5235e925ba6555cd9c639684660356867c952f Mon Sep 17 00:00:00 2001 -From: "Owen W. Taylor" -Date: Fri, 30 Nov 2018 16:11:06 -0500 -Subject: [PATCH 1/3] flatpak_cache_http_uri: save downloaded files with - permission 0644 - -Previously, downloaded files were being saved with 0600 permissions, -which prevented OCI icons downloaded by the system helper at appstream -creation time from being read by users. - -Closes: #2362 -Approved by: matthiasclasen ---- - common/flatpak-utils-http.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c -index 53074162..997c9db8 100644 ---- a/common/flatpak-utils-http.c -+++ b/common/flatpak-utils-http.c -@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile, - if (fdatasync (tmpfile->fd) != 0) - return glnx_throw_errno_prefix (error, "fdatasync"); - -+ if (fchmod (tmpfile->fd, 0644) != 0) -+ return glnx_throw_errno_prefix (error, "fchmod"); -+ - if (!glnx_link_tmpfile_at (tmpfile, - GLNX_LINK_TMPFILE_REPLACE, - tmpfile->src_dfd, dest_name, error)) --- -2.19.2 - - -From 3263827dbbd4d84919899e91ca066d2d3cf338bc Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 30 Nov 2018 10:30:20 +0100 -Subject: [PATCH 2/3] OCI: Use system helper to generate summary for OCI - remotes - -The OCI support relies on downloading a json index and converting it -to a ostree-style summary, which we the use in all sorts of operations -in the client code. Currently this happens in the user code, which means -that it will fail (due to permissions) in the system installation case. - -We could do the conversion as the user, but when eventually installing -something the system-helper will anyway do this download and -conversion, so that would only double the work and risk things going out -of sync. Also, the OCI index is not gpg signed, so we can't realy on -downloads done as the user. 
- -So, the solution done here is to add a GenerateOciSummary -system-helper call which we use instead of directly generating the -oci summary. - -This fixes https://github.com/flatpak/flatpak/issues/2350 - -Closes: #2363 -Approved by: matthiasclasen ---- - common/flatpak-dir-private.h | 5 ++ - common/flatpak-dir.c | 94 +++++++++++++++++++-------- - data/org.freedesktop.Flatpak.xml | 5 ++ - system-helper/flatpak-system-helper.c | 52 ++++++++++++++- - 4 files changed, 129 insertions(+), 27 deletions(-) - -diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h -index 64a72758..f6126056 100644 ---- a/common/flatpak-dir-private.h -+++ b/common/flatpak-dir-private.h -@@ -718,6 +718,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel - GBytes *opt_summary_sig, - GCancellable *cancellable, - GError **error); -+gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self, -+ const char *remote, -+ GBytes **out_summary, -+ GCancellable *cancellable, -+ GError **error); - FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self, - const char *remote, - GCancellable *cancellable, -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 828945ca..7853b74a 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self, - return ret != NULL; - } - -+static gboolean -+flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self, -+ const gchar *arg_origin, -+ const gchar *arg_installation, -+ GCancellable *cancellable, -+ GError **error) -+{ -+ g_autoptr(GVariant) ret = -+ flatpak_dir_system_helper_call (self, "GenerateOciSummary", -+ g_variant_new ("(ss)", -+ arg_origin, -+ arg_installation), -+ cancellable, error); -+ return ret != NULL; -+} -+ - static OstreeRepo * - system_ostree_repo_new (GFile *repodir) - { -@@ -9088,7 +9104,7 @@ flatpak_dir_cache_summary (FlatpakDir *self, - G_UNLOCK (cache); - } - 
--static gboolean -+gboolean - flatpak_dir_remote_make_oci_summary (FlatpakDir *self, - const char *remote, - GBytes **out_summary, -@@ -9103,42 +9119,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self, - g_autoptr(GError) local_error = NULL; - g_autoptr(GMappedFile) mfile = NULL; - g_autoptr(GBytes) cache_bytes = NULL; -+ g_autoptr(GBytes) summary_bytes = NULL; - -- self_name = flatpak_dir_get_name (self); -- -- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); -- if (index_cache == NULL) -- return FALSE; -+ if (flatpak_dir_use_system_helper (self, NULL)) -+ { -+ const char *installation = flatpak_dir_get_id (self); - -- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -- if (summary_cache == NULL) -- return FALSE; -+ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote, -+ installation ? installation : "", -+ cancellable, error)) -+ return FALSE; - -- if (check_destination_mtime (index_cache, summary_cache, cancellable)) -+ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -+ if (summary_cache == NULL) -+ return FALSE; -+ } -+ else - { -- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL); -- if (mfile) -+ self_name = flatpak_dir_get_name (self); -+ -+ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); -+ if (index_cache == NULL) -+ return FALSE; -+ -+ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -+ if (summary_cache == NULL) -+ return FALSE; -+ -+ if (!check_destination_mtime (index_cache, summary_cache, cancellable)) - { -- cache_bytes = g_mapped_file_get_bytes (mfile); -- *out_summary = g_steal_pointer (&cache_bytes); -+ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); -+ if (summary == NULL) -+ { -+ g_propagate_error (error, g_steal_pointer (&local_error)); -+ return FALSE; -+ } -+ -+ 
summary_bytes = g_variant_get_data_as_bytes (summary); -+ -+ if (!g_file_replace_contents (summary_cache, -+ g_bytes_get_data (summary_bytes, NULL), -+ g_bytes_get_size (summary_bytes), -+ NULL, FALSE, 0, NULL, cancellable, error)) -+ { -+ g_prefix_error (error, _("Failed to write summary cache: ")); -+ return FALSE; -+ } -+ -+ if (out_summary) -+ *out_summary = g_steal_pointer (&summary_bytes); - return TRUE; - } - } - -- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); -- if (summary == NULL) -+ if (out_summary) - { -- g_propagate_error (error, g_steal_pointer (&local_error)); -- return FALSE; -- } -- -- *out_summary = g_variant_get_data_as_bytes (summary); -+ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error); -+ if (mfile == NULL) -+ return FALSE; - -- if (!g_file_replace_contents (summary_cache, -- g_bytes_get_data (*out_summary, NULL), -- g_bytes_get_size (*out_summary), -- NULL, FALSE, 0, NULL, cancellable, NULL)) -- g_warning ("Failed to write summary cache"); -+ cache_bytes = g_mapped_file_get_bytes (mfile); -+ *out_summary = g_steal_pointer (&cache_bytes); -+ } - - return TRUE; - } -diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml -index 25dc8a02..8b1606c6 100644 ---- a/data/org.freedesktop.Flatpak.xml -+++ b/data/org.freedesktop.Flatpak.xml -@@ -144,6 +144,11 @@ - - - -+ -+ -+ -+ -+ - - - -diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c -index ce647b6e..29a2d3e1 100644 ---- a/system-helper/flatpak-system-helper.c -+++ b/system-helper/flatpak-system-helper.c -@@ -1122,6 +1122,54 @@ handle_update_summary (FlatpakSystemHelper *object, - return TRUE; - } - -+static gboolean -+handle_generate_oci_summary (FlatpakSystemHelper *object, -+ GDBusMethodInvocation *invocation, -+ const gchar *arg_origin, -+ const gchar *arg_installation) -+{ -+ g_autoptr(FlatpakDir) system = NULL; -+ g_autoptr(GError) error = 
NULL; -+ gboolean is_oci; -+ -+ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation); -+ -+ system = dir_get_system (arg_installation, &error); -+ if (system == NULL) -+ { -+ g_dbus_method_invocation_return_gerror (invocation, error); -+ return TRUE; -+ } -+ -+ if (!flatpak_dir_ensure_repo (system, NULL, &error)) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, -+ "Can't open system repo %s", error->message); -+ return TRUE; -+ } -+ -+ is_oci = flatpak_dir_get_remote_oci (system, arg_origin); -+ if (!is_oci) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, -+ "%s is not a OCI remote", arg_origin); -+ return TRUE; -+ } -+ -+ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error)) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, -+ "Failed to update OCI summary: %s", error->message); -+ return TRUE; -+ } -+ -+ -+ flatpak_system_helper_complete_generate_oci_summary (object, invocation); -+ -+ return TRUE; -+} -+ -+ - static gboolean - flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, - GDBusMethodInvocation *invocation, -@@ -1250,7 +1298,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, - g_strcmp0 (method_name, "PruneLocalRepo") == 0 || - g_strcmp0 (method_name, "EnsureRepo") == 0 || - g_strcmp0 (method_name, "RunTriggers") == 0 || -- g_strcmp0 (method_name, "UpdateSummary") == 0) -+ g_strcmp0 (method_name, "UpdateSummary") == 0 || -+ g_strcmp0 (method_name, "GenerateOciSummary") == 0) - { - const char *remote; - -@@ -1321,6 +1370,7 @@ on_bus_acquired (GDBusConnection *connection, - g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL); - g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL); - g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), 
NULL); -+ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL); - - g_signal_connect (helper, "g-authorize-method", - G_CALLBACK (flatpak_authorize_method_handler), --- -2.19.2 - - -From b7f1d5118fc4e1df472f7108472f122e279fe2b9 Mon Sep 17 00:00:00 2001 -From: Matthias Clasen -Date: Fri, 7 Dec 2018 14:39:06 -0500 -Subject: [PATCH 3/3] Fix oci pull progress reporting - -Comparing the code in flatpak-utils.c:progress_cb, -we need to set bytes-transferred for the total amount -of data that has been transferred so far. The value -we were setting so far, fetched-delta-part-size, refers -to the size of the objects we already have locally, and -is subtracted from the total, which explains oci progress -running backwards. - -Closes: #2392 - -Closes: #2400 -Approved by: matthiasclasen ---- - common/flatpak-dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 7853b74a..51cd1e66 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -4154,7 +4154,7 @@ oci_pull_progress_cb (guint64 total_size, guint64 pulled_size, - "total-delta-parts", "u", n_layers, - "fetched-delta-fallbacks", "u", 0, - "total-delta-fallbacks", "u", 0, -- "fetched-delta-part-size", "t", pulled_size, -+ "bytes-transferred", "t", pulled_size, - "total-delta-part-size", "t", total_size, - "total-delta-part-usize", "t", total_size, - "total-delta-superblocks", "u", 0, --- -2.19.2 - diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch deleted file mode 100644 index a713027..0000000 --- a/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From 77f076712949c13b9bcecc02d043cbd6de6e291e Mon Sep 17 00:00:00 2001
-From: Ryan Gonzalez
-Date: Mon, 25 Mar 2019 13:00:15 -0500
-Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
-
-Closes #2782.
-
-Closes: #2783
-Approved by: alexlarsson
----
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 90b435fe..d1acd9f2 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2147,7 +2147,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
-
- /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
-+ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
- };
-
- struct
---
-2.21.0
-
diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch
deleted file mode 100644
index 65bed56..0000000
--- a/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From 9cb5f1e465cf5a3e643caf7159e89530ae867be2 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Sun, 10 Feb 2019 18:23:44 +0100 -Subject: [PATCH] Don't expose /proc when running apply_extra - -As shown by CVE-2019-5736, it is sometimes possible for the sandbox -app to access outside files using /proc/self/exe. This is not -typically an issue for flatpak as the sandbox runs as the user which -has no permissions to e.g. modify the host files. - -However, when installing apps using extra-data into the system repo -we *do* actually run a sandbox as root. So, in this case we disable mounting -/proc in the sandbox, which will neuter attacks like this. - -(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4) ---- - common/flatpak-common-types-private.h | 1 + - common/flatpak-dir.c | 2 +- - common/flatpak-run.c | 6 +++++- - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h -index e361777e1..b8f76b9c4 100644 ---- a/common/flatpak-common-types-private.h -+++ b/common/flatpak-common-types-private.h -@@ -45,6 +45,7 @@ typedef enum { - FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15), - FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16), - FLATPAK_RUN_FLAG_CANBUS = (1 << 17), -+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), - } FlatpakRunFlags; - - typedef struct FlatpakDir FlatpakDir; -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 0809a42be..7d44cfb4f 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -6507,7 +6507,7 @@ apply_extra_data (FlatpakDir *self, - NULL); - - if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2], -- FLATPAK_RUN_FLAG_NO_SESSION_HELPER, -+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC, - error)) - return FALSE; - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index e8e55262e..ab167c00d 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ 
-2373,9 +2373,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap, - "# Disable user pkcs11 config, because the host modules don't work in the runtime\n" - "user-config: none\n"; - -+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) -+ flatpak_bwrap_add_args (bwrap, -+ "--proc", "/proc", -+ NULL); -+ - flatpak_bwrap_add_args (bwrap, - "--unshare-pid", -- "--proc", "/proc", - "--dir", "/tmp", - "--dir", "/var/tmp", - "--dir", "/run/host", diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index eabf799..a486da7 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec 
@@ -1,31 +1,32 @@ %global bubblewrap_version 0.2.1 -%global ostree_version 2018.7 +%global ostree_version 2018.9 Name: flatpak -Version: 1.0.6 -Release: 4%{?dist} +Version: 1.4.3 +Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1657306 -Patch0: flatpak-1.0.4-oci-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1675776 -Patch1: flatpak-1.0.6-CVE-2019-5736.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1700654 -Patch2: flatpak-1.0.6-CVE-2019-10063.patch + +# Backported from upstream +Patch0: 0001-ref-Fix-a-memory-leak.patch BuildRequires: pkgconfig(appstream-glib) +BuildRequires: pkgconfig(dconf) +BuildRequires: pkgconfig(fuse) +BuildRequires: pkgconfig(gdk-pixbuf-2.0) BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 BuildRequires: pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(libarchive) >= 2.8.0 +BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libsoup-2.4) +BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libxml-2.0) >= 2.4 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(polkit-gobject-1) -BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(xau) BuildRequires: bison BuildRequires: bubblewrap >= %{bubblewrap_version} 
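Review bot: `Patch1` (CVE-2019-5736) and `Patch2` (CVE-2019-10063) are dropped here together with their bugzilla references, and nothing in the new spec records that the 1.4.3 tarball carries both fixes. The rebase presumably makes the patches redundant, but that is inferred from the version bump and is not stated anywhere in the commit. It should be confirmed against the 1.4.3 sources by checking the `FLATPAK_RUN_FLAG_NO_PROC` handling in `apply_extra_data` and the `SCMP_CMP_MASKED_EQ` comparison for `TIOCSTI` in `setup_seccomp`. To keep the audit trail I would add a comment above `Patch0`, for example `# CVE-2019-5736 (rhbz#1675776) and CVE-2019-10063 (rhbz#1700654) are fixed upstream in 1.4.3`, or an equivalent line under the 1.4.3-1 entry in the `%changelog` hunk.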
@@ -38,8 +39,14 @@ BuildRequires: systemd BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xsltproc +%{?systemd_requires} + Requires: bubblewrap >= %{bubblewrap_version} +Requires: librsvg2%{?_isa} Requires: ostree-libs%{?_isa} >= %{ostree_version} +# https://fedoraproject.org/wiki/SELinux/IndependentPolicy +Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted) +Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Recommends: p11-kit-server # Make sure the document portal is installed 
@@ -70,20 +77,63 @@ Summary: Libraries for %{name} License: LGPLv2+ Requires: bubblewrap >= %{bubblewrap_version} Requires: ostree%{?_isa} >= %{ostree_version} +Requires(pre): /usr/sbin/useradd %description libs This package contains libflatpak. +%package selinux +Summary: SELinux policy module for %{name} +License: LGPLv2+ +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +This package contains the SELinux policy module for %{name}. + +%package session-helper +Summary: User D-Bus service used by %{name} and others +License: LGPLv2+ +Conflicts: flatpak < 1.4.1-2 +Requires: systemd + +%description session-helper +This package contains the org.freedesktop.Flatpak user D-Bus service +that's used by %{name} and other packages. + +%package tests +Summary: Tests for %{name} +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: bubblewrap >= %{bubblewrap_version} +Requires: ostree%{?_isa} >= %{ostree_version} + +%description tests +This package contains installed tests for %{name}. + %prep %autosetup -p1 %build +# Fix generic python shebangs. +find tests -name '*.py' -exec \ + sed -i -e 's|/usr/bin/python|/usr/bin/python3|' {} + + (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; - # User namespace support is sufficient. - %configure --with-priv-mode=none \ - --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS) + # Generate consistent IDs between runs to avoid multilib problems. + export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" + %configure \ + --enable-docbook-docs \ + --enable-installed-tests \ + --enable-selinux-module \ + --with-priv-mode=none \ + --with-system-bubblewrap \ + $CONFIGFLAGS) %make_build V=1 
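Review bot: The shebang rewrite added to `%build`, `sed -i -e 's|/usr/bin/python|/usr/bin/python3|'`, is unanchored, so a test script that already starts with `#!/usr/bin/python3` comes out as `#!/usr/bin/python33`, and any other line mentioning that path is rewritten too. Restricting the substitution to an exact first-line match avoids both: `sed -i -e '1s|^#!/usr/bin/python$|#!/usr/bin/python3|' {} +`. The step would also read more naturally in `%prep`, since it edits the unpacked sources and builds nothing. Whether any script under `tests` is affected today cannot be seen from this hunk.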
@@ -97,11 +147,29 @@ rm -f %{buildroot}%{_libdir}/libflatpak.la %find_lang %{name} +%pre +getent group flatpak >/dev/null || groupadd -r flatpak +getent passwd flatpak >/dev/null || \ + useradd -r -g flatpak -d / -s /sbin/nologin \ + -c "User for flatpak system helper" flatpak +exit 0 + + %post # Create an (empty) system-wide repo. flatpak remote-list --system &> /dev/null || : +%post selinux +%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 + + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 +fi + + %ldconfig_scriptlets libs @@ -114,9 +182,7 @@ flatpak remote-list --system &> /dev/null || : %{_bindir}/flatpak-bisect %{_bindir}/flatpak-coredumpctl %{_datadir}/bash-completion -%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml %{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml -%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service # Co-own directory. @@ -127,8 +193,9 @@ flatpak remote-list --system &> /dev/null || : %{_datadir}/zsh/site-functions %{_libexecdir}/flatpak-dbus-proxy %{_libexecdir}/flatpak-portal -%{_libexecdir}/flatpak-session-helper %{_libexecdir}/flatpak-system-helper +%{_libexecdir}/flatpak-validate-icon +%{_libexecdir}/revokefs-fuse %dir %{_localstatedir}/lib/flatpak %{_mandir}/man1/%{name}*.1* %{_mandir}/man5/%{name}-metadata.5* @@ -141,9 +208,7 @@ flatpak remote-list --system &> /dev/null || : %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service %{_userunitdir}/flatpak-portal.service -%{_userunitdir}/flatpak-session-helper.service -# Co-own directory. -%{_userunitdir}/dbus.service.d +%{_systemd_user_env_generator_dir}/60-flatpak %files devel %{_datadir}/gir-1.0/Flatpak-1.0.gir 
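Review bot: The new `%pre` scriptlet belongs to the main package, but its only ordering dependency, `Requires(pre): /usr/sbin/useradd`, was added under `%package libs` in the `@@ -70,20 +77,63 @@` hunk, and `groupadd` is not listed at all. If the account tools are not yet installed when this `%pre` runs, both commands fail and the trailing `exit 0` hides it. The package would then be installed without the `flatpak` account, which the `-c` string describes as the user for the system helper. I would put `Requires(pre): /usr/sbin/useradd` and `Requires(pre): /usr/sbin/groupadd` next to the main package's other `Requires:` lines. Whether the main package pulls in `-libs` early enough to mask this is not visible in these hunks.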
@@ -157,8 +222,32 @@ flatpak remote-list --system &> /dev/null || : %{_libdir}/girepository-1.0/Flatpak-1.0.typelib %{_libdir}/libflatpak.so.* +%files selinux +%{_datadir}/selinux/packages/flatpak.pp.bz2 +%{_datadir}/selinux/devel/include/contrib/flatpak.if + +%files session-helper +%license COPYING +%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml +%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service +%{_libexecdir}/flatpak-session-helper +%{_userunitdir}/flatpak-session-helper.service + +%files tests +%{_datadir}/installed-tests +%{_libexecdir}/installed-tests + %changelog +* Fri Nov 08 2019 David King - 1.4.3-2 +- Use %%{?selinux_requires} for proper install ordering + +* Tue Oct 08 2019 David King - 1.4.3-1 +- Rebase to 1.4.3 (#1748276) + +* Fri Sep 20 2019 Kalev Lember - 1.0.9-1 +- Update to 1.0.9 (#1753613) + * Tue May 14 2019 David King - 1.0.6-4 - Bump release (#1700654)