Update to 1.13.3

While Flatpak should ideally use at least appstream 0.15.3, certain
practicalities make it difficult to bump the requirement upstream:
  https://github.com/flatpak/flatpak/pull/4949

This reverts 8cbbf30854 because the
downstream patch for gssproxy support doesn't apply anymore and needs
to be rebased.  Ideally, we shouldn't be in a rush to apply unreviewed
patches to Rawhide unless there's some major ongoing crisis.
Debarshi Ray 2022-06-17 02:45:03 +02:00
parent 8cbbf30854
commit 575d1a8370
5 changed files with 16 additions and 233 deletions

1
.gitignore vendored

@ -104,3 +104,4 @@
/flatpak-1.12.6.tar.xz
/flatpak-1.13.1.tar.xz
/flatpak-1.13.2.tar.xz
/flatpak-1.13.3.tar.xz


@ -1,118 +0,0 @@
From 50c12cbeea35590779098e2e01313cc781f91f31 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Thu, 12 May 2022 12:44:59 -0500
Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
We're using a directory rather than binding a socket directly for
increased robustness. In theory, if gssproxy crashes on the host, a new
socket that a new gssproxy process creates should be immediately visible
inside the sandbox. Nifty.
Previously, applications that wanted to use Kerberos authentication
would have to punch a sandbox hole for the host's KCM socket. In
contrast, this gssproxy socket is designed for use by sandboxed apps.
See also: https://github.com/gssapi/gssproxy/issues/45
---
common/flatpak-run.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index b91be51b..ccf9807b 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -924,6 +924,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
}
+static void
+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
+{
+ /* We only expose the gssproxy user service. The gssproxy system service is
+ * not intended to be exposed to sandboxed environments.
+ */
+ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
+ const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/";
+
+ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
+ flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
+}
+
static void
flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
{
@@ -4561,7 +4574,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
}
if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
- flatpak_run_add_resolved_args (bwrap);
+ {
+ flatpak_run_add_gssproxy_args (bwrap);
+ flatpak_run_add_resolved_args (bwrap);
+ }
flatpak_run_add_journal_args (bwrap);
add_font_path_args (bwrap);
--
2.36.1
From b4eb25dacbe745b10606adb8b0080c75490e9070 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Mon, 23 May 2022 09:59:48 -0500
Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
If this environment variable is set on the host, it's going to mess up
authentication in the sandbox. For example, if the host has:
KRB5CCNAME=KCM:
then the sandboxed process will try to use the host KCM socket, which is
not available in the sandboxed environment, rather than the gssproxy
socket that we want it to use. We need to unset it to ensure that
whatever configuration we ship in the runtime gets used instead. We have
switched the GNOME runtime to use an empty krb5.conf and it works as
long as we don't break it with this environment variable meant for the
host.
---
common/flatpak-run.c | 4 +++-
doc/flatpak-run.xml | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index ccf9807b..b66f326c 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -1851,7 +1851,8 @@ static const ExportData default_exports[] = {
{"XDG_RUNTIME_DIR", NULL},
/* Some env vars are common enough and will affect the sandbox badly
- if set on the host. We clear these always. */
+ if set on the host. We clear these always. If updating this list,
+ also update the list in flatpak-run.xml. */
{"PYTHONPATH", NULL},
{"PERLLIB", NULL},
{"PERL5LIB", NULL},
@@ -1868,6 +1869,7 @@ static const ExportData default_exports[] = {
{"GST_PTP_HELPER", NULL},
{"GST_PTP_HELPER_1_0", NULL},
{"GST_INSTALL_PLUGINS_HELPER", NULL},
+ {"KRB5CCNAME", NULL},
};
static const ExportData no_ld_so_cache_exports[] = {
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
index c1396b07..ca181f32 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -89,6 +89,7 @@
<member>PERLLIB</member>
<member>PERL5LIB</member>
<member>XCURSOR_PATH</member>
+ <member>KRB5CCNAME</member>
</simplelist>
<para>
Flatpak also overrides the XDG environment variables to point sandboxed applications
--
2.36.1


@ -1,105 +0,0 @@
From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 20:28:29 +0200
Subject: [PATCH 1/3] selinux: Let the system helper have read access to
/etc/passwd
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and needs to be able to read /etc/passwd. This explicitly
permits it to do so to avoid running into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
---
selinux/flatpak.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 2bcc507b725a..871ffa2906cc 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -12,6 +12,8 @@ type flatpak_helper_t;
type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
+auth_read_passwd(flatpak_helper_t)
+
optional_policy(`
dbus_stub()
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
--
2.35.1
From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 20:56:06 +0200
Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
$libexecdir
The system-helper (ie., the `flatpak-system-helper` process) is
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
domain, and tries to set up an inotify(7) watch on it's own binary so
that it can exit when the binary is replaced. This explicitly permits
it to do so to avoid running into SELinux denials.
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
and is therefore used conditionally when defined.
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
https://github.com/fedora-selinux/selinux-policy/pull/1133
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
---
selinux/flatpak.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 871ffa2906cc..0bb776314ddb 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
auth_read_passwd(flatpak_helper_t)
+ifdef(`corecmd_watch_bin_dirs',`
+ corecmd_watch_bin_dirs(flatpak_helper_t)
+')
+
optional_policy(`
dbus_stub()
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
--
2.35.1
From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 12 Apr 2022 22:33:11 +0200
Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
It's clearly quite important to have read access to /var/lib/flatpak
and it's contents. This explicitly permits that to avoid running
into SELinux denials.
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
---
selinux/flatpak.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index 0bb776314ddb..e1fd4377373f 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
auth_read_passwd(flatpak_helper_t)
+files_list_var_lib(flatpak_helper_t)
+files_read_var_lib_files(flatpak_helper_t)
ifdef(`corecmd_watch_bin_dirs',`
corecmd_watch_bin_dirs(flatpak_helper_t)
--
2.35.1


@ -1,10 +1,12 @@
%global appstream_version 0.14.0
%global appstream_version 0.15.3
%global bubblewrap_version 0.5.0
%global glib_version 2.46.0
%global libcurl_version 7.29.0
%global ostree_version 2020.8
Name: flatpak
Version: 1.13.2
Release: 4%{?dist}
Version: 1.13.3
Release: 1%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@ -20,20 +22,16 @@ Source1: flatpak-add-fedora-repos.service
# with the config from upstream sources.
Source2: flatpak.sysusers.conf
Patch0: flatpak-selinux-permissions.patch
# https://github.com/flatpak/flatpak/pull/4914
Patch1: flatpak-1.13.2-add-gssproxy-support.patch
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp)
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(libcurl) >= %{libcurl_version}
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
BuildRequires: pkgconfig(libzstd) >= 0.8.1
@ -57,6 +55,8 @@ BuildRequires: /usr/bin/xsltproc
Requires: appstream%{?_isa} >= %{appstream_version}
Requires: bubblewrap >= %{bubblewrap_version}
Requires: glib2%{?_isa} >= %{glib_version}
Requires: libcurl%{?_isa} >= %{libcurl_version}
Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/xdg-dbus-proxy
@ -143,6 +143,7 @@ This package contains installed tests for %{name}.
--enable-docbook-docs \
--enable-installed-tests \
--enable-selinux-module \
--with-curl \
--with-priv-mode=none \
--with-system-bubblewrap \
--with-system-dbus-proxy \
@ -270,6 +271,10 @@ fi
%changelog
* Fri Jun 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-1
- Update to 1.13.3
- Remove downstream patch for gssproxy support until it gets rebased
* Tue Jun 07 2022 David King <amigadave@amigadave.com> - 1.13.2-4
- Add gssproxy support
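Review bot: The `%changelog` entry for 1.13.3-1 names only the gssproxy patch, but `Patch0: flatpak-selinux-permissions.patch` appears to be dropped from the spec alongside `Patch1`, and a patch file carrying three SELinux rules for `flatpak_helper_t` is deleted in this commit. The configure call still passes `--enable-selinux-module`, so if `auth_read_passwd`, `corecmd_watch_bin_dirs` and the `/var/lib` read rules are not in the 1.13.3 tarball, the system helper would presumably hit the denials from the referenced Bugzilla reports again. If they were merged upstream, say so with a line such as `- Remove downstream SELinux permissions patch, included in 1.13.3`. The same entry could note that removing Patch1 also drops the `KRB5CCNAME` clearing until the rebase lands. The +/- markers are lost on this rendered page, so the set of removed spec lines is inferred from the hunk counts.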


@ -1 +1 @@
SHA512 (flatpak-1.13.2.tar.xz) = d7e1d0a9965332220f829caa5724d7547280db10f7428b4e9add87152da1d7dad97edcde85668501d5a50e6a7c1031bfd15e8f4cbc7196e1c0f7cc3d2e333fe1
SHA512 (flatpak-1.13.3.tar.xz) = 8aeef0b0c00a958b04d3d40b9bc6fa6afd3b4875fea6aa4a64ed1fe4e5e67a6e17543fa42e20d7e0e99e22d26821fb392849206f27f1ee7c6cf4c78f8aed2cfe