Update to 1.13.3
While Flatpak should ideally use at least appstream 0.15.3, certain
practicalities make it difficult to bump the requirement upstream:
https://github.com/flatpak/flatpak/pull/4949
This reverts 8cbbf30854
because the
downstream patch for gssproxy support doesn't apply anymore and needs
to be rebased. Ideally, we shouldn't be in a rush to apply unreviewed
patches to Rawhide unless there's some major ongoing crisis.
This commit is contained in:
parent
8cbbf30854
commit
575d1a8370
1
.gitignore
vendored
1
.gitignore
vendored
@ -104,3 +104,4 @@
|
||||
/flatpak-1.12.6.tar.xz
|
||||
/flatpak-1.13.1.tar.xz
|
||||
/flatpak-1.13.2.tar.xz
|
||||
/flatpak-1.13.3.tar.xz
|
||||
|
@ -1,118 +0,0 @@
|
||||
From 50c12cbeea35590779098e2e01313cc781f91f31 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Thu, 12 May 2022 12:44:59 -0500
|
||||
Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
|
||||
|
||||
We're using a directory rather than binding a socket directly for
|
||||
increased robustness. In theory, if gssproxy crashes on the host, a new
|
||||
socket that a new gssproxy process creates should be immediately visible
|
||||
inside the sandbox. Nifty.
|
||||
|
||||
Previously, applications that wanted to use Kerberos authentication
|
||||
would have to punch a sandbox hole for the host's KCM socket. In
|
||||
contrast, this gssproxy socket is designed for use by sandboxed apps.
|
||||
|
||||
See also: https://github.com/gssapi/gssproxy/issues/45
|
||||
---
|
||||
common/flatpak-run.c | 18 +++++++++++++++++-
|
||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index b91be51b..ccf9807b 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -924,6 +924,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
|
||||
flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
|
||||
}
|
||||
|
||||
+static void
|
||||
+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
|
||||
+{
|
||||
+ /* We only expose the gssproxy user service. The gssproxy system service is
|
||||
+ * not intended to be exposed to sandboxed environments.
|
||||
+ */
|
||||
+ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
|
||||
+ const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/";
|
||||
+
|
||||
+ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
|
||||
+ flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
|
||||
{
|
||||
@@ -4561,7 +4574,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
|
||||
}
|
||||
|
||||
if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
|
||||
- flatpak_run_add_resolved_args (bwrap);
|
||||
+ {
|
||||
+ flatpak_run_add_gssproxy_args (bwrap);
|
||||
+ flatpak_run_add_resolved_args (bwrap);
|
||||
+ }
|
||||
|
||||
flatpak_run_add_journal_args (bwrap);
|
||||
add_font_path_args (bwrap);
|
||||
--
|
||||
2.36.1
|
||||
|
||||
|
||||
From b4eb25dacbe745b10606adb8b0080c75490e9070 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Mon, 23 May 2022 09:59:48 -0500
|
||||
Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
|
||||
|
||||
If this environment variable is set on the host, it's going to mess up
|
||||
authentication in the sandbox. For example, if the host has:
|
||||
|
||||
KRB5CCNAME=KCM:
|
||||
|
||||
then the sandboxed process will try to use the host KCM socket, which is
|
||||
not available in the sandboxed environment, rather than the gssproxy
|
||||
socket that we want it to use. We need to unset it to ensure that
|
||||
whatever configuration we ship in the runtime gets used instead. We have
|
||||
switched the GNOME runtime to use an empty krb5.conf and it works as
|
||||
long as we don't break it with this environment variable meant for the
|
||||
host.
|
||||
---
|
||||
common/flatpak-run.c | 4 +++-
|
||||
doc/flatpak-run.xml | 1 +
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index ccf9807b..b66f326c 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -1851,7 +1851,8 @@ static const ExportData default_exports[] = {
|
||||
{"XDG_RUNTIME_DIR", NULL},
|
||||
|
||||
/* Some env vars are common enough and will affect the sandbox badly
|
||||
- if set on the host. We clear these always. */
|
||||
+ if set on the host. We clear these always. If updating this list,
|
||||
+ also update the list in flatpak-run.xml. */
|
||||
{"PYTHONPATH", NULL},
|
||||
{"PERLLIB", NULL},
|
||||
{"PERL5LIB", NULL},
|
||||
@@ -1868,6 +1869,7 @@ static const ExportData default_exports[] = {
|
||||
{"GST_PTP_HELPER", NULL},
|
||||
{"GST_PTP_HELPER_1_0", NULL},
|
||||
{"GST_INSTALL_PLUGINS_HELPER", NULL},
|
||||
+ {"KRB5CCNAME", NULL},
|
||||
};
|
||||
|
||||
static const ExportData no_ld_so_cache_exports[] = {
|
||||
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
|
||||
index c1396b07..ca181f32 100644
|
||||
--- a/doc/flatpak-run.xml
|
||||
+++ b/doc/flatpak-run.xml
|
||||
@@ -89,6 +89,7 @@
|
||||
<member>PERLLIB</member>
|
||||
<member>PERL5LIB</member>
|
||||
<member>XCURSOR_PATH</member>
|
||||
+ <member>KRB5CCNAME</member>
|
||||
</simplelist>
|
||||
<para>
|
||||
Flatpak also overrides the XDG environment variables to point sandboxed applications
|
||||
--
|
||||
2.36.1
|
||||
|
@ -1,105 +0,0 @@
|
||||
From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
|
||||
From: Debarshi Ray <debarshir@gnome.org>
|
||||
Date: Tue, 12 Apr 2022 20:28:29 +0200
|
||||
Subject: [PATCH 1/3] selinux: Let the system helper have read access to
|
||||
/etc/passwd
|
||||
|
||||
The system-helper (ie., the `flatpak-system-helper` process) is
|
||||
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
|
||||
domain, and needs to be able to read /etc/passwd. This explicitly
|
||||
permits it to do so to avoid running into SELinux denials.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2070350
|
||||
---
|
||||
selinux/flatpak.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
||||
index 2bcc507b725a..871ffa2906cc 100644
|
||||
--- a/selinux/flatpak.te
|
||||
+++ b/selinux/flatpak.te
|
||||
@@ -12,6 +12,8 @@ type flatpak_helper_t;
|
||||
type flatpak_helper_exec_t;
|
||||
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
||||
|
||||
+auth_read_passwd(flatpak_helper_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_stub()
|
||||
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
|
||||
From: Debarshi Ray <debarshir@gnome.org>
|
||||
Date: Tue, 12 Apr 2022 20:56:06 +0200
|
||||
Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
|
||||
$libexecdir
|
||||
|
||||
The system-helper (ie., the `flatpak-system-helper` process) is
|
||||
labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
|
||||
domain, and tries to set up an inotify(7) watch on it's own binary so
|
||||
that it can exit when the binary is replaced. This explicitly permits
|
||||
it to do so to avoid running into SELinux denials.
|
||||
|
||||
The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
|
||||
and is therefore used conditionally when defined.
|
||||
|
||||
[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
|
||||
https://github.com/fedora-selinux/selinux-policy/pull/1133
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2053634
|
||||
---
|
||||
selinux/flatpak.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
||||
index 871ffa2906cc..0bb776314ddb 100644
|
||||
--- a/selinux/flatpak.te
|
||||
+++ b/selinux/flatpak.te
|
||||
@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
||||
|
||||
auth_read_passwd(flatpak_helper_t)
|
||||
|
||||
+ifdef(`corecmd_watch_bin_dirs',`
|
||||
+ corecmd_watch_bin_dirs(flatpak_helper_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_stub()
|
||||
dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
|
||||
From: Debarshi Ray <debarshir@gnome.org>
|
||||
Date: Tue, 12 Apr 2022 22:33:11 +0200
|
||||
Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
|
||||
|
||||
It's clearly quite important to have read access to /var/lib/flatpak
|
||||
and it's contents. This explicitly permits that to avoid running
|
||||
into SELinux denials.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2070741
|
||||
---
|
||||
selinux/flatpak.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
||||
index 0bb776314ddb..e1fd4377373f 100644
|
||||
--- a/selinux/flatpak.te
|
||||
+++ b/selinux/flatpak.te
|
||||
@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
|
||||
init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
|
||||
|
||||
auth_read_passwd(flatpak_helper_t)
|
||||
+files_list_var_lib(flatpak_helper_t)
|
||||
+files_read_var_lib_files(flatpak_helper_t)
|
||||
|
||||
ifdef(`corecmd_watch_bin_dirs',`
|
||||
corecmd_watch_bin_dirs(flatpak_helper_t)
|
||||
--
|
||||
2.35.1
|
||||
|
23
flatpak.spec
23
flatpak.spec
@ -1,10 +1,12 @@
|
||||
%global appstream_version 0.14.0
|
||||
%global appstream_version 0.15.3
|
||||
%global bubblewrap_version 0.5.0
|
||||
%global glib_version 2.46.0
|
||||
%global libcurl_version 7.29.0
|
||||
%global ostree_version 2020.8
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.13.2
|
||||
Release: 4%{?dist}
|
||||
Version: 1.13.3
|
||||
Release: 1%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
@ -20,20 +22,16 @@ Source1: flatpak-add-fedora-repos.service
|
||||
# with the config from upstream sources.
|
||||
Source2: flatpak.sysusers.conf
|
||||
|
||||
Patch0: flatpak-selinux-permissions.patch
|
||||
# https://github.com/flatpak/flatpak/pull/4914
|
||||
Patch1: flatpak-1.13.2-add-gssproxy-support.patch
|
||||
|
||||
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
BuildRequires: pkgconfig(fuse)
|
||||
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
|
||||
BuildRequires: pkgconfig(gio-unix-2.0)
|
||||
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
|
||||
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
|
||||
BuildRequires: pkgconfig(json-glib-1.0)
|
||||
BuildRequires: pkgconfig(libarchive) >= 2.8.0
|
||||
BuildRequires: pkgconfig(libseccomp)
|
||||
BuildRequires: pkgconfig(libsoup-2.4)
|
||||
BuildRequires: pkgconfig(libcurl) >= %{libcurl_version}
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
|
||||
BuildRequires: pkgconfig(libzstd) >= 0.8.1
|
||||
@ -57,6 +55,8 @@ BuildRequires: /usr/bin/xsltproc
|
||||
|
||||
Requires: appstream%{?_isa} >= %{appstream_version}
|
||||
Requires: bubblewrap >= %{bubblewrap_version}
|
||||
Requires: glib2%{?_isa} >= %{glib_version}
|
||||
Requires: libcurl%{?_isa} >= %{libcurl_version}
|
||||
Requires: librsvg2%{?_isa}
|
||||
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
||||
Requires: /usr/bin/xdg-dbus-proxy
|
||||
@ -143,6 +143,7 @@ This package contains installed tests for %{name}.
|
||||
--enable-docbook-docs \
|
||||
--enable-installed-tests \
|
||||
--enable-selinux-module \
|
||||
--with-curl \
|
||||
--with-priv-mode=none \
|
||||
--with-system-bubblewrap \
|
||||
--with-system-dbus-proxy \
|
||||
@ -270,6 +271,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jun 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-1
|
||||
- Update to 1.13.3
|
||||
- Remove downstream patch for gssproxy support until it gets rebased
|
||||
|
||||
* Tue Jun 07 2022 David King <amigadave@amigadave.com> - 1.13.2-4
|
||||
- Add gssproxy support
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (flatpak-1.13.2.tar.xz) = d7e1d0a9965332220f829caa5724d7547280db10f7428b4e9add87152da1d7dad97edcde85668501d5a50e6a7c1031bfd15e8f4cbc7196e1c0f7cc3d2e333fe1
|
||||
SHA512 (flatpak-1.13.3.tar.xz) = 8aeef0b0c00a958b04d3d40b9bc6fa6afd3b4875fea6aa4a64ed1fe4e5e67a6e17543fa42e20d7e0e99e22d26821fb392849206f27f1ee7c6cf4c78f8aed2cfe
|
||||
|
Loading…
Reference in New Issue
Block a user