From 575d1a83702ec78a3bafedc8242bbded8d3eae3d Mon Sep 17 00:00:00 2001
From: Debarshi Ray
Date: Fri, 17 Jun 2022 02:45:03 +0200
Subject: [PATCH] Update to 1.13.3
While Flatpak should ideally use at least appstream 0.15.3, certain practicalities make it difficult to bump the requirement upstream: https://github.com/flatpak/flatpak/pull/4949 This reverts 8cbbf308540580010cc153aa89d1e9934ec32888 because the downstream patch for gssproxy support doesn't apply anymore and needs to be rebased. Ideally, we shouldn't be in a rush to apply unreviewed patches to Rawhide unless there's some major ongoing crisis.
---
 .gitignore | 1 +
 flatpak-1.13.2-add-gssproxy-support.patch | 118 ----------------------
 flatpak-selinux-permissions.patch | 105 -------------------
 flatpak.spec | 23 +++--
 sources | 2 +-
 5 files changed, 16 insertions(+), 233 deletions(-)
 delete mode 100644 flatpak-1.13.2-add-gssproxy-support.patch
 delete mode 100644 flatpak-selinux-permissions.patch
diff --git a/.gitignore b/.gitignore
index 1c1b1fc..6deb423 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,3 +104,4 @@
 /flatpak-1.12.6.tar.xz
 /flatpak-1.13.1.tar.xz
 /flatpak-1.13.2.tar.xz
+/flatpak-1.13.3.tar.xz
diff --git a/flatpak-1.13.2-add-gssproxy-support.patch b/flatpak-1.13.2-add-gssproxy-support.patch
deleted file mode 100644
index 4881999..0000000
--- a/flatpak-1.13.2-add-gssproxy-support.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 50c12cbeea35590779098e2e01313cc781f91f31 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro
-Date: Thu, 12 May 2022 12:44:59 -0500
-Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
-
-We're using a directory rather than binding a socket directly for
-increased robustness. In theory, if gssproxy crashes on the host, a new
-socket that a new gssproxy process creates should be immediately visible
-inside the sandbox. Nifty.
-
-Previously, applications that wanted to use Kerberos authentication
-would have to punch a sandbox hole for the host's KCM socket. In
-contrast, this gssproxy socket is designed for use by sandboxed apps.
-
-See also: https://github.com/gssapi/gssproxy/issues/45
----
- common/flatpak-run.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index b91be51b..ccf9807b 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -924,6 +924,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
- flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
- }
-
-+static void
-+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
-+{
-+ /* We only expose the gssproxy user service. The gssproxy system service is
-+ * not intended to be exposed to sandboxed environments.
-+ */
-+ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
-+ const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/";
-+
-+ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
-+ flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
-+}
-+
- static void
- flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
- {
-@@ -4561,7 +4574,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
- }
-
- if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
-- flatpak_run_add_resolved_args (bwrap);
-+ {
-+ flatpak_run_add_gssproxy_args (bwrap);
-+ flatpak_run_add_resolved_args (bwrap);
-+ }
-
- flatpak_run_add_journal_args (bwrap);
- add_font_path_args (bwrap);
---
-2.36.1
-
-
-From b4eb25dacbe745b10606adb8b0080c75490e9070 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro
-Date: Mon, 23 May 2022 09:59:48 -0500
-Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
-
-If this environment variable is set on the host, it's going to mess up
-authentication in the sandbox. For example, if the host has:
-
-KRB5CCNAME=KCM:
-
-then the sandboxed process will try to use the host KCM socket, which is
-not available in the sandboxed environment, rather than the gssproxy
-socket that we want it to use. We need to unset it to ensure that
-whatever configuration we ship in the runtime gets used instead. We have
-switched the GNOME runtime to use an empty krb5.conf and it works as
-long as we don't break it with this environment variable meant for the
-host.
----
- common/flatpak-run.c | 4 +++-
- doc/flatpak-run.xml | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index ccf9807b..b66f326c 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -1851,7 +1851,8 @@ static const ExportData default_exports[] = {
- {"XDG_RUNTIME_DIR", NULL},
-
- /* Some env vars are common enough and will affect the sandbox badly
-- if set on the host. We clear these always. */
-+ if set on the host. We clear these always. If updating this list,
-+ also update the list in flatpak-run.xml. */
- {"PYTHONPATH", NULL},
- {"PERLLIB", NULL},
- {"PERL5LIB", NULL},
-@@ -1868,6 +1869,7 @@ static const ExportData default_exports[] = {
- {"GST_PTP_HELPER", NULL},
- {"GST_PTP_HELPER_1_0", NULL},
- {"GST_INSTALL_PLUGINS_HELPER", NULL},
-+ {"KRB5CCNAME", NULL},
- };
-
- static const ExportData no_ld_so_cache_exports[] = {
-diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
-index c1396b07..ca181f32 100644
---- a/doc/flatpak-run.xml
-+++ b/doc/flatpak-run.xml
-@@ -89,6 +89,7 @@
- PERLLIB
- PERL5LIB
- XCURSOR_PATH
-+ KRB5CCNAME
-
-
- Flatpak also overrides the XDG environment variables to point sandboxed applications
---
-2.36.1
-
diff --git a/flatpak-selinux-permissions.patch b/flatpak-selinux-permissions.patch
deleted file mode 100644
index 1234a97..0000000
--- a/flatpak-selinux-permissions.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray
-Date: Tue, 12 Apr 2022 20:28:29 +0200
-Subject: [PATCH 1/3] selinux: Let the system helper have read access to
- /etc/passwd
-
-The system-helper (ie., the `flatpak-system-helper` process) is
-labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
-domain, and needs to be able to read /etc/passwd. This explicitly
-permits it to do so to avoid running into SELinux denials.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2070350
----
- selinux/flatpak.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 2bcc507b725a..871ffa2906cc 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -12,6 +12,8 @@ type flatpak_helper_t;
- type flatpak_helper_exec_t;
- init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
-
-+auth_read_passwd(flatpak_helper_t)
-+
- optional_policy(`
- dbus_stub()
- dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
---
-2.35.1
-
-
-From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray
-Date: Tue, 12 Apr 2022 20:56:06 +0200
-Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
- $libexecdir
-
-The system-helper (ie., the `flatpak-system-helper` process) is
-labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
-domain, and tries to set up an inotify(7) watch on it's own binary so
-that it can exit when the binary is replaced. This explicitly permits
-it to do so to avoid running into SELinux denials.
-
-The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
-and is therefore used conditionally when defined.
-
-[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
- https://github.com/fedora-selinux/selinux-policy/pull/1133
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2053634
----
- selinux/flatpak.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 871ffa2906cc..0bb776314ddb 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
-
- auth_read_passwd(flatpak_helper_t)
-
-+ifdef(`corecmd_watch_bin_dirs',`
-+ corecmd_watch_bin_dirs(flatpak_helper_t)
-+')
-+
- optional_policy(`
- dbus_stub()
- dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
---
-2.35.1
-
-
-From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray
-Date: Tue, 12 Apr 2022 22:33:11 +0200
-Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
-
-It's clearly quite important to have read access to /var/lib/flatpak
-and it's contents. This explicitly permits that to avoid running
-into SELinux denials.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2070741
----
- selinux/flatpak.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 0bb776314ddb..e1fd4377373f 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
- init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
-
- auth_read_passwd(flatpak_helper_t)
-+files_list_var_lib(flatpak_helper_t)
-+files_read_var_lib_files(flatpak_helper_t)
-
- ifdef(`corecmd_watch_bin_dirs',`
- corecmd_watch_bin_dirs(flatpak_helper_t)
---
-2.35.1
-
diff --git a/flatpak.spec b/flatpak.spec
index 5862acf..a022abd 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -1,10 +1,12 @@
-%global appstream_version 0.14.0
+%global appstream_version 0.15.3
 %global bubblewrap_version 0.5.0
+%global glib_version 2.46.0
+%global libcurl_version 7.29.0
 %global ostree_version 2020.8
 Name: flatpak
-Version: 1.13.2
-Release: 4%{?dist}
+Version: 1.13.3
+Release: 1%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
@@ -20,20 +22,16 @@ Source1: flatpak-add-fedora-repos.service
 # with the config from upstream sources.
 Source2: flatpak.sysusers.conf
-Patch0: flatpak-selinux-permissions.patch
-# https://github.com/flatpak/flatpak/pull/4914
-Patch1: flatpak-1.13.2-add-gssproxy-support.patch
-
 BuildRequires: pkgconfig(appstream) >= %{appstream_version}
 BuildRequires: pkgconfig(dconf)
 BuildRequires: pkgconfig(fuse)
 BuildRequires: pkgconfig(gdk-pixbuf-2.0)
-BuildRequires: pkgconfig(gio-unix-2.0)
+BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
 BuildRequires: pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(libarchive) >= 2.8.0
 BuildRequires: pkgconfig(libseccomp)
-BuildRequires: pkgconfig(libsoup-2.4)
+BuildRequires: pkgconfig(libcurl) >= %{libcurl_version}
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(libxml-2.0) >= 2.4
 BuildRequires: pkgconfig(libzstd) >= 0.8.1
@@ -57,6 +55,8 @@ BuildRequires: /usr/bin/xsltproc
 Requires: appstream%{?_isa} >= %{appstream_version}
 Requires: bubblewrap >= %{bubblewrap_version}
+Requires: glib2%{?_isa} >= %{glib_version}
+Requires: libcurl%{?_isa} >= %{libcurl_version}
 Requires: librsvg2%{?_isa}
 Requires: ostree-libs%{?_isa} >= %{ostree_version}
 Requires: /usr/bin/xdg-dbus-proxy
@@ -143,6 +143,7 @@ This package contains installed tests for %{name}.
 --enable-docbook-docs \
 --enable-installed-tests \
 --enable-selinux-module \
+ --with-curl \
 --with-priv-mode=none \
 --with-system-bubblewrap \
 --with-system-dbus-proxy \
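Review bot: Removing `Patch0: flatpak-selinux-permissions.patch` in the `@@ -20,20 +22,16 @@` hunk is not accounted for: the commit message and the new %changelog entry explain only the gssproxy revert. The deleted patch carried three policy additions for flatpak_helper_t (`auth_read_passwd`, the conditional `corecmd_watch_bin_dirs`, and the /var/lib list/read rules), each tied to a Bugzilla report of SELinux denials, so if the 1.13.3 tarball does not already contain them the system helper would run into those denials again. Presumably they were merged upstream; if so, record it with a changelog line such as `- Drop flatpak-selinux-permissions.patch, included in 1.13.3`, and otherwise keep the patch.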
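Review bot: The `--with-curl` flag added in the `@@ -143,6 +143,7 @@` hunk, together with the `pkgconfig(libsoup-2.4)` to `pkgconfig(libcurl)` swap in the BuildRequires hunk, changes which HTTP library flatpak is built against, yet nothing in the %changelog records it. A different client library can mean different TLS, proxy and certificate-store behaviour when fetching from remotes, which is worth being able to trace to a specific release; a line such as `- Build against libcurl instead of libsoup` would cover it. The configure invocation starts and ends outside the hunk.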
@@ -270,6 +271,10 @@ fi
 %changelog
+* Fri Jun 17 2022 Debarshi Ray - 1.13.3-1
+- Update to 1.13.3
+- Remove downstream patch for gssproxy support until it gets rebased
+
 * Tue Jun 07 2022 David King - 1.13.2-4
 - Add gssproxy support
diff --git a/sources b/sources
index 600232d..68694ed 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (flatpak-1.13.2.tar.xz) = d7e1d0a9965332220f829caa5724d7547280db10f7428b4e9add87152da1d7dad97edcde85668501d5a50e6a7c1031bfd15e8f4cbc7196e1c0f7cc3d2e333fe1
+SHA512 (flatpak-1.13.3.tar.xz) = 8aeef0b0c00a958b04d3d40b9bc6fa6afd3b4875fea6aa4a64ed1fe4e5e67a6e17543fa42e20d7e0e99e22d26821fb392849206f27f1ee7c6cf4c78f8aed2cfe