Update to 1.15.1

2022-12-14 12:22:38 +00:00 · 2022-12-14 12:22:38 +00:00 · 684f7eba6b
commit 684f7eba6b
parent 7681d5d489
5 changed files with 70 additions and 138 deletions
--- a/.gitignore
+++ b/.gitignore
@ -107,3 +107,4 @@
 /flatpak-1.13.3.tar.xz
 /flatpak-1.14.0.tar.xz
 /flatpak-1.14.1.tar.xz
+/flatpak-1.15.1.tar.xz
--- a/flatpak-1.13.3-add-gssproxy-support.patch
+++ b/flatpak-1.13.3-add-gssproxy-support.patch
@ -1,116 +0,0 @@
-From b9f4200b9674638ee2879db568e30219e81d5ed8 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Thu, 12 May 2022 12:44:59 -0500
-Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
-
-We're using a directory rather than binding a socket directly for
-increased robustness. In theory, if gssproxy crashes on the host, a new
-socket that a new gssproxy process creates should be immediately visible
-inside the sandbox. Nifty.
-
-Previously, applications that wanted to use Kerberos authentication
-would have to punch a sandbox hole for the host's KCM socket. In
-contrast, this gssproxy socket is designed for use by sandboxed apps.
-
-See also: https://github.com/gssapi/gssproxy/issues/45
---
- common/flatpak-run.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index bf85f47c..3ec007cf 100644
--- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -955,6 +955,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap         *bwrap,
-     flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
- }
- 
-+static void
-+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
-+{
-+  /* We only expose the gssproxy user service. The gssproxy system service is
-+   * not intended to be exposed to sandboxed environments.
-+   */
-+  g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
-+  const char *gssproxy_sandboxed_dir = "/run/flatpak/gssproxy/";
-+
-+  if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
-+    flatpak_bwrap_add_args (bwrap, "--ro-bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
-+}
-+
- static void
- flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
- {
-@@ -4611,7 +4624,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
-     }
- 
-   if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
-    flatpak_run_add_resolved_args (bwrap);
-+    {
-+      flatpak_run_add_gssproxy_args (bwrap);
-+      flatpak_run_add_resolved_args (bwrap);
-+    }
- 
-   flatpak_run_add_journal_args (bwrap);
-   add_font_path_args (bwrap);
-- 
-2.37.3
-
-From 9e32923a46ffd336dffc4fa7c7a1ee05ae2d39ae Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Mon, 23 May 2022 09:59:48 -0500
-Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
-
-If this environment variable is set on the host, it's going to mess up
-authentication in the sandbox. For example, if the host has:
-
-KRB5CCNAME=KCM:
-
-then the sandboxed process will try to use the host KCM socket, which is
-not available in the sandboxed environment, rather than the gssproxy
-socket that we want it to use. We need to unset it to ensure that
-whatever configuration we ship in the runtime gets used instead. We have
-switched the GNOME runtime to use an empty krb5.conf and it works as
-long as we don't break it with this environment variable meant for the
-host.
---
- common/flatpak-run.c | 4 +++-
- doc/flatpak-run.xml  | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 3ec007cf..b650be46 100644
--- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -1887,7 +1887,8 @@ static const ExportData default_exports[] = {
-   {"XDG_RUNTIME_DIR", NULL},
- 
-   /* Some env vars are common enough and will affect the sandbox badly
-     if set on the host. We clear these always. */
-+     if set on the host. We clear these always. If updating this list,
-+     also update the list in flatpak-run.xml. */
-   {"PYTHONPATH", NULL},
-   {"PERLLIB", NULL},
-   {"PERL5LIB", NULL},
-@@ -1904,6 +1905,7 @@ static const ExportData default_exports[] = {
-   {"GST_PTP_HELPER", NULL},
-   {"GST_PTP_HELPER_1_0", NULL},
-   {"GST_INSTALL_PLUGINS_HELPER", NULL},
-+  {"KRB5CCNAME", NULL},
- };
- 
- static const ExportData no_ld_so_cache_exports[] = {
-diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
-index e1aa5e1c..77cd3ad0 100644
--- a/doc/flatpak-run.xml
-+++ b/doc/flatpak-run.xml
-@@ -97,6 +97,7 @@
-             <member>PERLLIB</member>
-             <member>PERL5LIB</member>
-             <member>XCURSOR_PATH</member>
-+            <member>KRB5CCNAME</member>
-         </simplelist>
-         <para>
-             Also several environment variables with the prefix "GST_" that are used by gstreamer
-- 
-2.37.3
--- a/flatpak-1.15.1-install-selinux.patch
+++ b/flatpak-1.15.1-install-selinux.patch
@ -0,0 +1,51 @@
+From 48f7921a0818356e7d7d694bbc3aeef620667cda Mon Sep 17 00:00:00 2001
+From: David King <amigadave@amigadave.com>
+Date: Wed, 14 Dec 2022 11:17:31 +0000
+Subject: [PATCH 1/2] selinux: Install when using meson
+
+With custom_target, providing build_by_default is not enough to install
+the output, which must be explicitly requested.
+---
+ selinux/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/meson.build b/selinux/meson.build
+index 0c3174bf..7dfa79d6 100644
+--- a/selinux/meson.build
+++ b/selinux/meson.build
+@@ -11,6 +11,7 @@ custom_target(
+     '@OUTPUT0@',
+     '@INPUT@',
+   ],
+  install : true,
+   install_dir : get_option('datadir') / 'selinux' / 'packages',
+ )
+ 
+-- 
+2.38.1
+
+
+From f8aca54c5556463b2b42a4e8f48c005f661b86ec Mon Sep 17 00:00:00 2001
+From: David King <amigadave@amigadave.com>
+Date: Wed, 14 Dec 2022 17:26:54 +0000
+Subject: [PATCH 2/2] selinux: Install to previous location
+
+Install flatpak.if to the same location for Autotools and meson.
+---
+ selinux/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selinux/meson.build b/selinux/meson.build
+index 7dfa79d6..238a46f1 100644
+--- a/selinux/meson.build
+++ b/selinux/meson.build
+@@ -17,5 +17,5 @@ custom_target(
+ 
+ install_data(
+   'flatpak.if',
+-  install_dir : get_option('datadir') / 'selinux' / 'include' / 'contrib',
+  install_dir : get_option('datadir') / 'selinux' / 'devel' / 'include' / 'contrib',
+ )
+-- 
+2.38.1
+
--- a/flatpak.spec
+++ b/flatpak.spec
@ -5,12 +5,12 @@
 %global ostree_version 2020.8

 Name:           flatpak
-Version:        1.14.1
+Version:        1.15.1
 Release:        1%{?dist}
 Summary:        Application deployment framework for desktop apps

 License:        LGPLv2+
-URL:            http://flatpak.org/
+URL:            https://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz

 %if 0%{?fedora}
@ -22,12 +22,12 @@ Source1:        flatpak-add-fedora-repos.service
 # with the config from upstream sources.
 Source2:        flatpak.sysusers.conf

-# https://github.com/flatpak/flatpak/pull/4914
-Patch0:         flatpak-1.13.3-add-gssproxy-support.patch
+# https://github.com/flatpak/flatpak/pull/5217
+Patch0:         flatpak-1.15.1-install-selinux.patch

 BuildRequires:  pkgconfig(appstream) >= %{appstream_version}
 BuildRequires:  pkgconfig(dconf)
-BuildRequires:  pkgconfig(fuse)
+BuildRequires:  pkgconfig(fuse3)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
 BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 1.40.0
@ -42,7 +42,6 @@ BuildRequires:  pkgconfig(malcontent-0)
 BuildRequires:  pkgconfig(ostree-1) >= %{ostree_version}
 BuildRequires:  pkgconfig(polkit-gobject-1)
 BuildRequires:  pkgconfig(xau)
-BuildRequires:  autoconf automake libtool
 BuildRequires:  bison
 BuildRequires:  bubblewrap >= %{bubblewrap_version}
 BuildRequires:  docbook-dtds
@ -51,9 +50,12 @@ BuildRequires:  gettext-devel
 BuildRequires:  gpgme-devel
 BuildRequires:  gtk-doc
 BuildRequires:  libcap-devel
+BuildRequires:  meson
 BuildRequires:  python3-pyparsing
 BuildRequires:  systemd
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  /usr/bin/pkcheck
+BuildRequires:  /usr/bin/socat
 BuildRequires:  /usr/bin/xdg-dbus-proxy
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
@ -142,24 +144,15 @@ This package contains installed tests for %{name}.


 %build
-rm configure
-(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
- # Generate consistent IDs between runs to avoid multilib problems.
- export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
- %configure \
-            --enable-docbook-docs \
-            --enable-installed-tests \
-            --enable-selinux-module \
-            --with-curl \
-            --with-priv-mode=none \
-            --with-system-bubblewrap \
-            --with-system-dbus-proxy \
-            $CONFIGFLAGS)
-%make_build V=1
+%meson \
+    -Dinstalled_tests=true \
+    -Dsystem_bubblewrap=/usr/bin/bwrap \
+    -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy
+%meson_build


 %install
-%make_install
+%meson_install
 install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
 # The system repo is not installed by the flatpak build system.
 install -d %{buildroot}%{_localstatedir}/lib/flatpak
@ -279,6 +272,9 @@ fi


 %changelog
+* Tue Dec 13 2022 David King <amigadave@amigadave.com> - 1.15.1-1
+- Update to 1.15.1
+
 * Thu Dec 08 2022 David King <amigadave@amigadave.com> - 1.14.1-1
 - Update to 1.14.1 (#2151850)

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (flatpak-1.14.1.tar.xz) = 1f22622b9a797b644b5fe9d26c3c4ec3f6b1a3b81a12d498e5aeeecb1a965c9aaa5c1d18843c938f116855bbbed3a8d9866997440f86241abe70eae13be7cdcb
+SHA512 (flatpak-1.15.1.tar.xz) = 807bc318d13882aa20d43282204661b02853464a88544588f1692bce675ade9d0ebb74b29fa6d243f0cd77f5fe725879db0baf7bf0169d30a9fe69b5df3d4b52