From 684f7eba6bec0d1638983fdd94d41862938fa530 Mon Sep 17 00:00:00 2001
From: David King
Date: Wed, 14 Dec 2022 12:22:38 +0000
Subject: [PATCH] Update to 1.15.1
---
 .gitignore | 1 +
 flatpak-1.13.3-add-gssproxy-support.patch | 116 ----------------------
 flatpak-1.15.1-install-selinux.patch | 51 ++++++++++
 flatpak.spec | 38 ++++---
 sources | 2 +-
 5 files changed, 70 insertions(+), 138 deletions(-)
 delete mode 100644 flatpak-1.13.3-add-gssproxy-support.patch
 create mode 100644 flatpak-1.15.1-install-selinux.patch
diff --git a/.gitignore b/.gitignore
index e9fb9a9..7eb9cb4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,3 +107,4 @@
 /flatpak-1.13.3.tar.xz
 /flatpak-1.14.0.tar.xz
 /flatpak-1.14.1.tar.xz
+/flatpak-1.15.1.tar.xz
diff --git a/flatpak-1.13.3-add-gssproxy-support.patch b/flatpak-1.13.3-add-gssproxy-support.patch
deleted file mode 100644
index 3e22d45..0000000
--- a/flatpak-1.13.3-add-gssproxy-support.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From b9f4200b9674638ee2879db568e30219e81d5ed8 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro
-Date: Thu, 12 May 2022 12:44:59 -0500
-Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
-
-We're using a directory rather than binding a socket directly for
-increased robustness. In theory, if gssproxy crashes on the host, a new
-socket that a new gssproxy process creates should be immediately visible
-inside the sandbox. Nifty.
-
-Previously, applications that wanted to use Kerberos authentication
-would have to punch a sandbox hole for the host's KCM socket. In
-contrast, this gssproxy socket is designed for use by sandboxed apps.
-
-See also: https://github.com/gssapi/gssproxy/issues/45
---
- common/flatpak-run.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index bf85f47c..3ec007cf 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -955,6 +955,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
- flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
- }
-
-+static void
-+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
-+{
-+ /* We only expose the gssproxy user service. The gssproxy system service is
-+ * not intended to be exposed to sandboxed environments.
-+ */
-+ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
-+ const char *gssproxy_sandboxed_dir = "/run/flatpak/gssproxy/";
-+
-+ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
-+ flatpak_bwrap_add_args (bwrap, "--ro-bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
-+}
-+
- static void
- flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
- {
-@@ -4611,7 +4624,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
- }
-
- if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
-- flatpak_run_add_resolved_args (bwrap);
-+ {
-+ flatpak_run_add_gssproxy_args (bwrap);
-+ flatpak_run_add_resolved_args (bwrap);
-+ }
-
- flatpak_run_add_journal_args (bwrap);
- add_font_path_args (bwrap);
---
-2.37.3
-
-From 9e32923a46ffd336dffc4fa7c7a1ee05ae2d39ae Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro
-Date: Mon, 23 May 2022 09:59:48 -0500
-Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
-
-If this environment variable is set on the host, it's going to mess up
-authentication in the sandbox. For example, if the host has:
-
-KRB5CCNAME=KCM:
-
-then the sandboxed process will try to use the host KCM socket, which is
-not available in the sandboxed environment, rather than the gssproxy
-socket that we want it to use. We need to unset it to ensure that
-whatever configuration we ship in the runtime gets used instead. We have
-switched the GNOME runtime to use an empty krb5.conf and it works as
-long as we don't break it with this environment variable meant for the
-host.
----
- common/flatpak-run.c | 4 +++-
- doc/flatpak-run.xml | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 3ec007cf..b650be46 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -1887,7 +1887,8 @@ static const ExportData default_exports[] = {
- {"XDG_RUNTIME_DIR", NULL},
-
- /* Some env vars are common enough and will affect the sandbox badly
-- if set on the host. We clear these always. */
-+ if set on the host. We clear these always. If updating this list,
-+ also update the list in flatpak-run.xml. */
- {"PYTHONPATH", NULL},
- {"PERLLIB", NULL},
- {"PERL5LIB", NULL},
-@@ -1904,6 +1905,7 @@ static const ExportData default_exports[] = {
- {"GST_PTP_HELPER", NULL},
- {"GST_PTP_HELPER_1_0", NULL},
- {"GST_INSTALL_PLUGINS_HELPER", NULL},
-+ {"KRB5CCNAME", NULL},
- };
-
- static const ExportData no_ld_so_cache_exports[] = {
-diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
-index e1aa5e1c..77cd3ad0 100644
---- a/doc/flatpak-run.xml
-+++ b/doc/flatpak-run.xml
-@@ -97,6 +97,7 @@
- PERLLIB
- PERL5LIB
- XCURSOR_PATH
-+ KRB5CCNAME
-
-
- Also several environment variables with the prefix "GST_" that are used by gstreamer
---
-2.37.3
diff --git a/flatpak-1.15.1-install-selinux.patch b/flatpak-1.15.1-install-selinux.patch
new file mode 100644
index 0000000..782e7aa
--- /dev/null
+++ b/flatpak-1.15.1-install-selinux.patch
@@ -0,0 +1,51 @@
+From 48f7921a0818356e7d7d694bbc3aeef620667cda Mon Sep 17 00:00:00 2001
+From: David King
+Date: Wed, 14 Dec 2022 11:17:31 +0000
+Subject: [PATCH 1/2] selinux: Install when using meson
+
+With custom_target, providing build_by_default is not enough to install
+the output, which must be explicitly requested.
+---
+ selinux/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/meson.build b/selinux/meson.build
+index 0c3174bf..7dfa79d6 100644
+--- a/selinux/meson.build
++++ b/selinux/meson.build
+@@ -11,6 +11,7 @@ custom_target(
+ '@OUTPUT0@',
+ '@INPUT@',
+ ],
++ install : true,
+ install_dir : get_option('datadir') / 'selinux' / 'packages',
+ )
+
+--
+2.38.1
+
+
+From f8aca54c5556463b2b42a4e8f48c005f661b86ec Mon Sep 17 00:00:00 2001
+From: David King
+Date: Wed, 14 Dec 2022 17:26:54 +0000
+Subject: [PATCH 2/2] selinux: Install to previous location
+
+Install flatpak.if to the same location for Autotools and meson.
+---
+ selinux/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selinux/meson.build b/selinux/meson.build
+index 7dfa79d6..238a46f1 100644
+--- a/selinux/meson.build
++++ b/selinux/meson.build
+@@ -17,5 +17,5 @@ custom_target(
+
+ install_data(
+ 'flatpak.if',
+- install_dir : get_option('datadir') / 'selinux' / 'include' / 'contrib',
++ install_dir : get_option('datadir') / 'selinux' / 'devel' / 'include' / 'contrib',
+ )
+--
+2.38.1
+
diff --git a/flatpak.spec b/flatpak.spec
index 448a478..71bc8dc 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -5,12 +5,12 @@
 %global ostree_version 2020.8
 Name: flatpak
-Version: 1.14.1
+Version: 1.15.1
 Release: 1%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
-URL: http://flatpak.org/
+URL: https://flatpak.org/
 Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
 %if 0%{?fedora}
@@ -22,12 +22,12 @@ Source1: flatpak-add-fedora-repos.service
 # with the config from upstream sources.
 Source2: flatpak.sysusers.conf
-# https://github.com/flatpak/flatpak/pull/4914
-Patch0: flatpak-1.13.3-add-gssproxy-support.patch
+# https://github.com/flatpak/flatpak/pull/5217
+Patch0: flatpak-1.15.1-install-selinux.patch
 BuildRequires: pkgconfig(appstream) >= %{appstream_version}
 BuildRequires: pkgconfig(dconf)
-BuildRequires: pkgconfig(fuse)
+BuildRequires: pkgconfig(fuse3)
 BuildRequires: pkgconfig(gdk-pixbuf-2.0)
 BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
@@ -42,7 +42,6 @@ BuildRequires: pkgconfig(malcontent-0)
 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
 BuildRequires: pkgconfig(polkit-gobject-1)
 BuildRequires: pkgconfig(xau)
-BuildRequires: autoconf automake libtool
 BuildRequires: bison
 BuildRequires: bubblewrap >= %{bubblewrap_version}
 BuildRequires: docbook-dtds
@@ -51,9 +50,12 @@ BuildRequires: gettext-devel
 BuildRequires: gpgme-devel
 BuildRequires: gtk-doc
 BuildRequires: libcap-devel
+BuildRequires: meson
 BuildRequires: python3-pyparsing
 BuildRequires: systemd
 BuildRequires: systemd-rpm-macros
+BuildRequires: /usr/bin/pkcheck
+BuildRequires: /usr/bin/socat
 BuildRequires: /usr/bin/xdg-dbus-proxy
 BuildRequires: /usr/bin/xmlto
 BuildRequires: /usr/bin/xsltproc
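Review bot: Replacing Patch0 drops the downstream gssproxy patch that bound the user gssproxy socket directory into the sandbox and cleared KRB5CCNAME from the sandbox environment, and neither the new Patch0 comment nor the commit message says whether 1.15.1 already carries upstream PR 4914. If it does, a comment above Patch0 such as `# gssproxy/KRB5CCNAME handling (PR 4914) is upstream as of 1.15.1` would stop a future update from re-adding it; if it does not, Kerberos-using apps lose that environment scrubbing with this update and the changelog should say so. The fuse to fuse3 BuildRequires switch in the same hunk is plausible for the new upstream release but is likewise undocumented here.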
@@ -142,24 +144,15 @@ This package contains installed tests for %{name}.
 %build
-rm configure
-(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
- # Generate consistent IDs between runs to avoid multilib problems.
- export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
- %configure \
- --enable-docbook-docs \
- --enable-installed-tests \
- --enable-selinux-module \
- --with-curl \
- --with-priv-mode=none \
- --with-system-bubblewrap \
- --with-system-dbus-proxy \
- $CONFIGFLAGS)
-%make_build V=1
+%meson \
+ -Dinstalled_tests=true \
+ -Dsystem_bubblewrap=/usr/bin/bwrap \
+ -Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy
+%meson_build
 %install
-%make_install
+%meson_install
 install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
 # The system repo is not installed by the flatpak build system.
 install -d %{buildroot}%{_localstatedir}/lib/flatpak
@@ -279,6 +272,9 @@ fi
 %changelog
+* Tue Dec 13 2022 David King - 1.15.1-1
+- Update to 1.15.1
+
 * Thu Dec 08 2022 David King - 1.14.1-1
 - Update to 1.14.1 (#2151850)
diff --git a/sources b/sources
index e13d1d7..30e8e83 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (flatpak-1.14.1.tar.xz) = 1f22622b9a797b644b5fe9d26c3c4ec3f6b1a3b81a12d498e5aeeecb1a965c9aaa5c1d18843c938f116855bbbed3a8d9866997440f86241abe70eae13be7cdcb
+SHA512 (flatpak-1.15.1.tar.xz) = 807bc318d13882aa20d43282204661b02853464a88544588f1692bce675ade9d0ebb74b29fa6d243f0cd77f5fe725879db0baf7bf0169d30a9fe69b5df3d4b52
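Review bot: The new %meson invocation passes only installed_tests, system_bubblewrap and system_dbus_proxy, while the removed %configure line explicitly requested `--enable-selinux-module`, `--with-curl`, `--with-priv-mode=none`, `--enable-docbook-docs` and gtk-doc, so those now depend on meson defaults and auto-detection. For the SELinux policy module that matters most: an auto-detected feature is silently skipped when the policy toolchain is absent from the buildroot, and this update adds a patch purely to get that module installed, so it should be requested explicitly, e.g. `-Dselinux_module=enabled \` beside `-Dinstalled_tests=true`, so a missing dependency fails the build instead of shipping a package without its policy (confirm the option name against the 1.15.1 meson_options.txt). The HTTP backend and privilege-mode settings have no visible meson equivalent here and should be checked rather than assumed to match the old flags. The dropped `export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"` existed to avoid multilib conflicts in generated docs; if the meson docs still go through xmlto it should be re-exported before %meson_build.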