import flatpak-1.8.5-2.el8
This commit is contained in:
parent
27ebb4221c
commit
7b337a111f
@ -1 +1 @@
|
|||||||
6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz
|
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/flatpak-1.6.2.tar.xz
|
SOURCES/flatpak-1.8.5.tar.xz
|
||||||
|
@ -1,161 +0,0 @@
|
|||||||
diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c
|
|
||||||
--- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000
|
|
||||||
+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000
|
|
||||||
@@ -901,6 +901,7 @@
|
|
||||||
|
|
||||||
static char *
|
|
||||||
get_token_for_www_auth (FlatpakOciRegistry *self,
|
|
||||||
+ const char *repository,
|
|
||||||
const char *www_authenticate,
|
|
||||||
const char *auth,
|
|
||||||
GCancellable *cancellable,
|
|
||||||
@@ -911,6 +912,7 @@
|
|
||||||
g_autoptr(GHashTable) params = NULL;
|
|
||||||
g_autoptr(GHashTable) args = NULL;
|
|
||||||
const char *realm, *service, *scope, *token;
|
|
||||||
+ g_autofree char *default_scope = NULL;
|
|
||||||
g_autoptr(SoupURI) auth_uri = NULL;
|
|
||||||
g_autoptr(GBytes) body = NULL;
|
|
||||||
g_autoptr(JsonNode) json = NULL;
|
|
||||||
@@ -941,16 +943,21 @@
|
|
||||||
service = g_hash_table_lookup (params, "service");
|
|
||||||
if (service)
|
|
||||||
g_hash_table_insert (args, "service", (char *)service);
|
|
||||||
+
|
|
||||||
scope = g_hash_table_lookup (params, "scope");
|
|
||||||
- if (scope)
|
|
||||||
- g_hash_table_insert (args, "scope", (char *)scope);
|
|
||||||
+ if (scope == NULL)
|
|
||||||
+ scope = default_scope = g_strdup_printf("repository:%s:pull", repository);
|
|
||||||
+ g_hash_table_insert (args, "scope", (char *)scope);
|
|
||||||
|
|
||||||
soup_uri_set_query_from_form (auth_uri, args);
|
|
||||||
|
|
||||||
auth_msg = soup_message_new_from_uri ("GET", auth_uri);
|
|
||||||
|
|
||||||
- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
|
|
||||||
- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
|
|
||||||
+ if (auth)
|
|
||||||
+ {
|
|
||||||
+ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
|
|
||||||
+ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error);
|
|
||||||
if (auth_stream == NULL)
|
|
||||||
@@ -1030,7 +1037,7 @@
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error);
|
|
||||||
+ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error);
|
|
||||||
if (token == NULL)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c
|
|
||||||
--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000
|
|
||||||
+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000
|
|
||||||
@@ -428,10 +428,12 @@
|
|
||||||
g_autoptr(GError) error = NULL;
|
|
||||||
g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL;
|
|
||||||
const char *auth = NULL;
|
|
||||||
+ gboolean have_auth;
|
|
||||||
const char *oci_registry_uri = NULL;
|
|
||||||
gsize n_refs, i;
|
|
||||||
gboolean no_interaction = FALSE;
|
|
||||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
|
||||||
+ g_autofree char *first_token = NULL;
|
|
||||||
GVariantBuilder tokens;
|
|
||||||
GVariantBuilder results;
|
|
||||||
g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
|
|
||||||
@@ -439,6 +441,7 @@
|
|
||||||
g_debug ("handling Authenticator.RequestRefTokens");
|
|
||||||
|
|
||||||
g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth);
|
|
||||||
+ have_auth = auth != NULL;
|
|
||||||
|
|
||||||
if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri))
|
|
||||||
{
|
|
||||||
@@ -476,18 +479,33 @@
|
|
||||||
return error_request (request, sender, error->message);
|
|
||||||
|
|
||||||
|
|
||||||
- if (auth == NULL)
|
|
||||||
+ /* Look up credentials in config files */
|
|
||||||
+ if (!have_auth)
|
|
||||||
{
|
|
||||||
g_debug ("Looking for %s in auth info", oci_registry_uri);
|
|
||||||
auth = lookup_auth_from_config (oci_registry_uri);
|
|
||||||
+ have_auth = auth != NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Try to see if we can get a token without presenting credentials */
|
|
||||||
n_refs = g_variant_n_children (arg_refs);
|
|
||||||
- if (auth == NULL && n_refs > 0 &&
|
|
||||||
+ if (!have_auth && n_refs > 0)
|
|
||||||
+ {
|
|
||||||
+ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
|
|
||||||
+
|
|
||||||
+ first_token = get_token_for_ref (registry, ref_data, NULL, &error);
|
|
||||||
+ if (first_token != NULL)
|
|
||||||
+ have_auth = TRUE;
|
|
||||||
+ else
|
|
||||||
+ g_clear_error (&error);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Prompt the user for credentials */
|
|
||||||
+ n_refs = g_variant_n_children (arg_refs);
|
|
||||||
+ if (!have_auth && n_refs > 0 &&
|
|
||||||
!no_interaction)
|
|
||||||
{
|
|
||||||
g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
|
|
||||||
- g_autofree char *token = NULL;
|
|
||||||
|
|
||||||
while (auth == NULL)
|
|
||||||
{
|
|
||||||
@@ -498,13 +516,21 @@
|
|
||||||
if (test_auth == NULL)
|
|
||||||
return cancel_request (request, sender);
|
|
||||||
|
|
||||||
- token = get_token_for_ref (registry, ref_data, test_auth, &error);
|
|
||||||
- if (token != NULL)
|
|
||||||
- auth = g_steal_pointer (&test_auth);
|
|
||||||
+ first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
|
|
||||||
+ if (first_token != NULL)
|
|
||||||
+ {
|
|
||||||
+ auth = g_steal_pointer (&test_auth);
|
|
||||||
+ have_auth = TRUE;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ g_debug ("Failed to get token: %s", error->message);
|
|
||||||
+ g_clear_error (&error);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (auth == NULL)
|
|
||||||
+ if (!have_auth)
|
|
||||||
return error_request (request, sender, "No authentication information available");
|
|
||||||
|
|
||||||
g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));
|
|
||||||
@@ -515,9 +541,16 @@
|
|
||||||
char *for_refs_strv[2] = { NULL, NULL};
|
|
||||||
g_autofree char *token = NULL;
|
|
||||||
|
|
||||||
- token = get_token_for_ref (registry, ref_data, auth, &error);
|
|
||||||
- if (token == NULL)
|
|
||||||
- return error_request (request, sender, error->message);
|
|
||||||
+ if (i == 0 && first_token != NULL)
|
|
||||||
+ {
|
|
||||||
+ token = g_steal_pointer (&first_token);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ token = get_token_for_ref (registry, ref_data, auth, &error);
|
|
||||||
+ if (token == NULL)
|
|
||||||
+ return error_request (request, sender, error->message);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]);
|
|
||||||
g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv);
|
|
@ -1,322 +0,0 @@
|
|||||||
From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 4 May 2020 13:00:35 +0200
|
|
||||||
Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when
|
|
||||||
authenticating
|
|
||||||
|
|
||||||
Without this I got for the fedora registry:
|
|
||||||
|
|
||||||
```
|
|
||||||
getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a
|
|
||||||
F: Anonymous authentication failed: Unexpected response status 404 from repo
|
|
||||||
```
|
|
||||||
|
|
||||||
(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054)
|
|
||||||
---
|
|
||||||
common/flatpak-oci-registry.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
|
||||||
index 2505771ee..ae363bc1a 100644
|
|
||||||
--- a/common/flatpak-oci-registry.c
|
|
||||||
+++ b/common/flatpak-oci-registry.c
|
|
||||||
@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self,
|
|
||||||
|
|
||||||
msg = soup_message_new_from_uri ("HEAD", uri);
|
|
||||||
|
|
||||||
+ soup_message_headers_replace (msg->request_headers, "Accept",
|
|
||||||
+ FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2);
|
|
||||||
+
|
|
||||||
stream = soup_session_send (self->soup_session, msg, NULL, error);
|
|
||||||
if (stream == NULL)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 4 May 2020 12:35:16 +0200
|
|
||||||
Subject: [PATCH 2/7] By default, always try to auth to OCI remotes
|
|
||||||
|
|
||||||
This makes for instance docker hub work.
|
|
||||||
|
|
||||||
(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe)
|
|
||||||
---
|
|
||||||
common/flatpak-auth.c | 4 ++++
|
|
||||||
common/flatpak-dir.c | 5 +++++
|
|
||||||
2 files changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c
|
|
||||||
index 9d0f689fc..9e45da41e 100644
|
|
||||||
--- a/common/flatpak-auth.c
|
|
||||||
+++ b/common/flatpak-auth.c
|
|
||||||
@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir,
|
|
||||||
if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error))
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (name == NULL && flatpak_dir_get_remote_oci (dir, remote))
|
|
||||||
+ name = g_strdup ("org.flatpak.Authenticator.Oci");
|
|
||||||
+
|
|
||||||
if (name == NULL || *name == 0 /* or if no repo */)
|
|
||||||
{
|
|
||||||
flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote);
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index 2c8e12eaf..19de4fd38 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir *self,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (flatpak_dir_get_remote_oci (self, remote_or_uri))
|
|
||||||
+ {
|
|
||||||
+ state->default_token_type = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (state->collection_id == NULL)
|
|
||||||
{
|
|
||||||
if (state->summary != NULL) /* In the optional case we might not have a summary */
|
|
||||||
|
|
||||||
From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Fri, 8 May 2020 15:09:02 +0200
|
|
||||||
Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local()
|
|
||||||
|
|
||||||
(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637)
|
|
||||||
---
|
|
||||||
common/flatpak-oci-registry-private.h | 1 +
|
|
||||||
common/flatpak-oci-registry.c | 6 ++++++
|
|
||||||
2 files changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h
|
|
||||||
index 1804e43b6..6745c5f65 100644
|
|
||||||
--- a/common/flatpak-oci-registry-private.h
|
|
||||||
+++ b/common/flatpak-oci-registry-private.h
|
|
||||||
@@ -62,6 +62,7 @@ FlatpakOciRegistry * flatpak_oci_registry_new (const char *uri,
|
|
||||||
GError **error);
|
|
||||||
void flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
|
|
||||||
const char *token);
|
|
||||||
+gboolean flatpak_oci_registry_is_local (FlatpakOciRegistry *self);
|
|
||||||
const char * flatpak_oci_registry_get_uri (FlatpakOciRegistry *self);
|
|
||||||
FlatpakOciIndex * flatpak_oci_registry_load_index (FlatpakOciRegistry *self,
|
|
||||||
GCancellable *cancellable,
|
|
||||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
|
||||||
index ae363bc1a..fdeee56bd 100644
|
|
||||||
--- a/common/flatpak-oci-registry.c
|
|
||||||
+++ b/common/flatpak-oci-registry.c
|
|
||||||
@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self)
|
|
||||||
self->tmp_dfd = -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+gboolean
|
|
||||||
+flatpak_oci_registry_is_local (FlatpakOciRegistry *self)
|
|
||||||
+{
|
|
||||||
+ return self->dfd != -1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
const char *
|
|
||||||
flatpak_oci_registry_get_uri (FlatpakOciRegistry *self)
|
|
||||||
{
|
|
||||||
|
|
||||||
From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Fri, 8 May 2020 15:10:38 +0200
|
|
||||||
Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to
|
|
||||||
system-helper
|
|
||||||
|
|
||||||
When we create a system child registry we also set the current token on
|
|
||||||
it. This is not used directly in the client, however its saved in a
|
|
||||||
file called .token and re-read in the system-helper, allowing it to
|
|
||||||
also do the remote registry operations it needs to verify the child
|
|
||||||
registry.
|
|
||||||
|
|
||||||
(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d)
|
|
||||||
---
|
|
||||||
common/flatpak-dir.c | 8 ++++++--
|
|
||||||
common/flatpak-oci-registry.c | 15 +++++++++++++++
|
|
||||||
2 files changed, 21 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
||||||
index 19de4fd38..25f874ecf 100644
|
|
||||||
--- a/common/flatpak-dir.c
|
|
||||||
+++ b/common/flatpak-dir.c
|
|
||||||
@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref)
|
|
||||||
|
|
||||||
static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
|
||||||
GLnxLockFile *file_lock,
|
|
||||||
+ const char *token,
|
|
||||||
GError **error);
|
|
||||||
|
|
||||||
static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir *self,
|
|
||||||
@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir *self,
|
|
||||||
static FlatpakOciRegistry *
|
|
||||||
flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
|
||||||
GLnxLockFile *file_lock,
|
|
||||||
+ const char *token,
|
|
||||||
GError **error)
|
|
||||||
{
|
|
||||||
g_autoptr(GFile) cache_dir = NULL;
|
|
||||||
@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
|
||||||
if (new_registry == NULL)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
+ flatpak_oci_registry_set_token (new_registry, token);
|
|
||||||
+
|
|
||||||
return g_steal_pointer (&new_registry);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir *self,
|
|
||||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
|
||||||
g_autoptr(GFile) registry_file = NULL;
|
|
||||||
|
|
||||||
- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
|
|
||||||
+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
|
|
||||||
if (registry == NULL)
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir *self,
|
|
||||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
|
||||||
g_autoptr(GFile) registry_file = NULL;
|
|
||||||
|
|
||||||
- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
|
|
||||||
+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
|
|
||||||
if (registry == NULL)
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
|
||||||
index fdeee56bd..c3ddb8c2b 100644
|
|
||||||
--- a/common/flatpak-oci-registry.c
|
|
||||||
+++ b/common/flatpak-oci-registry.c
|
|
||||||
@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
|
|
||||||
{
|
|
||||||
g_free (self->token);
|
|
||||||
self->token = g_strdup (token);
|
|
||||||
+
|
|
||||||
+ if (self->token)
|
|
||||||
+ (void)glnx_file_replace_contents_at (self->dfd, ".token",
|
|
||||||
+ (guchar *)self->token,
|
|
||||||
+ strlen (self->token),
|
|
||||||
+ 0, NULL, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
FlatpakOciRegistry *
|
|
||||||
flatpak_oci_registry_new (const char *uri,
|
|
||||||
gboolean for_write,
|
|
||||||
@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
|
|
||||||
int dfd;
|
|
||||||
g_autoptr(GError) local_error = NULL;
|
|
||||||
g_autoptr(GBytes) oci_layout_bytes = NULL;
|
|
||||||
+ g_autoptr(GBytes) token_bytes = NULL;
|
|
||||||
gboolean not_json;
|
|
||||||
|
|
||||||
if (self->dfd != -1)
|
|
||||||
@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
|
|
||||||
else if (!verify_oci_version (oci_layout_bytes, ¬_json, cancellable, error))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
+ if (self->dfd != -1)
|
|
||||||
+ {
|
|
||||||
+ token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL);
|
|
||||||
+ if (token_bytes != NULL)
|
|
||||||
+ self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (self->dfd == -1 && local_dfd != -1)
|
|
||||||
self->dfd = glnx_steal_fd (&local_dfd);
|
|
||||||
|
|
||||||
|
|
||||||
From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2020 15:43:16 +0200
|
|
||||||
Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking
|
|
||||||
manifests
|
|
||||||
|
|
||||||
We handle both types, so look for both.
|
|
||||||
|
|
||||||
(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4)
|
|
||||||
---
|
|
||||||
common/flatpak-json-oci.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c
|
|
||||||
index 6d60279d0..f5b3f0a0c 100644
|
|
||||||
--- a/common/flatpak-json-oci.c
|
|
||||||
+++ b/common/flatpak-json-oci.c
|
|
||||||
@@ -469,7 +469,8 @@ const char *
|
|
||||||
flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m)
|
|
||||||
{
|
|
||||||
if (m->parent.mediatype == NULL ||
|
|
||||||
- strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0)
|
|
||||||
+ (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 &&
|
|
||||||
+ strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (m->parent.annotations == NULL)
|
|
||||||
|
|
||||||
From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 4 May 2020 15:51:48 +0200
|
|
||||||
Subject: [PATCH 6/7] tests: Make OCI authenticator available
|
|
||||||
|
|
||||||
(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86)
|
|
||||||
---
|
|
||||||
tests/Makefile.am.inc | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
|
|
||||||
index 7c2e8271f..15f521485 100644
|
|
||||||
--- a/tests/Makefile.am.inc
|
|
||||||
+++ b/tests/Makefile.am.inc
|
|
||||||
@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent
|
|
||||||
mkdir -p tests/services
|
|
||||||
$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@
|
|
||||||
|
|
||||||
+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in
|
|
||||||
+ mkdir -p tests/services
|
|
||||||
+ $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@
|
|
||||||
+
|
|
||||||
tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in
|
|
||||||
mkdir -p tests/share/xdg-desktop-portal/portals
|
|
||||||
$(AM_V_GEN) install -m644 $< $@
|
|
||||||
|
|
||||||
-tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service
|
|
||||||
+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service
|
|
||||||
|
|
||||||
install-test-data-hook:
|
|
||||||
if ENABLE_INSTALLED_TESTS
|
|
||||||
@@ -223,6 +227,7 @@ DISTCLEANFILES += \
|
|
||||||
tests/services/org.freedesktop.portal.Flatpak.service \
|
|
||||||
tests/services/org.freedesktop.impl.portal.desktop.test.service \
|
|
||||||
tests/services/org.flatpak.Authenticator.test.service \
|
|
||||||
+ tests/services/org.flatpak.Authenticator.Oci.service \
|
|
||||||
tests/share/xdg-desktop-portal/portals/test.portal \
|
|
||||||
tests/package_version.txt \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 4 May 2020 15:51:59 +0200
|
|
||||||
Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server
|
|
||||||
|
|
||||||
This just does a GET, which is not quite right, but will work.
|
|
||||||
This is needed for the authenticator.
|
|
||||||
|
|
||||||
(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604)
|
|
||||||
---
|
|
||||||
tests/oci-registry-server.py | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py
|
|
||||||
index 23c2db916..33c3b646b 100755
|
|
||||||
--- a/tests/oci-registry-server.py
|
|
||||||
+++ b/tests/oci-registry-server.py
|
|
||||||
@@ -135,6 +135,9 @@ def do_GET(self):
|
|
||||||
else:
|
|
||||||
self.wfile.write(response_string.encode('utf-8'))
|
|
||||||
|
|
||||||
+ def do_HEAD(self):
|
|
||||||
+ return self.do_GET()
|
|
||||||
+
|
|
||||||
def do_POST(self):
|
|
||||||
if self.check_route('/testing/@repo_name/@tag'):
|
|
||||||
repo_name = self.matches['repo_name']
|
|
73
SOURCES/flatpak-1.8.5-post-cve-fixes.patch
Normal file
73
SOURCES/flatpak-1.8.5-post-cve-fixes.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||||
|
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
||||||
|
|
||||||
|
This means we can systematically pass the environment variables
|
||||||
|
through bwrap(1), even if it is setuid and thus is filtering out
|
||||||
|
security-sensitive environment variables. bwrap itself ends up being
|
||||||
|
run with an empty environment instead.
|
||||||
|
|
||||||
|
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||||
|
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||||
|
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||||
|
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||||
|
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||||
|
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||||
|
that we run the potentially-setuid bwrap.
|
||||||
|
|
||||||
|
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||||
|
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||||
|
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
||||||
|
---
|
||||||
|
app/flatpak-builtins-build.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||||
|
index 8da0de814..07ef6fc07 100644
|
||||||
|
--- a/app/flatpak-builtins-build.c
|
||||||
|
+++ b/app/flatpak-builtins-build.c
|
||||||
|
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||||
|
+
|
||||||
|
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||||
|
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
||||||
|
apply_extra
|
||||||
|
|
||||||
|
This means we can systematically pass the environment variables
|
||||||
|
through bwrap(1), even if it is setuid and thus is filtering out
|
||||||
|
security-sensitive environment variables. bwrap ends up being
|
||||||
|
run with an empty environment instead.
|
||||||
|
|
||||||
|
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||||
|
|
||||||
|
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
||||||
|
---
|
||||||
|
common/flatpak-dir.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||||
|
index ed1248e74..40767fa77 100644
|
||||||
|
--- a/common/flatpak-dir.c
|
||||||
|
+++ b/common/flatpak-dir.c
|
||||||
|
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
||||||
|
app_context, NULL, NULL, NULL, cancellable, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||||
|
+
|
||||||
|
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||||
|
|
||||||
|
flatpak_bwrap_finish (bwrap);
|
@ -2,17 +2,15 @@
|
|||||||
%global ostree_version 2018.9
|
%global ostree_version 2018.9
|
||||||
|
|
||||||
Name: flatpak
|
Name: flatpak
|
||||||
Version: 1.6.2
|
Version: 1.8.5
|
||||||
Release: 3%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Application deployment framework for desktop apps
|
Summary: Application deployment framework for desktop apps
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://flatpak.org/
|
URL: http://flatpak.org/
|
||||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1814045
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
||||||
Patch0: flatpak-1.6.2-oci-fixes.patch
|
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1847201
|
|
||||||
Patch1: flatpak-1.6.2-oci-fixes2.patch
|
|
||||||
|
|
||||||
BuildRequires: pkgconfig(appstream-glib)
|
BuildRequires: pkgconfig(appstream-glib)
|
||||||
BuildRequires: pkgconfig(dconf)
|
BuildRequires: pkgconfig(dconf)
|
||||||
@ -26,6 +24,7 @@ BuildRequires: pkgconfig(libseccomp)
|
|||||||
BuildRequires: pkgconfig(libsoup-2.4)
|
BuildRequires: pkgconfig(libsoup-2.4)
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
|
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
|
||||||
|
BuildRequires: pkgconfig(libzstd) >= 0.8.1
|
||||||
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
|
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
|
||||||
BuildRequires: pkgconfig(polkit-gobject-1)
|
BuildRequires: pkgconfig(polkit-gobject-1)
|
||||||
BuildRequires: pkgconfig(xau)
|
BuildRequires: pkgconfig(xau)
|
||||||
@ -36,7 +35,9 @@ BuildRequires: docbook-style-xsl
|
|||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: gpgme-devel
|
BuildRequires: gpgme-devel
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
|
BuildRequires: python3-pyparsing
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
|
BuildRequires: /usr/bin/python3
|
||||||
BuildRequires: /usr/bin/xmlto
|
BuildRequires: /usr/bin/xmlto
|
||||||
BuildRequires: /usr/bin/xsltproc
|
BuildRequires: /usr/bin/xsltproc
|
||||||
|
|
||||||
@ -185,8 +186,7 @@ fi
|
|||||||
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
|
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
|
||||||
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
|
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
|
||||||
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
|
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
|
||||||
# Co-own directory.
|
%{_datadir}/fish
|
||||||
%{_datadir}/gdm/env.d
|
|
||||||
%{_datadir}/%{name}
|
%{_datadir}/%{name}
|
||||||
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
|
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
|
||||||
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
|
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
|
||||||
@ -207,6 +207,7 @@ fi
|
|||||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
||||||
%{_sysconfdir}/flatpak/remotes.d
|
%{_sysconfdir}/flatpak/remotes.d
|
||||||
%{_sysconfdir}/profile.d/flatpak.sh
|
%{_sysconfdir}/profile.d/flatpak.sh
|
||||||
|
%{_sysusersdir}/flatpak.conf
|
||||||
%{_unitdir}/flatpak-system-helper.service
|
%{_unitdir}/flatpak-system-helper.service
|
||||||
%{_userunitdir}/flatpak-oci-authenticator.service
|
%{_userunitdir}/flatpak-oci-authenticator.service
|
||||||
%{_userunitdir}/flatpak-portal.service
|
%{_userunitdir}/flatpak-portal.service
|
||||||
@ -241,6 +242,21 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
||||||
|
- Apply post-release CVE fixes (#1918776)
|
||||||
|
|
||||||
|
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
|
||||||
|
- Rebase to 1.8.5 (#1851958)
|
||||||
|
|
||||||
|
* Tue Nov 17 2020 David King <dking@redhat.com> - 1.8.3-1
|
||||||
|
- Rebase to 1.8.3 (#1851958)
|
||||||
|
|
||||||
|
* Mon Oct 05 2020 David King <dking@redhat.com> - 1.8.2-1
|
||||||
|
- Rebase to 1.8.2 (#1851958)
|
||||||
|
|
||||||
|
* Mon Sep 14 2020 Kalev Lember <klember@redhat.com> - 1.6.2-4
|
||||||
|
- OCI: extract appstream data for runtimes (#1878231)
|
||||||
|
|
||||||
* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3
|
* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3
|
||||||
- Further fixes for OCI authenticator (#1847201)
|
- Further fixes for OCI authenticator (#1847201)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user