From 8cbbf308540580010cc153aa89d1e9934ec32888 Mon Sep 17 00:00:00 2001
From: David King
Date: Tue, 7 Jun 2022 14:20:36 +0100
Subject: [PATCH] Add gssproxy support
---
 flatpak-1.13.2-add-gssproxy-support.patch | 118 ++++++++++++++++++++++
 flatpak.spec | 7 +-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 flatpak-1.13.2-add-gssproxy-support.patch
diff --git a/flatpak-1.13.2-add-gssproxy-support.patch b/flatpak-1.13.2-add-gssproxy-support.patch
new file mode 100644
index 0000000..4881999
--- /dev/null
+++ b/flatpak-1.13.2-add-gssproxy-support.patch
@@ -0,0 +1,118 @@ +From 50c12cbeea35590779098e2e01313cc781f91f31 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 12 May 2022 12:44:59 -0500 +Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment + +We're using a directory rather than binding a socket directly for +increased robustness. In theory, if gssproxy crashes on the host, a new +socket that a new gssproxy process creates should be immediately visible +inside the sandbox. Nifty. + +Previously, applications that wanted to use Kerberos authentication +would have to punch a sandbox hole for the host's KCM socket. In +contrast, this gssproxy socket is designed for use by sandboxed apps. + +See also: https://github.com/gssapi/gssproxy/issues/45 +--- + common/flatpak-run.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index b91be51b..ccf9807b 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -924,6 +924,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap, + flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL); + } + ++static void ++flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap) ++{ ++ /* We only expose the gssproxy user service. The gssproxy system service is ++ * not intended to be exposed to sandboxed environments. 
++ */ ++ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL); ++ const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/"; ++ ++ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS)) ++ flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL); ++} ++ + static void + flatpak_run_add_resolved_args (FlatpakBwrap *bwrap) + { +@@ -4561,7 +4574,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref, + } + + if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0) +- flatpak_run_add_resolved_args (bwrap); ++ { ++ flatpak_run_add_gssproxy_args (bwrap); ++ flatpak_run_add_resolved_args (bwrap); ++ } + + flatpak_run_add_journal_args (bwrap); + add_font_path_args (bwrap); +-- +2.36.1 + + +From b4eb25dacbe745b10606adb8b0080c75490e9070 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Mon, 23 May 2022 09:59:48 -0500 +Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox + +If this environment variable is set on the host, it's going to mess up +authentication in the sandbox. For example, if the host has: + +KRB5CCNAME=KCM: + +then the sandboxed process will try to use the host KCM socket, which is +not available in the sandboxed environment, rather than the gssproxy +socket that we want it to use. We need to unset it to ensure that +whatever configuration we ship in the runtime gets used instead. We have +switched the GNOME runtime to use an empty krb5.conf and it works as +long as we don't break it with this environment variable meant for the +host. 
+--- + common/flatpak-run.c | 4 +++- + doc/flatpak-run.xml | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index ccf9807b..b66f326c 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -1851,7 +1851,8 @@ static const ExportData default_exports[] = { + {"XDG_RUNTIME_DIR", NULL}, + + /* Some env vars are common enough and will affect the sandbox badly +- if set on the host. We clear these always. */ ++ if set on the host. We clear these always. If updating this list, ++ also update the list in flatpak-run.xml. */ + {"PYTHONPATH", NULL}, + {"PERLLIB", NULL}, + {"PERL5LIB", NULL}, +@@ -1868,6 +1869,7 @@ static const ExportData default_exports[] = { + {"GST_PTP_HELPER", NULL}, + {"GST_PTP_HELPER_1_0", NULL}, + {"GST_INSTALL_PLUGINS_HELPER", NULL}, ++ {"KRB5CCNAME", NULL}, + }; + + static const ExportData no_ld_so_cache_exports[] = { +diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml +index c1396b07..ca181f32 100644 +--- a/doc/flatpak-run.xml ++++ b/doc/flatpak-run.xml +@@ -89,6 +89,7 @@ + PERLLIB + PERL5LIB + XCURSOR_PATH ++ KRB5CCNAME + + + Flatpak also overrides the XDG environment variables to point sandboxed applications +-- +2.36.1 + diff --git a/flatpak.spec b/flatpak.spec index c01fc6b..5862acf 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -4,7 +4,7 @@ Name: flatpak Version: 1.13.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -21,6 +21,8 @@ Source1: flatpak-add-fedora-repos.service Source2: flatpak.sysusers.conf Patch0: flatpak-selinux-permissions.patch +# https://github.com/flatpak/flatpak/pull/4914 +Patch1: flatpak-1.13.2-add-gssproxy-support.patch BuildRequires: pkgconfig(appstream) >= %{appstream_version} BuildRequires: pkgconfig(dconf) 
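Review bot: The guard in flatpak_run_add_gssproxy_args, `g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS)`, accepts any object at `$XDG_RUNTIME_DIR/gssproxy`, although the comment above it and the commit message say a directory is expected; `if (g_file_test (gssproxy_host_dir, G_FILE_TEST_IS_DIR))` would stop bwrap from bind-mounting a stray regular file (or a symlink to one) onto `/var/lib/gssproxy/`. The mount is also read-write (`--bind`), so a sandboxed app can create or replace entries in the host user's runtime gssproxy directory; connecting to a Unix socket does not seem to require a writable mount, so `flatpak_bwrap_add_args (bwrap, "--ro-bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);` looks sufficient, which is worth confirming against gssproxy before switching. The hard-coded `/var/lib/gssproxy/` presumably has to match the gssproxy client configuration shipped in the runtime, and a comment saying so would help whoever next touches either side. The call site gates this on FLATPAK_CONTEXT_SHARED_NETWORK inside flatpak_run_app, whose body lies outside the hunk; a one-line comment on the new function noting that apps without network sharing never see the socket would make that dependency visible.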
@@ -268,6 +270,9 @@ fi
 %changelog
+* Tue Jun 07 2022 David King - 1.13.2-4
+- Add gssproxy support
+
 * Tue May 17 2022 Timothée Ravier - 1.13.2-3
 - Use sysusers_create_compat macro to create user & group.