rpms/flatpak
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import UBI flatpak-1.16.0-9.el10

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 19:11:57 -04:00
parent a28bb95c05
commit e37ada1959
3 changed files with 286 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch Normal file
View File

@ -0,0 +1,152 @@
From 8354ee56cfe5b77afed1a31148dc557d46ca64ac Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Thu, 30 Oct 2025 16:09:00 +0100
Subject: [PATCH] kill: Do not kill pid 0 and embrace races
There are a number of races, and failure conditions which can lead to a
pid of 0 being returned from flatpak_instance_get_child_pid. This would
lead to a whole bunch of things getting killed.
We will skip the instance in those cases now, and retry a few times. We
also notice when the instance just goes away by itself now.
This should make killing more robust, and especially not SIGKILL pid 0.
---
app/flatpak-builtins-kill.c | 90 +++++++++++++++++++++++++++++--------
1 file changed, 72 insertions(+), 18 deletions(-)
diff --git ./app/flatpak-builtins-kill.c ../app/flatpak-builtins-kill.c
index c1a1ee11..081911de 100644
--- ./app/flatpak-builtins-kill.c
+++ ../app/flatpak-builtins-kill.c
@@ -36,37 +36,91 @@
#include "flatpak-builtins.h"
#include "flatpak-instance.h"
+#define FLATPAK_BUILTIN_KILL_N_RETRIES 5
+#define FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC (G_USEC_PER_SEC / 10)
+
static GOptionEntry options[] = {
{ NULL }
};
static gboolean
-kill_instance (const char *id,
- GError **error)
+instance_equal (FlatpakInstance *a,
+ FlatpakInstance *b)
{
- g_autoptr(GPtrArray) instances = NULL;
- int j;
- int killed = 0;
+ return g_strcmp0 (flatpak_instance_get_id (a),
+ flatpak_instance_get_id (b)) == 0;
+}
- instances = flatpak_instance_get_all ();
+static GPtrArray *
+kill_instances (GPtrArray *kill_list)
+{
+ g_autoptr(GPtrArray) instances = flatpak_instance_get_all ();
+ g_autoptr(GPtrArray) remaining =
+ g_ptr_array_new_with_free_func (g_object_unref);
- for (j = 0; j < instances->len; j++)
+ for (size_t i = 0; i < kill_list->len; i++)
{
- FlatpakInstance *instance = (FlatpakInstance *) g_ptr_array_index (instances, j);
- if (g_strcmp0 (id, flatpak_instance_get_app (instance)) == 0 ||
- strcmp (id, flatpak_instance_get_id (instance)) == 0)
+ FlatpakInstance *to_kill = g_ptr_array_index (kill_list, i);
+ pid_t pid;
+
+ if (!g_ptr_array_find_with_equal_func (instances, to_kill,
+ (GEqualFunc) instance_equal,
+ NULL))
{
- pid_t pid = flatpak_instance_get_child_pid (instance);
- kill (pid, SIGKILL);
- killed++;
+ g_info ("Instance %s disappeared", flatpak_instance_get_id (to_kill));
+ continue;
}
+
+ pid = flatpak_instance_get_child_pid (to_kill);
+ if (pid != 0)
+ {
+ kill (pid, SIGKILL);
+ g_info ("Instance %s killed", flatpak_instance_get_id (to_kill));
+ continue;
+ }
+
+ g_ptr_array_add (remaining, g_object_ref (to_kill));
}
- g_info ("Killed %d instances", killed);
+ return g_steal_pointer (&remaining);
+}
- if (killed == 0)
+static gboolean
+kill_id (const char *id,
+ GError **error)
+{
+ g_autoptr(GPtrArray) instances = flatpak_instance_get_all ();
+ g_autoptr(GPtrArray) kill_list =
+ g_ptr_array_new_with_free_func (g_object_unref);
+
+ for (size_t i = 0; i < instances->len; i++)
+ {
+ FlatpakInstance *instance = g_ptr_array_index (instances, i);
+
+ if (g_strcmp0 (id, flatpak_instance_get_app (instance)) != 0 &&
+ g_strcmp0 (id, flatpak_instance_get_id (instance)) != 0)
+ continue;
+
+ g_info ("Found instance %s to kill", flatpak_instance_get_id (instance));
+
+ g_ptr_array_add (kill_list, g_object_ref (instance));
+ }
+
+ if (kill_list->len == 0)
return flatpak_fail (error, _("%s is not running"), id);
+ for (size_t i = 0; i < FLATPAK_BUILTIN_KILL_N_RETRIES && kill_list->len > 0; i++)
+ {
+ g_autoptr (GPtrArray) remaining = NULL;
+
+ if (i > 0)
+ g_usleep (FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC);
+
+ remaining = kill_instances (kill_list);
+ g_clear_pointer (&kill_list, g_ptr_array_unref);
+ kill_list = g_steal_pointer (&remaining);
+ }
+
return TRUE;
}
@@ -77,7 +131,7 @@ flatpak_builtin_kill (int argc,
GError **error)
{
g_autoptr(GOptionContext) context = NULL;
- const char *instance;
+ const char *id;
context = g_option_context_new (_("INSTANCE - Stop a running application"));
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
@@ -97,9 +151,9 @@ flatpak_builtin_kill (int argc,
return FALSE;
}
- instance = argv[1];
+ id = argv[1];
- return kill_instance (instance, error);
+ return kill_id (id, error);
}
gboolean
--
2.51.0

119
flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch Normal file
View File

@ -0,0 +1,119 @@
From 5f5aeea8d8be071468fb8e9640554518fb65885e Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Tue, 16 Dec 2025 17:15:32 +0100
Subject: [PATCH] run: Enable FIPS crypto policy if it is enabled on the host
This is a close copy of what podman/containers does to support FIPS. Any
other crypto policy is ignored for now.
---
common/flatpak-run.c | 87 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 87 insertions(+)
diff --git ./common/flatpak-run.c ../common/flatpak-run.c
index 6c319231..b51cc637 100644
--- ./common/flatpak-run.c
+++ ../common/flatpak-run.c
@@ -2215,6 +2215,91 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
}
}
+static void
+flatpak_run_setup_fips (FlatpakBwrap *bwrap,
+ GFile *runtime_files)
+{
+ g_autoptr(GFile) runtime_crypto_policies = NULL;
+ g_autoptr(GFile) runtime_fips_backend = NULL;
+ g_autoptr(GFile) runtime_fips_config = NULL;
+ g_autofree char *fips_enabled = NULL;
+ g_autoptr(GError) error = NULL;
+
+ if (!g_file_get_contents ("/proc/sys/crypto/fips_enabled",
+ &fips_enabled,
+ NULL, &error))
+ {
+ if (!g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT))
+ {
+ g_warning ("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %s",
+ error->message);
+ }
+
+ return;
+ }
+
+ g_strstrip (fips_enabled);
+
+ if (g_strcmp0 (fips_enabled, "1") != 0)
+ {
+ g_info ("FIPS is disabled");
+ return;
+ }
+
+ runtime_crypto_policies =
+ g_file_resolve_relative_path (runtime_files, "etc/crypto-policies");
+
+ if (!g_file_query_exists (runtime_crypto_policies, NULL))
+ {
+ g_info ("FIPS is enabled, but runtime does not support it");
+ return;
+ }
+
+ runtime_fips_backend =
+ g_file_resolve_relative_path (runtime_files,
+ "share/crypto-policies/back-ends/FIPS");
+
+ if (!g_file_query_exists (runtime_fips_backend, NULL))
+ {
+ g_info ("FIPS is enabled, but runtime does not support it");
+ return;
+ }
+
+ runtime_fips_config =
+ g_file_resolve_relative_path (runtime_files,
+ "share/crypto-policies/default-fips-config");
+
+ if (g_file_query_exists (runtime_fips_config, NULL))
+ {
+ flatpak_bwrap_add_args (bwrap, "--ro-bind",
+ flatpak_file_get_path_cached (runtime_fips_config),
+ "/etc/crypto-policies/config",
+ NULL);
+ }
+ else
+ {
+ if (!flatpak_bwrap_add_args_data (bwrap,
+ "default-fips-config",
+ "FIPS\n",
+ -1,
+ "/etc/crypto-policies/config",
+ &error))
+ {
+ g_warning ("Failed to enable FIPS configuration: "
+ "creating default-fips-config tmpfile failed: %s",
+ error->message);
+ return;
+ }
+ }
+
+ flatpak_bwrap_add_args (bwrap, "--ro-bind",
+ flatpak_file_get_path_cached (runtime_fips_backend),
+ "/etc/crypto-policies/back-ends",
+ NULL);
+
+ g_info ("Enabled FIPS configuration");
+}
+
/* Directories in /sys to share with the sandbox if accessible. */
static const char *const sysfs_dirs[] =
{
@@ -2405,6 +2490,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
}
}
+ flatpak_run_setup_fips (bwrap, runtime_files);
+
if (app_id_dir != NULL)
{
g_autoptr(GFile) app_cache_dir = g_file_get_child (app_id_dir, "cache");
--
2.51.0

18
flatpak.spec
View File

@ -12,7 +12,7 @@
Name: flatpak
Version: 1.16.0
Release: 6%{?dist}.1
Release: 9%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPL-2.1-or-later
@ -47,6 +47,10 @@ Patch4: flatpak-enable-collection-ids-for-oci-remotes.patch
Patch5: flatpak-pass-token-to-flatpak-image-source-new-remote.patch
# /etc/pki/entitlement
Patch6: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
# Enable FIPS support
Patch7: flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
# Stop killing the session when stopping background apps
Patch9: flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch
# ostree not on i686 for RHEL 10
# https://github.com/containers/composefs/pull/229#issuecomment-1838735764
@ -316,9 +320,17 @@ fi
%changelog
* Mon Oct 13 2025 Jan Grulich <jgrulich@redhat.com> - 1.16.0-6.1
* Tue Jan 13 2026 Sebastian Wick <sebastian.wick@redhat.com> - 1.16.0-9
- kill: Do not kill pid 0 and embrace races
Resolves: RHEL-140924
* Tue Dec 16 2025 Sebastian Wick <sebastian.wick@redhat.com> - 1.16.0-8
- Enable FIPS crypto policy if it is enabled on the host
Resolves: RHEL-77484
* Mon Oct 13 2025 Jan Grulich <jgrulich@redhat.com> - 1.16.0-7
- Get certificates from /etc/pki/entitlement for registry.redhat.io
Resolves: RHEL-127936
Resolves: RHEL-85004
* Mon Aug 04 2025 Jan Grulich <jgrulich@redhat.com> - 1.16.0-6
- Fix wrongly marked failed installs as pre-installed