From e37ada195959e747d10487503c12df0a3f6359f5 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 19 May 2026 19:11:57 -0400 Subject: [PATCH] import UBI flatpak-1.16.0-9.el10 --- ...-Do-not-kill-pid-0-and-embrace-races.patch | 152 ++++++++++++++++++ ...crypto-policy-if-it-is-enabled-on-th.patch | 119 ++++++++++++++ flatpak.spec | 18 ++- 3 files changed, 286 insertions(+), 3 deletions(-) create mode 100644 flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch create mode 100644 flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch diff --git a/flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch b/flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch new file mode 100644 index 0000000..2e38b6d --- /dev/null +++ b/flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch @@ -0,0 +1,152 @@ +From 8354ee56cfe5b77afed1a31148dc557d46ca64ac Mon Sep 17 00:00:00 2001 +From: Sebastian Wick +Date: Thu, 30 Oct 2025 16:09:00 +0100 +Subject: [PATCH] kill: Do not kill pid 0 and embrace races + +There are a number of races, and failure conditions which can lead to a +pid of 0 being returned from flatpak_instance_get_child_pid. This would +lead to a whole bunch of things getting killed. + +We will skip the instance in those cases now, and retry a few times. We +also notice when the instance just goes away by itself now. + +This should make killing more robust, and especially not SIGKILL pid 0. +--- + app/flatpak-builtins-kill.c | 90 +++++++++++++++++++++++++++++-------- + 1 file changed, 72 insertions(+), 18 deletions(-) + +diff --git ./app/flatpak-builtins-kill.c ../app/flatpak-builtins-kill.c +index c1a1ee11..081911de 100644 +--- ./app/flatpak-builtins-kill.c ++++ ../app/flatpak-builtins-kill.c +@@ -36,37 +36,91 @@ + #include "flatpak-builtins.h" + #include "flatpak-instance.h" + ++#define FLATPAK_BUILTIN_KILL_N_RETRIES 5 ++#define FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC (G_USEC_PER_SEC / 10) ++ + static GOptionEntry options[] = { + { NULL } + }; + + static gboolean +-kill_instance (const char *id, +- GError **error) ++instance_equal (FlatpakInstance *a, ++ FlatpakInstance *b) + { +- g_autoptr(GPtrArray) instances = NULL; +- int j; +- int killed = 0; ++ return g_strcmp0 (flatpak_instance_get_id (a), ++ flatpak_instance_get_id (b)) == 0; ++} + +- instances = flatpak_instance_get_all (); ++static GPtrArray * ++kill_instances (GPtrArray *kill_list) ++{ ++ g_autoptr(GPtrArray) instances = flatpak_instance_get_all (); ++ g_autoptr(GPtrArray) remaining = ++ g_ptr_array_new_with_free_func (g_object_unref); + +- for (j = 0; j < instances->len; j++) ++ for (size_t i = 0; i < kill_list->len; i++) + { +- FlatpakInstance *instance = (FlatpakInstance *) g_ptr_array_index (instances, j); +- if (g_strcmp0 (id, flatpak_instance_get_app (instance)) == 0 || +- strcmp (id, flatpak_instance_get_id (instance)) == 0) ++ FlatpakInstance *to_kill = g_ptr_array_index (kill_list, i); ++ pid_t pid; ++ ++ if (!g_ptr_array_find_with_equal_func (instances, to_kill, ++ (GEqualFunc) instance_equal, ++ NULL)) + { +- pid_t pid = flatpak_instance_get_child_pid (instance); +- kill (pid, SIGKILL); +- killed++; ++ g_info ("Instance %s disappeared", flatpak_instance_get_id (to_kill)); ++ continue; + } ++ ++ pid = flatpak_instance_get_child_pid (to_kill); ++ if (pid != 0) ++ { ++ kill (pid, SIGKILL); ++ g_info ("Instance %s killed", flatpak_instance_get_id (to_kill)); ++ continue; ++ } ++ ++ g_ptr_array_add (remaining, g_object_ref (to_kill)); + } + +- g_info ("Killed %d instances", killed); ++ return g_steal_pointer (&remaining); ++} + +- if (killed == 0) ++static gboolean ++kill_id (const char *id, ++ GError **error) ++{ ++ g_autoptr(GPtrArray) instances = flatpak_instance_get_all (); ++ g_autoptr(GPtrArray) kill_list = ++ g_ptr_array_new_with_free_func (g_object_unref); ++ ++ for (size_t i = 0; i < instances->len; i++) ++ { ++ FlatpakInstance *instance = g_ptr_array_index (instances, i); ++ ++ if (g_strcmp0 (id, flatpak_instance_get_app (instance)) != 0 && ++ g_strcmp0 (id, flatpak_instance_get_id (instance)) != 0) ++ continue; ++ ++ g_info ("Found instance %s to kill", flatpak_instance_get_id (instance)); ++ ++ g_ptr_array_add (kill_list, g_object_ref (instance)); ++ } ++ ++ if (kill_list->len == 0) + return flatpak_fail (error, _("%s is not running"), id); + ++ for (size_t i = 0; i < FLATPAK_BUILTIN_KILL_N_RETRIES && kill_list->len > 0; i++) ++ { ++ g_autoptr (GPtrArray) remaining = NULL; ++ ++ if (i > 0) ++ g_usleep (FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC); ++ ++ remaining = kill_instances (kill_list); ++ g_clear_pointer (&kill_list, g_ptr_array_unref); ++ kill_list = g_steal_pointer (&remaining); ++ } ++ + return TRUE; + } + +@@ -77,7 +131,7 @@ flatpak_builtin_kill (int argc, + GError **error) + { + g_autoptr(GOptionContext) context = NULL; +- const char *instance; ++ const char *id; + + context = g_option_context_new (_("INSTANCE - Stop a running application")); + g_option_context_set_translation_domain (context, GETTEXT_PACKAGE); +@@ -97,9 +151,9 @@ flatpak_builtin_kill (int argc, + return FALSE; + } + +- instance = argv[1]; ++ id = argv[1]; + +- return kill_instance (instance, error); ++ return kill_id (id, error); + } + + gboolean +-- +2.51.0 + diff --git a/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch b/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch new file mode 100644 index 0000000..afdf34e --- /dev/null +++ b/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch @@ -0,0 +1,119 @@ +From 5f5aeea8d8be071468fb8e9640554518fb65885e Mon Sep 17 00:00:00 2001 +From: Sebastian Wick +Date: Tue, 16 Dec 2025 17:15:32 +0100 +Subject: [PATCH] run: Enable FIPS crypto policy if it is enabled on the host + +This is a close copy of what podman/containers does to support FIPS. Any +other crypto policy is ignored for now. +--- + common/flatpak-run.c | 87 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 87 insertions(+) + +diff --git ./common/flatpak-run.c ../common/flatpak-run.c +index 6c319231..b51cc637 100644 +--- ./common/flatpak-run.c ++++ ../common/flatpak-run.c +@@ -2215,6 +2215,91 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap, + } + } + ++static void ++flatpak_run_setup_fips (FlatpakBwrap *bwrap, ++ GFile *runtime_files) ++{ ++ g_autoptr(GFile) runtime_crypto_policies = NULL; ++ g_autoptr(GFile) runtime_fips_backend = NULL; ++ g_autoptr(GFile) runtime_fips_config = NULL; ++ g_autofree char *fips_enabled = NULL; ++ g_autoptr(GError) error = NULL; ++ ++ if (!g_file_get_contents ("/proc/sys/crypto/fips_enabled", ++ &fips_enabled, ++ NULL, &error)) ++ { ++ if (!g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT)) ++ { ++ g_warning ("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %s", ++ error->message); ++ } ++ ++ return; ++ } ++ ++ g_strstrip (fips_enabled); ++ ++ if (g_strcmp0 (fips_enabled, "1") != 0) ++ { ++ g_info ("FIPS is disabled"); ++ return; ++ } ++ ++ runtime_crypto_policies = ++ g_file_resolve_relative_path (runtime_files, "etc/crypto-policies"); ++ ++ if (!g_file_query_exists (runtime_crypto_policies, NULL)) ++ { ++ g_info ("FIPS is enabled, but runtime does not support it"); ++ return; ++ } ++ ++ runtime_fips_backend = ++ g_file_resolve_relative_path (runtime_files, ++ "share/crypto-policies/back-ends/FIPS"); ++ ++ if (!g_file_query_exists (runtime_fips_backend, NULL)) ++ { ++ g_info ("FIPS is enabled, but runtime does not support it"); ++ return; ++ } ++ ++ runtime_fips_config = ++ g_file_resolve_relative_path (runtime_files, ++ "share/crypto-policies/default-fips-config"); ++ ++ if (g_file_query_exists (runtime_fips_config, NULL)) ++ { ++ flatpak_bwrap_add_args (bwrap, "--ro-bind", ++ flatpak_file_get_path_cached (runtime_fips_config), ++ "/etc/crypto-policies/config", ++ NULL); ++ } ++ else ++ { ++ if (!flatpak_bwrap_add_args_data (bwrap, ++ "default-fips-config", ++ "FIPS\n", ++ -1, ++ "/etc/crypto-policies/config", ++ &error)) ++ { ++ g_warning ("Failed to enable FIPS configuration: " ++ "creating default-fips-config tmpfile failed: %s", ++ error->message); ++ return; ++ } ++ } ++ ++ flatpak_bwrap_add_args (bwrap, "--ro-bind", ++ flatpak_file_get_path_cached (runtime_fips_backend), ++ "/etc/crypto-policies/back-ends", ++ NULL); ++ ++ g_info ("Enabled FIPS configuration"); ++} ++ + /* Directories in /sys to share with the sandbox if accessible. */ + static const char *const sysfs_dirs[] = + { +@@ -2405,6 +2490,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap, + } + } + ++ flatpak_run_setup_fips (bwrap, runtime_files); ++ + if (app_id_dir != NULL) + { + g_autoptr(GFile) app_cache_dir = g_file_get_child (app_id_dir, "cache"); +-- +2.51.0 + diff --git a/flatpak.spec b/flatpak.spec index 3facd26..0b89681 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -12,7 +12,7 @@ Name: flatpak Version: 1.16.0 -Release: 6%{?dist}.1 +Release: 9%{?dist} Summary: Application deployment framework for desktop apps License: LGPL-2.1-or-later @@ -47,6 +47,10 @@ Patch4: flatpak-enable-collection-ids-for-oci-remotes.patch Patch5: flatpak-pass-token-to-flatpak-image-source-new-remote.patch # /etc/pki/entitlement Patch6: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch +# Enable FIPS support +Patch7: flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch +# Stop killing the session when stopping background apps +Patch9: flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch # ostree not on i686 for RHEL 10 # https://github.com/containers/composefs/pull/229#issuecomment-1838735764 @@ -316,9 +320,17 @@ fi %changelog -* Mon Oct 13 2025 Jan Grulich - 1.16.0-6.1 +* Tue Jan 13 2026 Sebastian Wick - 1.16.0-9 +- kill: Do not kill pid 0 and embrace races + Resolves: RHEL-140924 + +* Tue Dec 16 2025 Sebastian Wick - 1.16.0-8 +- Enable FIPS crypto policy if it is enabled on the host + Resolves: RHEL-77484 + +* Mon Oct 13 2025 Jan Grulich - 1.16.0-7 - Get certificates from /etc/pki/entitlement for registry.redhat.io - Resolves: RHEL-127936 + Resolves: RHEL-85004 * Mon Aug 04 2025 Jan Grulich - 1.16.0-6 - Fix wrongly marked failed installs as pre-installed