Enable FIPS crypto policy if it is enabled on the host

Resolves: RHEL-77484
2025-12-16 17:23:50 +01:00 · 2025-12-16 17:23:50 +01:00 · e7a00620dc
commit e7a00620dc
parent dc31c506f0
2 changed files with 126 additions and 1 deletions
--- a/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
+++ b/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
@ -0,0 +1,119 @@
+From 5f5aeea8d8be071468fb8e9640554518fb65885e Mon Sep 17 00:00:00 2001
+From: Sebastian Wick <sebastian.wick@redhat.com>
+Date: Tue, 16 Dec 2025 17:15:32 +0100
+Subject: [PATCH] run: Enable FIPS crypto policy if it is enabled on the host
+
+This is a close copy of what podman/containers does to support FIPS. Any
+other crypto policy is ignored for now.
+---
+ common/flatpak-run.c | 87 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 87 insertions(+)
+
+diff --git ./common/flatpak-run.c ../common/flatpak-run.c
+index 6c319231..b51cc637 100644
+--- ./common/flatpak-run.c
+++ ../common/flatpak-run.c
+@@ -2215,6 +2215,91 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
+     }
+ }
+ 
+static void
+flatpak_run_setup_fips (FlatpakBwrap *bwrap,
+                        GFile        *runtime_files)
+{
+  g_autoptr(GFile) runtime_crypto_policies = NULL;
+  g_autoptr(GFile) runtime_fips_backend = NULL;
+  g_autoptr(GFile) runtime_fips_config = NULL;
+  g_autofree char *fips_enabled = NULL;
+  g_autoptr(GError) error = NULL;
+
+  if (!g_file_get_contents ("/proc/sys/crypto/fips_enabled",
+                            &fips_enabled,
+                            NULL, &error))
+    {
+      if (!g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT))
+        {
+          g_warning ("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %s",
+                     error->message);
+        }
+
+      return;
+    }
+
+  g_strstrip (fips_enabled);
+
+  if (g_strcmp0 (fips_enabled, "1") != 0)
+    {
+      g_info ("FIPS is disabled");
+      return;
+    }
+
+  runtime_crypto_policies =
+    g_file_resolve_relative_path (runtime_files, "etc/crypto-policies");
+
+  if (!g_file_query_exists (runtime_crypto_policies, NULL))
+    {
+      g_info ("FIPS is enabled, but runtime does not support it");
+      return;
+    }
+
+  runtime_fips_backend =
+    g_file_resolve_relative_path (runtime_files,
+                                  "share/crypto-policies/back-ends/FIPS");
+
+  if (!g_file_query_exists (runtime_fips_backend, NULL))
+    {
+      g_info ("FIPS is enabled, but runtime does not support it");
+      return;
+    }
+
+  runtime_fips_config =
+    g_file_resolve_relative_path (runtime_files,
+                                  "share/crypto-policies/default-fips-config");
+
+  if (g_file_query_exists (runtime_fips_config, NULL))
+    {
+      flatpak_bwrap_add_args (bwrap, "--ro-bind",
+                              flatpak_file_get_path_cached (runtime_fips_config),
+                              "/etc/crypto-policies/config",
+                              NULL);
+    }
+  else
+    {
+      if (!flatpak_bwrap_add_args_data (bwrap,
+                                        "default-fips-config",
+                                        "FIPS\n",
+                                        -1,
+                                        "/etc/crypto-policies/config",
+                                        &error))
+        {
+          g_warning ("Failed to enable FIPS configuration: "
+                     "creating default-fips-config tmpfile failed: %s",
+                     error->message);
+          return;
+        }
+    }
+
+  flatpak_bwrap_add_args (bwrap, "--ro-bind",
+                          flatpak_file_get_path_cached (runtime_fips_backend),
+                          "/etc/crypto-policies/back-ends",
+                          NULL);
+
+  g_info ("Enabled FIPS configuration");
+}
+
+ /* Directories in /sys to share with the sandbox if accessible. */
+ static const char *const sysfs_dirs[] =
+ {
+@@ -2405,6 +2490,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap   *bwrap,
+         }
+     }
+ 
+  flatpak_run_setup_fips (bwrap, runtime_files);
+
+   if (app_id_dir != NULL)
+     {
+       g_autoptr(GFile) app_cache_dir = g_file_get_child (app_id_dir, "cache");
+-- 
+2.51.0
+
--- a/flatpak.spec
+++ b/flatpak.spec
@ -12,7 +12,7 @@

 Name:           flatpak
 Version:        1.16.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Application deployment framework for desktop apps

 License:        LGPL-2.1-or-later
@ -47,6 +47,8 @@ Patch4:         flatpak-enable-collection-ids-for-oci-remotes.patch
 Patch5:         flatpak-pass-token-to-flatpak-image-source-new-remote.patch
 # /etc/pki/entitlement
 Patch6:         flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
+# Enable FIPS support
+Patch7:         flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch

 # ostree not on i686 for RHEL 10
 # https://github.com/containers/composefs/pull/229#issuecomment-1838735764
@ -316,6 +318,10 @@ fi


 %changelog
+* Tue Dec 16 2025 Sebastian Wick <sebastian.wick@redhat.com> - 1.16.0-8
+- Enable FIPS crypto policy if it is enabled on the host
+  Resolves: RHEL-77484
+
 * Mon Oct 13 2025 Jan Grulich <jgrulich@redhat.com> - 1.16.0-7
 - Get certificates from /etc/pki/entitlement for registry.redhat.io
  Resolves: RHEL-85004