From e7a00620dc185876d08f035d3cebeaf16e66f068 Mon Sep 17 00:00:00 2001
From: Sebastian Wick
Date: Tue, 16 Dec 2025 17:23:50 +0100
Subject: [PATCH] Enable FIPS crypto policy if it is enabled on the host
Resolves: RHEL-77484
---
 ...crypto-policy-if-it-is-enabled-on-th.patch | 119 ++++++++++++++++++
 flatpak.spec | 8 +-
 2 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
diff --git a/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch b/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
new file mode 100644
index 0000000..afdf34e
--- /dev/null
+++ b/flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
@@ -0,0 +1,119 @@
+From 5f5aeea8d8be071468fb8e9640554518fb65885e Mon Sep 17 00:00:00 2001
+From: Sebastian Wick
+Date: Tue, 16 Dec 2025 17:15:32 +0100
+Subject: [PATCH] run: Enable FIPS crypto policy if it is enabled on the host
+
+This is a close copy of what podman/containers does to support FIPS. Any
+other crypto policy is ignored for now.
+---
+ common/flatpak-run.c | 87 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 87 insertions(+)
+
+diff --git ./common/flatpak-run.c ../common/flatpak-run.c
+index 6c319231..b51cc637 100644
+--- ./common/flatpak-run.c
++++ ../common/flatpak-run.c
+@@ -2215,6 +2215,91 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
+ }
+ }
+
++static void
++flatpak_run_setup_fips (FlatpakBwrap *bwrap,
++ GFile *runtime_files)
++{
++ g_autoptr(GFile) runtime_crypto_policies = NULL;
++ g_autoptr(GFile) runtime_fips_backend = NULL;
++ g_autoptr(GFile) runtime_fips_config = NULL;
++ g_autofree char *fips_enabled = NULL;
++ g_autoptr(GError) error = NULL;
++
++ if (!g_file_get_contents ("/proc/sys/crypto/fips_enabled",
++ &fips_enabled,
++ NULL, &error))
++ {
++ if (!g_error_matches (error, G_FILE_ERROR, G_FILE_ERROR_NOENT))
++ {
++ g_warning ("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %s",
++ error->message);
++ }
++
++ return;
++ }
++
++ g_strstrip (fips_enabled);
++
++ if (g_strcmp0 (fips_enabled, "1") != 0)
++ {
++ g_info ("FIPS is disabled");
++ return;
++ }
++
++ runtime_crypto_policies =
++ g_file_resolve_relative_path (runtime_files, "etc/crypto-policies");
++
++ if (!g_file_query_exists (runtime_crypto_policies, NULL))
++ {
++ g_info ("FIPS is enabled, but runtime does not support it");
++ return;
++ }
++
++ runtime_fips_backend =
++ g_file_resolve_relative_path (runtime_files,
++ "share/crypto-policies/back-ends/FIPS");
++
++ if (!g_file_query_exists (runtime_fips_backend, NULL))
++ {
++ g_info ("FIPS is enabled, but runtime does not support it");
++ return;
++ }
++
++ runtime_fips_config =
++ g_file_resolve_relative_path (runtime_files,
++ "share/crypto-policies/default-fips-config");
++
++ if (g_file_query_exists (runtime_fips_config, NULL))
++ {
++ flatpak_bwrap_add_args (bwrap, "--ro-bind",
++ flatpak_file_get_path_cached (runtime_fips_config),
++ "/etc/crypto-policies/config",
++ NULL);
++ }
++ else
++ {
++ if (!flatpak_bwrap_add_args_data (bwrap,
++ "default-fips-config",
++ "FIPS\n",
++ -1,
++ "/etc/crypto-policies/config",
++ &error))
++ {
++ g_warning ("Failed to enable FIPS configuration: "
++ "creating default-fips-config tmpfile failed: %s",
++ error->message);
++ return;
++ }
++ }
++
++ flatpak_bwrap_add_args (bwrap, "--ro-bind",
++ flatpak_file_get_path_cached (runtime_fips_backend),
++ "/etc/crypto-policies/back-ends",
++ NULL);
++
++ g_info ("Enabled FIPS configuration");
++}
++
+ /* Directories in /sys to share with the sandbox if accessible. */
+ static const char *const sysfs_dirs[] =
+ {
+@@ -2405,6 +2490,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
+ }
+ }
+
++ flatpak_run_setup_fips (bwrap, runtime_files);
++
+ if (app_id_dir != NULL)
+ {
+ g_autoptr(GFile) app_cache_dir = g_file_get_child (app_id_dir, "cache");
+--
+2.51.0
+
diff --git a/flatpak.spec b/flatpak.spec
index 9657102..d250ca2 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -12,7 +12,7 @@ Name: flatpak
 Version: 1.16.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPL-2.1-or-later
@@ -47,6 +49,8 @@ Patch4: flatpak-enable-collection-ids-for-oci-remotes.patch
 Patch5: flatpak-pass-token-to-flatpak-image-source-new-remote.patch
 # /etc/pki/entitlement
 Patch6: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
+# Enable FIPS support
+Patch7: flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
 # ostree not on i686 for RHEL 10
 # https://github.com/containers/composefs/pull/229#issuecomment-1838735764
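Review bot: The two `g_info ("FIPS is enabled, but runtime does not support it")` messages in flatpak_run_setup_fips are identical, so a log cannot tell whether `etc/crypto-policies` or `share/crypto-policies/back-ends/FIPS` was the missing piece, and because both are g_info a host in FIPS mode that launches an app without the FIPS policy leaves no trace at default verbosity. Consider naming the missing path in each message, e.g. `g_info ("FIPS is enabled, but runtime lacks %s", flatpak_file_get_path_cached (runtime_fips_backend));`, and weigh whether this silent fallback to the runtime's default policy deserves g_warning so operators can detect it. The function also has no header comment; I would add one stating that it mirrors the host's FIPS mode into the sandbox the way podman does, that only the FIPS policy is propagated (other host crypto policies are ignored, as the commit message says), and that it does nothing when the runtime ships no crypto-policies. Whether the binds under /etc/crypto-policies land on top of the sandbox's /etc as populated earlier in flatpak_run_setup_base_argv cannot be checked from the call-site hunk alone, so that ordering is worth confirming.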
@@ -316,6 +318,10 @@ fi
 %changelog
+* Tue Dec 16 2025 Sebastian Wick - 1.16.0-8
+- Enable FIPS crypto policy if it is enabled on the host
+ Resolves: RHEL-77484
+
 * Mon Oct 13 2025 Jan Grulich - 1.16.0-7
 - Get certificates from /etc/pki/entitlement for registry.redhat.io
 Resolves: RHEL-85004