Compare commits


1 Commits
c8 ... c10-beta

Author SHA1 Message Date
2db8c2549c import RHEL 10 Beta flatpak-1.15.8-2.el10 2024-11-20 13:12:10 +00:00
41 changed files with 884 additions and 11022 deletions


@ -1 +0,0 @@
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/flatpak-1.12.9.tar.xz flatpak-1.15.8.tar.xz


@ -1,61 +0,0 @@
From fbe7a80a9e49ed364af2d7caf5902e3088f54587 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 17:56:21 +0100
Subject: [PATCH] flatpak-bwrap: Add dup-ing variant
flatpak_bwrap_add_args_data_fd_dup
---
common/flatpak-bwrap-private.h | 5 +++++
common/flatpak-bwrap.c | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/common/flatpak-bwrap-private.h b/common/flatpak-bwrap-private.h
index 207d23a0..64bd26b6 100644
--- a/common/flatpak-bwrap-private.h
+++ b/common/flatpak-bwrap-private.h
@@ -62,6 +62,11 @@ void flatpak_bwrap_append_bwrap (FlatpakBwrap *bwrap,
FlatpakBwrap *other); /* Steals the fds */
void flatpak_bwrap_append_args (FlatpakBwrap *bwrap,
GPtrArray *other_array);
+gboolean flatpak_bwrap_add_args_data_fd_dup (FlatpakBwrap *bwrap,
+ const char *op,
+ int fd,
+ const char *path_optional,
+ GError **error);
void flatpak_bwrap_add_args_data_fd (FlatpakBwrap *bwrap,
const char *op,
int fd,
diff --git a/common/flatpak-bwrap.c b/common/flatpak-bwrap.c
index cda0dbfb..1694ffd4 100644
--- a/common/flatpak-bwrap.c
+++ b/common/flatpak-bwrap.c
@@ -141,6 +141,26 @@ flatpak_bwrap_add_fd (FlatpakBwrap *bwrap,
g_array_append_val (bwrap->fds, fd);
}
+gboolean
+flatpak_bwrap_add_args_data_fd_dup (FlatpakBwrap *bwrap,
+ const char *op,
+ int fd,
+ const char *path_optional,
+ GError **error)
+{
+ glnx_autofd int fd_dup = -1;
+
+ fd_dup = fcntl (fd, F_DUPFD_CLOEXEC, 3);
+ if (fd_dup < 0)
+ return glnx_throw_errno_prefix (error, "Failed to dup fd %d", fd);
+
+ flatpak_bwrap_add_args_data_fd (bwrap,
+ op,
+ g_steal_fd (&fd_dup),
+ path_optional);
+ return TRUE;
+}
+
void
flatpak_bwrap_add_arg_printf (FlatpakBwrap *bwrap, const char *format, ...)
{
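Review bot: The new `flatpak_bwrap_add_args_data_fd_dup` has no comment saying who owns `fd` after the call, while the neighbouring prototype for `flatpak_bwrap_append_bwrap` is annotated `/* Steals the fds */`. The body duplicates with `F_DUPFD_CLOEXEC` and passes only the copy to `flatpak_bwrap_add_args_data_fd`, so the caller still owns the original and must close it. I would state that on the prototype, e.g. `/* Dups fd; the caller keeps ownership of the original */`. A short comment on the literal `3` (it keeps the duplicate out of the stdin/stdout/stderr range) would help as well.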
--
2.54.0


@ -1,34 +0,0 @@
From 5096a974bcba5dfeddaea197b2ac63f558100858 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 8 Apr 2026 09:44:55 +0100
Subject: [PATCH] run: Mount original app on /run/parent/app when using
--app-path=""
Before addressing CVE-2026-34078, we would always mount the original app
*somewhere*, either /app (in the normal case) or /run/parent/app (when
using a custom or empty /app for the subsandbox). The empty-app case
regressed during the fix for CVE-2026-34078; bring back previous behaviour.
Fixes: ac62ebe3 "run: Use O_PATH fds for the runtime and app deploy directories"
Resolves: https://github.com/flatpak/flatpak/issues/6568
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit fde4716f67b6620da57fd74481694eb58795d589)
---
common/flatpak-run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 4ffc5fa3..a80d0050 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4476,6 +4476,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
}
else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_APP_EMPTY)
{
+ original_app_target_path = "/run/parent/app";
app_fd = -1;
app_files = NULL;
}
--
2.54.0


@ -1,31 +0,0 @@
From d05aeb399ba56e46ab3b7b4eed3669ab98a0df56 Mon Sep 17 00:00:00 2001
From: Alberto Garcia <berto@igalia.com>
Date: Wed, 8 Apr 2026 19:28:32 +0200
Subject: [PATCH] portal: update max_fd after creating the instance ID pipe
fd_map_remap_fd() is called several times after this, and without this
change it can allocate a target fd that collides with instance_id_fd.
Only the write end of the pipe needs to be considered because that's
the one passed to the child.
Closes: https://github.com/flatpak/flatpak/issues/6570
---
portal/flatpak-portal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index a4378f77..3110071c 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -1075,6 +1075,7 @@ handle_spawn (PortalFlatpak *object,
g_ptr_array_add (flatpak_argv, g_strdup_printf ("--instance-id-fd=%d", pipe_fds[1]));
child_setup_data.instance_id_fd = pipe_fds[1];
+ max_fd = MAX(max_fd, pipe_fds[1]);
}
if (devel)
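Review bot: The added `max_fd = MAX(max_fd, pipe_fds[1]);` carries no comment, so the reason for it exists only in the commit message. A missed update here lets `fd_map_remap_fd()` choose a target number that collides with `instance_id_fd`, so I would add `/* keep later fd_map_remap_fd() calls from reusing instance_id_fd as a target */` above the line. `handle_spawn` continues outside the hunk, so it cannot be checked from here whether other descriptors created after `max_fd` is first computed need the same treatment.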
--
2.54.0


@ -1,122 +0,0 @@
From 559c415b517c2533cf6b7294fb3f4cf99ed8e2ae Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Wed, 8 Apr 2026 17:47:48 +0200
Subject: [PATCH] run: Fix fd tracking in flatpak_run_add_app_info_args
Calls to flatpak_bwrap_add_args_data_fd take ownership over the fd they
take. Closing them while they are still in the bwrap struct will abort
later when the bwrap struct gets freed and it tries to close the already
closed fd.
Fix this by using glnx_autofd and g_steal_fd.
---
common/flatpak-run.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index a80d0050..a11e26d6 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2602,13 +2602,17 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
gboolean build,
gboolean devel,
char **app_info_path_out,
- int instance_id_fd,
+ int instance_id_fd_arg,
char **instance_id_host_dir_out,
GError **error)
{
g_autofree char *info_path = NULL;
g_autofree char *bwrapinfo_path = NULL;
- int fd, fd2, fd3;
+ glnx_autofd int fd1 = -1;
+ glnx_autofd int fd2 = -1;
+ glnx_autofd int fd3 = -1;
+ int info_fd;
+ glnx_autofd int instance_id_fd = instance_id_fd_arg;
g_autoptr(GKeyFile) keyfile = NULL;
g_autofree char *runtime_path = NULL;
const char *group;
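Review bot: With `glnx_autofd int instance_id_fd = instance_id_fd_arg;` the function now closes the caller's descriptor on every return path, but nothing at the signature says that ownership moves. The `flatpak_run_app` hunk of this patch adapts with `g_steal_fd (&instance_id_fd)`; any other caller that still closes the descriptor itself would close it twice, and the second close could hit an unrelated descriptor that has reused the number. I would document this above the function, e.g. `/* Takes ownership of instance_id_fd_arg and closes it, also on error */`. The function body continues outside this hunk.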
@@ -2754,8 +2758,8 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
This way even if the bind-mount is unmounted we can find the real data.
*/
- fd = open (info_path, O_RDONLY);
- if (fd == -1)
+ fd1 = info_fd = open (info_path, O_RDONLY);
+ if (fd1 == -1)
{
int errsv = errno;
g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errsv),
@@ -2766,7 +2770,6 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
fd2 = open (info_path, O_RDONLY);
if (fd2 == -1)
{
- close (fd);
int errsv = errno;
g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errsv),
_("Failed to open flatpak-info file: %s"), g_strerror (errsv));
@@ -2774,9 +2777,9 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
}
flatpak_bwrap_add_args_data_fd (bwrap,
- "--file", fd, "/.flatpak-info");
+ "--file", g_steal_fd (&fd1), "/.flatpak-info");
flatpak_bwrap_add_args_data_fd (bwrap,
- "--ro-bind-data", fd2, "/.flatpak-info");
+ "--ro-bind-data", g_steal_fd (&fd2), "/.flatpak-info");
/* Tell the application that it's running under Flatpak in a generic way. */
flatpak_bwrap_add_args (bwrap,
@@ -2793,8 +2796,6 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
fd3 = open (bwrapinfo_path, O_RDWR | O_CREAT, 0644);
if (fd3 == -1)
{
- close (fd);
- close (fd2);
int errsv = errno;
g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errsv),
_("Failed to open bwrapinfo.json file: %s"), g_strerror (errsv));
@@ -2817,10 +2818,6 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
if (errsv == EINTR)
continue;
- close (fd);
- close (fd2);
- close (fd3);
-
g_set_error (error, G_IO_ERROR, g_io_error_from_errno (errsv),
_("Failed to write to instance id fd: %s"), g_strerror (errsv));
return FALSE;
@@ -2830,13 +2827,14 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
instance_id_size -= bytes_written;
}
- close (instance_id_fd);
+ /* explicitly close this as soon as we're done to notify the other side */
+ g_clear_fd (&instance_id_fd, NULL);
}
- flatpak_bwrap_add_args_data_fd (bwrap, "--info-fd", fd3, NULL);
+ flatpak_bwrap_add_args_data_fd (bwrap, "--info-fd", g_steal_fd (&fd3), NULL);
if (app_info_path_out != NULL)
- *app_info_path_out = g_strdup_printf ("/proc/self/fd/%d", fd);
+ *app_info_path_out = g_strdup_printf ("/proc/self/fd/%d", info_fd);
if (instance_id_host_dir_out != NULL)
*instance_id_host_dir_out = g_steal_pointer (&instance_id_host_dir);
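Review bot: `*app_info_path_out` is built from `info_fd`, a plain copy of the number that `g_steal_fd (&fd1)` handed to `bwrap` in an earlier hunk of this patch, so the `/proc/self/fd/%d` path is only meaningful while `bwrap` keeps that descriptor open. This matches the old behaviour with `fd`, but the new split between `fd1` and `info_fd` makes the dependency easy to miss. A comment next to the assignment would record it, e.g. `/* info_fd is owned by bwrap from here on; the path is valid only while bwrap holds it */`. The rest of the function lies outside the hunk.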
@@ -4697,7 +4695,9 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
app_id, flatpak_decomposed_get_branch (app_ref),
runtime_ref, app_id_dir, app_context, extra_context,
sandboxed, FALSE, flags & FLATPAK_RUN_FLAG_DEVEL,
- &app_info_path, instance_id_fd, &instance_id_host_dir,
+ &app_info_path,
+ g_steal_fd (&instance_id_fd),
+ &instance_id_host_dir,
error))
return FALSE;
--
2.54.0


@ -1,28 +0,0 @@
From 9462b0f980aa0718a41601aaa87125f545c424eb Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Wed, 8 Apr 2026 18:15:42 +0200
Subject: [PATCH] utils: Improve error message when passing an FD numer which
is not a FD
---
common/flatpak-utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index c2015941..938d8131 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9205,8 +9205,8 @@ flatpak_parse_fd (const char *fd_string,
fd = (int) parsed;
- if (!glnx_fstat (fd, &stbuf, error))
- return -1;
+ if (!glnx_fstat (fd, &stbuf, NULL))
+ return glnx_fd_throw (error, "Not an open file descriptor: %d", fd);
return fd;
}
--
2.54.0


@ -1,32 +0,0 @@
From 9e145899fe0a28ce79d905b5efabc253b5c8050b Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Wed, 8 Apr 2026 18:14:19 +0200
Subject: [PATCH] run: Do not close --bind/--ro-bind
---
app/flatpak-builtins-run.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index 7edd7326..701e3454 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -82,6 +82,7 @@ option_bind_fd_cb (const char *option_name,
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
g_array_append_val (opt_bind_fds, fd);
+ fd = -1; /* ownership transferred to GArray */
return TRUE;
}
@@ -101,6 +102,7 @@ option_ro_bind_fd_cb (const char *option_name,
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
g_array_append_val (opt_ro_bind_fds, fd);
+ fd = -1; /* ownership transferred to GArray */
return TRUE;
}
--
2.54.0


@ -1,95 +0,0 @@
From 8708ab052d884cc84e6e71ea012e8d11eba41982 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Wed, 8 Apr 2026 18:19:20 +0200
Subject: [PATCH] run: Use the same FD validation for all FD options
---
app/flatpak-builtins-run.c | 63 ++++++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index 701e3454..d97dc0bf 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -106,6 +106,63 @@ option_ro_bind_fd_cb (const char *option_name,
return TRUE;
}
+static gboolean
+opt_instance_id_fd_cb (const char *option_name,
+ const char *value,
+ gpointer data,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
+
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+
+ opt_instance_id_fd = g_steal_fd (&fd);
+ return TRUE;
+}
+
+static gboolean
+opt_app_fd_cb (const char *option_name,
+ const char *value,
+ gpointer data,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
+
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+
+ opt_app_fd = g_steal_fd (&fd);
+ return TRUE;
+}
+
+static gboolean
+opt_usr_fd_cb (const char *option_name,
+ const char *value,
+ gpointer data,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
+
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+
+ opt_usr_fd = g_steal_fd (&fd);
+ return TRUE;
+}
+
static GOptionEntry options[] = {
{ "arch", 0, 0, G_OPTION_ARG_STRING, &opt_arch, N_("Arch to use"), N_("ARCH") },
{ "command", 0, 0, G_OPTION_ARG_STRING, &opt_command, N_("Command to run"), N_("COMMAND") },
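Review bot: In `opt_instance_id_fd_cb`, `opt_app_fd_cb` and `opt_usr_fd_cb` the `fd < 3` rejection returns while the `glnx_autofd` variable still holds 0, 1 or 2, so the cleanup closes stdin, stdout or stderr on the way out. Closing stderr there can also swallow the "File descriptors 0, 1, 2 are reserved" message itself. Setting `fd = -1;` before the `glnx_throw`, or parsing into a plain `int` and moving it into the auto-closing variable only after the range check, avoids that. `option_env_fd_cb` in the "utils: Add flatpak_parse_fd" patch on this page has the same shape. The three callbacks are otherwise identical, so one static helper taking the destination `int *` would keep them from drifting apart.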
@@ -130,11 +187,11 @@ static GOptionEntry options[] = {
{ "parent-pid", 0, 0, G_OPTION_ARG_INT, &opt_parent_pid, N_("Use PID as parent pid for sharing namespaces"), N_("PID") },
{ "parent-expose-pids", 0, 0, G_OPTION_ARG_NONE, &opt_parent_expose_pids, N_("Make processes visible in parent namespace"), NULL },
{ "parent-share-pids", 0, 0, G_OPTION_ARG_NONE, &opt_parent_share_pids, N_("Share process ID namespace with parent"), NULL },
- { "instance-id-fd", 0, 0, G_OPTION_ARG_INT, &opt_instance_id_fd, N_("Write the instance ID to the given file descriptor"), NULL },
+ { "instance-id-fd", 0, 0, G_OPTION_ARG_CALLBACK, &opt_instance_id_fd_cb, N_("Write the instance ID to the given file descriptor"), NULL },
{ "app-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_app_path, N_("Use PATH instead of the app's /app"), N_("PATH") },
- { "app-fd", 0, 0, G_OPTION_ARG_INT, &opt_app_fd, N_("Use FD instead of the app's /app"), N_("FD") },
+ { "app-fd", 0, 0, G_OPTION_ARG_CALLBACK, &opt_app_fd_cb, N_("Use FD instead of the app's /app"), N_("FD") },
{ "usr-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_usr_path, N_("Use PATH instead of the runtime's /usr"), N_("PATH") },
- { "usr-fd", 0, 0, G_OPTION_ARG_INT, &opt_usr_fd, N_("Use FD instead of the runtime's /usr"), N_("FD") },
+ { "usr-fd", 0, 0, G_OPTION_ARG_INT, &opt_usr_fd_cb, N_("Use FD instead of the runtime's /usr"), N_("FD") },
{ "bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_bind_fd_cb, N_("Bind mount the file or directory referred to by FD to its canonicalized path"), N_("FD") },
{ "ro-bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_ro_bind_fd_cb, N_("Bind mount the file or directory referred to by FD read-only to its canonicalized path"), N_("FD") },
{ NULL }
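Review bot: The new `usr-fd` entry pairs `G_OPTION_ARG_INT` with `&opt_usr_fd_cb`, unlike the `instance-id-fd` and `app-fd` entries, which were switched to `G_OPTION_ARG_CALLBACK`. With `G_OPTION_ARG_INT`, GOption treats the data pointer as an `int *`, so passing `--usr-fd` would store the parsed number at the function's address, and the validation in `opt_usr_fd_cb` would never run or set `opt_usr_fd`. The entry should read `{ "usr-fd", 0, 0, G_OPTION_ARG_CALLBACK, &opt_usr_fd_cb, ...`. The later "run: Fix backport mistake" patch on this page makes exactly that correction, so the two patches have to be carried together.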
--
2.54.0


@ -1,101 +0,0 @@
From 3469414dbb068f770b594e6a3f47cd143aff6172 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Wed, 8 Apr 2026 21:59:19 +0200
Subject: [PATCH] run: Add bind-fd and ro-bind-fd binds after all other binds
This is only moving it a bit down because
flatpak_run_add_environment_args still adds a whole bunch of binds which
then can over-mount the user requested binds (bind-fd, ro-bind-fd).
---
common/flatpak-run.c | 68 ++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index a11e26d6..58b96dc1 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4720,40 +4720,6 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
flatpak_bwrap_add_arg_printf (bwrap, "/run/user/%d", getuid ());
}
- for (i = 0; bind_fds && i < bind_fds->len; i++)
- {
- int fd = g_array_index (bind_fds, int, i);
- g_autofree char *path = NULL;
-
- /* We get the path the fd refers to, to determine to mount point
- * destination inside the sandbox */
- path = get_path_for_fd (fd, error);
- if (!path)
- return FALSE;
-
- if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
- "--bind-fd", fd, path,
- error))
- return FALSE;
- }
-
- for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++)
- {
- int fd = g_array_index (ro_bind_fds, int, i);
- g_autofree char *path = NULL;
-
- /* We get the path the fd refers to, to determine to mount point
- * destination inside the sandbox */
- path = get_path_for_fd (fd, error);
- if (!path)
- return FALSE;
-
- if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
- "--ro-bind-fd", fd, path,
- error))
- return FALSE;
- }
-
if (!flatpak_run_add_dconf_args (bwrap, app_id, metakey, error))
return FALSE;
@@ -4789,6 +4755,40 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
"--symlink", "/usr/lib/debug/source", "/run/build-runtime",
NULL);
+ for (i = 0; bind_fds && i < bind_fds->len; i++)
+ {
+ int fd = g_array_index (bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
+ for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++)
+ {
+ int fd = g_array_index (ro_bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
if (cwd)
flatpak_bwrap_add_args (bwrap, "--chdir", cwd, NULL);
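Review bot: The two loops land at their new position without a comment saying they must stay after every other bind, so the ordering requirement from the commit message is easy to undo in a later refactor. I would put `/* Keep last among the binds: anything added later could over-mount these user-requested mounts */` above the first loop. The loops differ only in the array and in the `--bind-fd` / `--ro-bind-fd` string, so a small static helper taking both would remove the duplication. Each destination is whatever `get_path_for_fd` reports, so it is also worth confirming, outside this hunk, that running last does not let such a path cover mounts the sandbox itself set up earlier.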
--
2.54.0


@ -1,38 +0,0 @@
From dd0a1c25299907b69085aae0fab32becbfca884e Mon Sep 17 00:00:00 2001
From: Alberto Garcia <berto@igalia.com>
Date: Wed, 8 Apr 2026 19:44:29 +0200
Subject: [PATCH] portal: use g_array_index() to read from expose_fds /
expose_fds_ro
The data field of a GArray is a gchar* but we're storing integers
here, so use the proper method to ensure that we're getting the
element at the right offset and with the correct type.
---
portal/flatpak-portal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index 3110071c..59a17b2b 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -1219,7 +1219,7 @@ handle_spawn (PortalFlatpak *object,
{
int remapped_fd;
- remapped_fd = fd_map_remap_fd (fd_map, &max_fd, expose_fds->data[i]);
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, g_array_index (expose_fds, int, i));
g_ptr_array_add (flatpak_argv, g_strdup_printf ("--bind-fd=%d",
remapped_fd));
@@ -1229,7 +1229,7 @@ handle_spawn (PortalFlatpak *object,
{
int remapped_fd;
- remapped_fd = fd_map_remap_fd (fd_map, &max_fd, expose_fds_ro->data[i]);
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, g_array_index (expose_fds_ro, int, i));
g_ptr_array_add (flatpak_argv, g_strdup_printf ("--ro-bind-fd=%d",
remapped_fd));
--
2.54.0


@ -1,28 +0,0 @@
From 37a73712d0e5b20d31fd1a1bd4df1b66e53b32ee Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Thu, 9 Apr 2026 00:56:40 +0200
Subject: [PATCH] run: Fix backport mistake
Not even sure how this happened. Whoops. It's time to get some sleep.
Fixes: c89a0c50 ("run: Use the same FD validation for all FD options")
---
app/flatpak-builtins-run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index d97dc0bf..e174848e 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -191,7 +191,7 @@ static GOptionEntry options[] = {
{ "app-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_app_path, N_("Use PATH instead of the app's /app"), N_("PATH") },
{ "app-fd", 0, 0, G_OPTION_ARG_CALLBACK, &opt_app_fd_cb, N_("Use FD instead of the app's /app"), N_("FD") },
{ "usr-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_usr_path, N_("Use PATH instead of the runtime's /usr"), N_("PATH") },
- { "usr-fd", 0, 0, G_OPTION_ARG_INT, &opt_usr_fd_cb, N_("Use FD instead of the runtime's /usr"), N_("FD") },
+ { "usr-fd", 0, 0, G_OPTION_ARG_CALLBACK, &opt_usr_fd_cb, N_("Use FD instead of the runtime's /usr"), N_("FD") },
{ "bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_bind_fd_cb, N_("Bind mount the file or directory referred to by FD to its canonicalized path"), N_("FD") },
{ "ro-bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_ro_bind_fd_cb, N_("Bind mount the file or directory referred to by FD read-only to its canonicalized path"), N_("FD") },
{ NULL }
--
2.54.0


@ -1,100 +0,0 @@
From dc40c215b8678a5eabdb3b3ff8556d29c67f8fde Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 18:45:04 +0100
Subject: [PATCH] run: Cope with an empty runtime
When FlatpakDir runs extra-data helpers in apply_extra_data(),
if the helper is statically linked, it might not need a runtime at all.
For example the helper for openh264 falls into this category.
Fixes: ac62ebe3 "run: Use O_PATH fds for the runtime and app deploy directories"
Helps: https://github.com/flatpak/flatpak/issues/6583
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit aa1a54c9dae25fd13ebc936e06996f8db39f4aa5)
---
common/flatpak-run.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 58b96dc1..bd6536ac 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2842,6 +2842,10 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
return TRUE;
}
+/*
+ * @runtime_fd: the /usr for the runtime, or -1 if running with no runtime,
+ * perhaps to unpack extra-data
+ */
static void
add_tzdata_args (FlatpakBwrap *bwrap,
int runtime_fd)
@@ -2853,14 +2857,19 @@ add_tzdata_args (FlatpakBwrap *bwrap,
g_autofree char *runtime_zoneinfo = NULL;
g_autoptr(GError) error = NULL;
+ g_return_if_fail (runtime_fd >= -1);
+
raw_timezone = flatpak_get_timezone ();
timezone_content = g_strdup_printf ("%s\n", raw_timezone);
localtime_content = g_strconcat ("../usr/share/zoneinfo/", raw_timezone, NULL);
- zoneinfo_fd = glnx_chaseat (runtime_fd, "share/zoneinfo",
- GLNX_CHASE_RESOLVE_BENEATH |
- GLNX_CHASE_MUST_BE_DIRECTORY,
- NULL);
+ if (runtime_fd >= 0)
+ {
+ zoneinfo_fd = glnx_chaseat (runtime_fd, "share/zoneinfo",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_DIRECTORY,
+ NULL);
+ }
runtime_zoneinfo = g_strconcat ("share/zoneinfo/", raw_timezone, NULL);
@@ -3370,6 +3379,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
}
#endif
+/*
+ * @runtime_fd: the /usr for the runtime, or -1 if running with no runtime,
+ * perhaps to unpack extra-data
+ */
static void
flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
int runtime_fd,
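Review bot: The comment added above `flatpak_run_setup_usr_links` says `runtime_fd` may be -1, but no guard for that value is visible here, unlike in `add_tzdata_args` and `flatpak_run_setup_base_argv` in this same patch. The body lies outside the hunk, so this may already be handled. If it is not, an early `if (runtime_fd < 0) return;` before the descriptor is first used would make the code match the documented contract.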
@@ -3423,6 +3436,10 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
}
}
+/*
+ * @runtime_fd: the /usr for the runtime, or -1 if running with no runtime,
+ * perhaps to unpack extra-data
+ */
gboolean
flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
int runtime_fd,
@@ -3439,6 +3456,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
gulong pers;
gid_t gid = getgid ();
+ g_return_val_if_fail (runtime_fd >= -1, FALSE);
+
run_dir = g_strdup_printf ("/run/user/%d", getuid ());
passwd_contents = g_strdup_printf ("%s:x:%d:%d:%s:%s:%s\n"
@@ -3512,7 +3531,8 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
else if (g_file_test ("/var/lib/dbus/machine-id", G_FILE_TEST_EXISTS))
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/var/lib/dbus/machine-id", "/etc/machine-id", NULL);
- if ((flags & FLATPAK_RUN_FLAG_WRITABLE_ETC) == 0)
+ if (runtime_fd >= 0
+ && (flags & FLATPAK_RUN_FLAG_WRITABLE_ETC) == 0)
{
g_auto(GLnxDirFdIterator) dfd_iter = { 0, };
struct dirent *dent;
--
2.54.0


@ -1,94 +0,0 @@
From 8ce576a3b950d6ab735a5e049342d91b36685f94 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 17:14:49 +0100
Subject: [PATCH] utils: Add flatpak_parse_fd
This is meant to parse file descriptor strings passed via the command
line. It is not a security mechanism and will happily accept fds 0-3 as
well.
---
common/flatpak-context.c | 19 +++++++------------
common/flatpak-utils-private.h | 3 +++
common/flatpak-utils.c | 22 ++++++++++++++++++++++
3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..992243e3 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1304,21 +1304,16 @@ option_env_fd_cb (const gchar *option_name,
GError **error)
{
FlatpakContext *context = data;
- guint64 fd;
- gchar *endptr;
- gboolean ret;
+ glnx_autofd int fd = -1;
- fd = g_ascii_strtoull (value, &endptr, 10);
-
- if (endptr == NULL || *endptr != '\0' || fd > G_MAXINT)
- return glnx_throw (error, "Not a valid file descriptor: %s", value);
-
- ret = flatpak_context_parse_env_fd (context, (int) fd, error);
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
- if (fd >= 3)
- close (fd);
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- return ret;
+ return flatpak_context_parse_env_fd (context, fd, error);
}
static gboolean
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index f79b22c8..754fe412 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -927,6 +927,9 @@ void flatpak_print_escaped_string (const char *s,
gboolean flatpak_validate_path_characters (const char *path,
GError **error);
+int flatpak_parse_fd (const char *fd_string,
+ GError **error);
+
#define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485"
#endif /* __FLATPAK_UTILS_H__ */
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 0ab84064..c2015941 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9188,3 +9188,25 @@ flatpak_validate_path_characters (const char *path,
return TRUE;
}
+
+int
+flatpak_parse_fd (const char *fd_string,
+ GError **error)
+{
+ guint64 parsed;
+ char *endptr;
+ int fd;
+ struct stat stbuf;
+
+ parsed = g_ascii_strtoull (fd_string, &endptr, 10);
+
+ if (endptr == NULL || *endptr != '\0' || parsed > G_MAXINT)
+ return glnx_fd_throw (error, "Not a valid file descriptor: %s", fd_string);
+
+ fd = (int) parsed;
+
+ if (!glnx_fstat (fd, &stbuf, error))
+ return -1;
+
+ return fd;
+}
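Review bot: `flatpak_parse_fd` accepts an empty string as descriptor 0, because `g_ascii_strtoull` then consumes nothing, returns 0 and leaves `endptr` pointing at the terminating NUL, which passes the `*endptr != '\0'` test. The `endptr == NULL` comparison does not catch this case; the check should compare against the start of the input, `if (endptr == fd_string || *endptr != '\0' || parsed > G_MAXINT)`. The callers shown on this page reject values below 3 afterwards, which limits the effect, but the helper is documented as a general parser and should not report success for input with no digits.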
--
2.54.0


@ -1,44 +0,0 @@
From 630fcba57765ac64a0cebc31257e63a5bc530961 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 18:47:40 +0100
Subject: [PATCH] dir: In apply_extra_data(), don't assume there is always a
runtime
org.freedesktop.Platform.openh264 is one example of an extension that
runs a statically-linked extra-data helper, with no runtime. Only open
the runtime if there is one.
Fixes: ac62ebe3 "run: Use O_PATH fds for the runtime and app deploy directories"
Resolves: https://github.com/flatpak/flatpak/issues/6583
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c14ad3722940706730a76997c6925f9998106f90)
---
common/flatpak-dir.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 94d2d4f2..adc9bf62 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -8015,10 +8015,14 @@ apply_extra_data (FlatpakDir *self,
NULL);
glnx_autofd int usr_fd = -1;
- usr_fd = open (flatpak_file_get_path_cached (runtime_files),
- O_PATH | O_CLOEXEC | O_NOFOLLOW);
- if (usr_fd < 0)
- return glnx_throw_errno_prefix (error, "Failed to open runtime files");
+
+ if (runtime_files != NULL)
+ {
+ usr_fd = open (flatpak_file_get_path_cached (runtime_files),
+ O_PATH | O_CLOEXEC | O_NOFOLLOW);
+ if (usr_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open runtime files");
+ }
if (!flatpak_run_setup_base_argv (bwrap, usr_fd, NULL, runtime_arch,
/* Might need multiarch in apply_extra (see e.g. #3742). Should be pretty safe in this limited context */
--
2.54.0


@ -1,52 +0,0 @@
From 0ac58a6734a3d5f6a0445cfe3310596e382c092b Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 10 Apr 2026 09:58:05 +0100
Subject: [PATCH] utils: Add flatpak_set_cloexec()
Helps: https://github.com/flatpak/flatpak/issues/6582
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 8a989c790d9121f53ada88fd001a3997b9e40632)
---
common/flatpak-utils-private.h | 2 ++
common/flatpak-utils.c | 17 +++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index 754fe412..fd819c71 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -932,4 +932,6 @@ int flatpak_parse_fd (const char *fd_string,
#define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485"
+gboolean flatpak_set_cloexec (int fd);
+
#endif /* __FLATPAK_UTILS_H__ */
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 938d8131..446b3325 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9210,3 +9210,20 @@ flatpak_parse_fd (const char *fd_string,
return fd;
}
+
+/* Sets errno on failure. */
+gboolean
+flatpak_set_cloexec (int fd)
+{
+ int flags = fcntl (fd, F_GETFD);
+
+ if (flags == -1)
+ return FALSE;
+
+ flags |= FD_CLOEXEC;
+
+ if (fcntl (fd, F_SETFD, flags) < 0)
+ return FALSE;
+
+ return TRUE;
+}
--
2.54.0


@ -1,102 +0,0 @@
From 5807aa3d7712d2fb5c294056dd90431cd863fded Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 10 Apr 2026 10:07:14 +0100
Subject: [PATCH] run, context: Mark fd arguments as close-on-exec
On entry to `flatpak run`, these fds have been inheritable (not
FD_CLOEXEC), otherwise they would not have been inherited; but we don't
want the "payload" command to inherit them, so set them as
non-close-on-exec as soon as we receive them. In the cases where we pass
them down to the underlying bwrap command, we'll either dup them, or
set them to be inheritable again (in practice we dup them).
In particular, Chromium-derived web browsers get very upset when their
subsandbox processes inherit unexpected fds, which has been causing crashes
with no useful diagnostic information since CVE-2026-34078 was fixed.
Fixes: 1b5e886d "run: Add --usr-fd and --app-fd options"
Fixes: b5ae89ed "run: Add --(ro-)bind-fd options"
Resolves: https://github.com/flatpak/flatpak/issues/6582
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 0902090726c2e51b1c6f22c64d708a4895a196e7)
---
app/flatpak-builtins-run.c | 15 +++++++++++++++
common/flatpak-context.c | 8 ++++++++
2 files changed, 23 insertions(+)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index e174848e..cc69423e 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -81,6 +81,9 @@ option_bind_fd_cb (const char *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--bind-fd");
+
g_array_append_val (opt_bind_fds, fd);
fd = -1; /* ownership transferred to GArray */
return TRUE;
@@ -101,6 +104,9 @@ option_ro_bind_fd_cb (const char *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--ro-bind-fd");
+
g_array_append_val (opt_ro_bind_fds, fd);
fd = -1; /* ownership transferred to GArray */
return TRUE;
@@ -121,6 +127,9 @@ opt_instance_id_fd_cb (const char *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--instance-id-fd");
+
opt_instance_id_fd = g_steal_fd (&fd);
return TRUE;
}
@@ -140,6 +149,9 @@ opt_app_fd_cb (const char *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--app-fd");
+
opt_app_fd = g_steal_fd (&fd);
return TRUE;
}
@@ -159,6 +171,9 @@ opt_usr_fd_cb (const char *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--usr-fd");
+
opt_usr_fd = g_steal_fd (&fd);
return TRUE;
}
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 992243e3..3ff4ac16 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1313,6 +1313,14 @@ option_env_fd_cb (const gchar *option_name,
if (fd < 3)
return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ /* This is not strictly necessary, because we're going to close it after
+ * parsing the environment block, but let's be consistent with other fd
+ * arguments that we need to avoid being inherited by the "payload"
+ * command. This is also a convenient place to validate that it's an
+ * open fd. */
+ if (!flatpak_set_cloexec (fd))
+ return glnx_throw_errno_prefix (error, "--env-fd");
+
return flatpak_context_parse_env_fd (context, fd, error);
}
--
2.54.0


@ -1,179 +0,0 @@
From 5bd5827412a440b074f9f79ae34073e2554ad76c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 20:06:18 +0100
Subject: [PATCH] utils: Move flatpak_get_path_for_fd to here
This was originally in flatpak-portal, then was duplicated into
flatpak-run in commit ac62ebe3 "run: Use O_PATH fds for the runtime and
app deploy directories", and subsequently removed from the portal in
commit 3c500145 "portal: Use --bind-fd, --app-fd and --usr-fd options to
avoid races". Now we want to use it in the portal again.
Helps: https://github.com/flatpak/flatpak/issues/6584
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 15dc818874514ffbece4c080405353ed396b54a9)
---
common/flatpak-run.c | 44 +++---------------------------
common/flatpak-utils-private.h | 3 ++
common/flatpak-utils.c | 50 ++++++++++++++++++++++++++++++++++
3 files changed, 57 insertions(+), 40 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index bd6536ac..8ce6978c 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4108,42 +4108,6 @@ check_sudo (GError **error)
return TRUE;
}
-static char *
-get_path_for_fd (int fd,
- GError **error)
-{
- g_autofree char *proc_path = NULL;
- g_autofree char *path = NULL;
-
- proc_path = g_strdup_printf ("/proc/self/fd/%d", fd);
- path = glnx_readlinkat_malloc (AT_FDCWD, proc_path, NULL, error);
- if (path == NULL)
- return NULL;
-
- /* All normal paths start with /, but some weird things
- don't, such as socket:[27345] or anon_inode:[eventfd].
- We don't support any of these */
- if (path[0] != '/')
- {
- return glnx_null_throw (error, "%s resolves to non-absolute path %s",
- proc_path, path);
- }
-
- /* File descriptors to actually deleted files have " (deleted)"
- appended to them. This also happens to some fake fd types
- like shmem which are "/<name> (deleted)". All such
- files are considered invalid. Unfortunately this also
- matches files with filenames that actually end in " (deleted)",
- but there is not much to do about this. */
- if (g_str_has_suffix (path, " (deleted)"))
- {
- return glnx_null_throw (error, "%s resolves to deleted path %s",
- proc_path, path);
- }
-
- return g_steal_pointer (&path);
-}
-
gboolean
flatpak_run_app (FlatpakDecomposed *app_ref,
FlatpakDeploy *app_deploy,
@@ -4354,7 +4318,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
{
g_autofree char *path = NULL;
- path = get_path_for_fd (custom_runtime_fd, &my_error);
+ path = flatpak_get_path_for_fd (custom_runtime_fd, &my_error);
if (path == NULL)
{
return flatpak_fail_error (error, FLATPAK_ERROR,
@@ -4476,7 +4440,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
{
g_autofree char *path = NULL;
- path = get_path_for_fd (custom_app_fd, error);
+ path = flatpak_get_path_for_fd (custom_app_fd, error);
if (path == NULL)
return glnx_prefix_error (error, "Cannot convert custom app fd to path");
@@ -4782,7 +4746,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
/* We get the path the fd refers to, to determine to mount point
* destination inside the sandbox */
- path = get_path_for_fd (fd, error);
+ path = flatpak_get_path_for_fd (fd, error);
if (!path)
return FALSE;
@@ -4799,7 +4763,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
/* We get the path the fd refers to, to determine to mount point
* destination inside the sandbox */
- path = get_path_for_fd (fd, error);
+ path = flatpak_get_path_for_fd (fd, error);
if (!path)
return FALSE;
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index fd819c71..efe8eb2b 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -930,6 +930,9 @@ gboolean flatpak_validate_path_characters (const char *path,
int flatpak_parse_fd (const char *fd_string,
GError **error);
+char * flatpak_get_path_for_fd (int fd,
+ GError **error);
+
#define FLATPAK_MESSAGE_ID "c7b39b1e006b464599465e105b361485"
gboolean flatpak_set_cloexec (int fd);
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 446b3325..6f09fa09 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9227,3 +9227,53 @@ flatpak_set_cloexec (int fd)
return TRUE;
}
+
+/*
+ * Attempt to discover the filesystem path corresponding to @fd.
+ *
+ * If @fd points to an existing file, return the absolute path of that
+ * file in the environment where it was opened. Note that this is not
+ * necessarily a valid path in the current namespace, if it was
+ * transferred via fd-passing from a process in a different filesystem
+ * namespace.
+ *
+ * If @fd points to a deleted file, or to a socket, fifo, memfd or similar
+ * non-filesystem object, set an error and return %NULL.
+ *
+ * Returns: (type filename) (transfer full) (nullable):
+ */
+char *
+flatpak_get_path_for_fd (int fd,
+ GError **error)
+{
+ g_autofree char *proc_path = NULL;
+ g_autofree char *path = NULL;
+
+ proc_path = g_strdup_printf ("/proc/self/fd/%d", fd);
+ path = glnx_readlinkat_malloc (AT_FDCWD, proc_path, NULL, error);
+ if (path == NULL)
+ return NULL;
+
+ /* All normal paths start with /, but some weird things
+ don't, such as socket:[27345] or anon_inode:[eventfd].
+ We don't support any of these */
+ if (path[0] != '/')
+ {
+ return glnx_null_throw (error, "%s resolves to non-absolute path %s",
+ proc_path, path);
+ }
+
+ /* File descriptors to actually deleted files have " (deleted)"
+ appended to them. This also happens to some fake fd types
+ like shmem which are "/<name> (deleted)". All such
+ files are considered invalid. Unfortunately this also
+ matches files with filenames that actually end in " (deleted)",
+ but there is not much to do about this. */
+ if (g_str_has_suffix (path, " (deleted)"))
+ {
+ return glnx_null_throw (error, "%s resolves to deleted path %s",
+ proc_path, path);
+ }
+
+ return g_steal_pointer (&path);
+}
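Review bot: The doc comment on flatpak_get_path_for_fd should say that the returned string is only a snapshot of the `/proc/self/fd` link, not a handle on the file. The name can stop matching the file between this call and any later use, and the function's own comment admits that a real file name ending in ` (deleted)` is misreported. I would add a sentence such as `Callers must keep using @fd for access and treat the result only as a name, re-checking st_dev/st_ino if they reopen it.` The comment also lacks `@fd:` and `@error:` entries and any description after `Returns:`.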
--
2.54.0


@ -1,66 +0,0 @@
From 0663652213e742df38528f6c929789189831d40a Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 20:16:16 +0100
Subject: [PATCH] portal: Avoid crash if sandbox-expose-[ro-]fd is out of range
If the handle is not in the range `0 <= handle < fds_len`, but no
GError is set, we'd have crashed when we dereferenced error->message.
Instead, log an error and early-return, matching what we do for
app-fd, usr-fd and the array of inheritable fds.
Fixes: 3c500145 "portal: Use --bind-fd, --app-fd and --usr-fd options to avoid races"
Helps: https://github.com/flatpak/flatpak/issues/6584
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 4ef2421bd22d8fbf8f17cf9bf5da1dd95aedef8d)
---
portal/flatpak-portal.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index 59a17b2b..c7310f89 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -1172,8 +1172,17 @@ handle_spawn (PortalFlatpak *object,
gint32 handle;
g_variant_get_child (sandbox_expose_fd, i, "h", &handle);
- if (handle >= 0 && handle < fds_len &&
- validate_opath_fd (fds[handle], TRUE, &error))
+ if (handle >= fds_len || handle < 0)
+ {
+ g_debug ("Invalid sandbox-expose-fd handle %d", handle);
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+ G_DBUS_ERROR_INVALID_ARGS,
+ "No file descriptor for handle %d",
+ handle);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
+ if (validate_opath_fd (fds[handle], TRUE, &error))
{
g_array_append_val (expose_fds, fds[handle]);
}
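Review bot: In the new range check in handle_spawn the sign test comes second, `handle >= fds_len || handle < 0`, so a negative handle is first compared against `fds_len`, whose declaration is outside this hunk. If that length is ever an unsigned type, negatives are rejected only through integer conversion; writing `if (handle < 0 || handle >= fds_len)` makes the bound on the `fds[handle]` index independent of that. The identical check in the sandbox-expose-ro-fd loop of the second hunk should change with it.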
@@ -1198,8 +1207,17 @@ handle_spawn (PortalFlatpak *object,
gint32 handle;
g_variant_get_child (sandbox_expose_fd_ro, i, "h", &handle);
- if (handle >= 0 && handle < fds_len &&
- validate_opath_fd (fds[handle], FALSE, &error))
+ if (handle >= fds_len || handle < 0)
+ {
+ g_debug ("Invalid sandbox-expose-ro-fd handle %d", handle);
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+ G_DBUS_ERROR_INVALID_ARGS,
+ "No file descriptor for handle %d",
+ handle);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
+ if (validate_opath_fd (fds[handle], FALSE, &error))
{
g_array_append_val (expose_fds_ro, fds[handle]);
}
--
2.54.0


@ -1,65 +0,0 @@
From db8a36948a0b9d7bc0b7572a969c148f4a704ed4 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 20:24:48 +0100
Subject: [PATCH] portal: Log and ignore unusable sandbox-expose fds instead of
erroring
For the sandbox expose fds, a historical quirk of this code is that if
the checks in get_path_for_fd() failed, we would merely log at g_info()
level (usually only shown when debugging the portal), and otherwise
silently ignore the request to expose the fd in the sandbox.
With hindsight this was probably not the right thing to do, but apps
could well be relying on it now. For example, there are indications
that Epiphany might send a memfd from the main instance to a subsandbox,
which never actually worked, but will break that subsandbox process
if that's treated as a fatal error.
Fixes: 3c500145 "portal: Use --bind-fd, --app-fd and --usr-fd options to avoid races"
Helps: https://github.com/flatpak/flatpak/issues/6584
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 75ab6eebb857fd26172613b69e55f04830ad0d82)
---
portal/flatpak-portal.c | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index c7310f89..9f8c7918 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -1188,12 +1188,9 @@ handle_spawn (PortalFlatpak *object,
}
else
{
- g_debug ("Invalid sandbox expose fd: %s", error->message);
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
- G_DBUS_ERROR_INVALID_ARGS,
- "No valid file descriptor for handle %d",
- handle);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
+ g_info ("unable to validate sandbox-expose-fd %d, ignoring: %s",
+ fds[handle], error->message);
+ g_clear_error (&error);
}
}
}
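Review bot: The new g_info() line logs `fds[handle]`, the portal's own descriptor number, where the removed error path reported `handle`, the index the caller actually sent. A request that is now silently dropped can then be traced back to the caller's argument only by guesswork; I would log both, e.g. `g_info ("unable to validate sandbox-expose-fd handle %d (fd %d), ignoring: %s", handle, fds[handle], error->message);`. The sandbox-expose-ro-fd branch in the second hunk has the same message. Since the caller no longer receives an error, a comment stating that an ignored fd is simply absent from the sandbox would also help.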
@@ -1223,12 +1220,9 @@ handle_spawn (PortalFlatpak *object,
}
else
{
- g_debug ("Invalid sandbox expose ro fd: %s", error->message);
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
- G_DBUS_ERROR_INVALID_ARGS,
- "No file descriptor for handle %d",
- handle);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
+ g_info ("unable to validate sandbox-expose-ro-fd %d, ignoring: %s",
+ fds[handle], error->message);
+ g_clear_error (&error);
}
}
}
--
2.54.0


@ -1,69 +0,0 @@
From df7cfbbed0a0576c35f236ab6ba3620cbfeb900f Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 9 Apr 2026 20:28:57 +0100
Subject: [PATCH] portal: Reinstate flatpak_get_path_for_fd() checks
As with the previous commit, historically we would debug-log but
otherwise silently ignore attempts to expose a file in a sandboxed
subsandbox that doesn't have a suitable path.
For example, org.gnome.Epiphany (or possibly WebKitGTK) asks to expose
files from /app and /usr in the subsandbox. When we ignored those
requests (because /app and /usr have a different meaning on the host
system), the app worked as intended anyway, because the subsandbox has
access to the app's /app and the runtime's /usr whether they're
explicitly added or not, so it all worked out OK. However, treating
this as a fatal error (as it arguably should have been) broke
Epiphany's subsandboxes.
Fixes: 3c500145 "portal: Use --bind-fd, --app-fd and --usr-fd options to avoid races"
Resolves: https://github.com/flatpak/flatpak/issues/6584
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 28634c7f52e57df7091007973d1bb5e1f87f1e9d)
---
portal/flatpak-portal.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index 9f8c7918..185ed676 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -556,7 +556,9 @@ validate_opath_fd (int fd,
{
int fd_flags;
struct stat st_buf;
+ struct stat real_st_buf;
int access_mode;
+ g_autofree char *path = NULL;
/* Must be able to get fd flags */
fd_flags = fcntl (fd, F_GETFL);
@@ -575,6 +577,24 @@ validate_opath_fd (int fd,
if (fstat (fd, &st_buf) < 0)
return glnx_throw_errno_prefix (error, "Failed to fstat");
+ path = flatpak_get_path_for_fd (fd, error);
+ if (path == NULL)
+ return FALSE;
+
+ /* Verify that this is the same file as the app opened.
+ * Note that this is not security relevant because flatpak-run/bwrap will
+ * check things and abort if something is off. We do this only for backwards
+ * compatibility reasons: we need to be able to ignore the issue instead of
+ * aborting the entire sandbox setup later. */
+ if (stat (path, &real_st_buf) < 0 ||
+ st_buf.st_dev != real_st_buf.st_dev ||
+ st_buf.st_ino != real_st_buf.st_ino)
+ {
+ /* Different files on the inside and the outside, reject the request */
+ return glnx_throw (error,
+ "different file inside and outside sandbox");
+ }
+
access_mode = R_OK;
if (S_ISDIR (st_buf.st_mode))
access_mode |= X_OK;
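Review bot: A failing `stat (path, ...)` in validate_opath_fd is folded into the same branch as an inode mismatch, so ENOENT or EACCES is reported as "different file inside and outside sandbox" and errno is lost. According to the previous patch the caller only logs this message and carries on, so the text is all a person debugging a missing mount has to go on. I would split it out as `if (stat (path, &real_st_buf) < 0) return glnx_throw_errno_prefix (error, "Failed to stat %s", path);` and keep the st_dev/st_ino comparison for the mismatch case. The function begins and ends outside this hunk.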
--
2.54.0


@ -1,37 +0,0 @@
From 313ceb0cac8d28f941421fabb24e7371b2f3cc8d Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 10 Apr 2026 11:38:12 +0100
Subject: [PATCH] libtest: Allow adding a new ref to an existing temporary
ostree repo
When we run `tests/test-run-custom.sh` as a build-time test,
we expect to already have the necessary runtimes, apps, etc. in
`${builddir}/tests/runtime-repo`. However, when running "as-installed"
tests, we're using a fresh temporary ostree repo for each test.
Merely having the repo exist is not enough: for some tests, and in
particular `tests/test-run-custom.sh`, it needs to have more than one
runtime available.
Resolves: https://github.com/flatpak/flatpak/issues/6591
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 50dda82eb054695b3d3758d0a88ef68c8dd79dc4)
---
tests/libtest.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libtest.sh b/tests/libtest.sh
index 4a9fd481..5dc4011e 100644
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -302,7 +302,7 @@ make_runtime () {
RUNTIME_REPO=${TEST_DATA_DIR}/runtime-repo
(
flock -s 200
- if [ ! -d ${RUNTIME_REPO} ]; then
+ if [ ! -f "${RUNTIME_REPO}/refs/heads/${RUNTIME_REF}" ]; then
$(dirname $0)/make-test-runtime.sh ${RUNTIME_REPO} org.test.Platform ${BRANCH} "" "" > /dev/null
fi
) 200>${TEST_DATA_DIR}/runtime-repo-lock
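Review bot: The new test reads `${RUNTIME_REF}`, which is not assigned anywhere in the visible part of make_runtime; the lines shown only set `RUNTIME_REPO` and pass `org.test.Platform ${BRANCH}` to make-test-runtime.sh. If it is unset, or does not match the ref that script commits, `-f` is never true and the runtime is rebuilt on every call, so this is worth confirming against the lines above the hunk. The arguments on the make-test-runtime.sh line are still unquoted while the new test quotes its path; `"${RUNTIME_REPO}"` and `"${BRANCH}"` would be consistent with it.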
--
2.54.0


@ -1,103 +0,0 @@
From 263497107d68e5aa44856b6d1d375fd1adf77879 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 10 Apr 2026 14:00:14 +0100
Subject: [PATCH] app, context: Never close fds 0, 1 or 2
These fds are stdin, stdout and stderr respectively, and are expected
to remain open at all times (if they are not needed then they can point
to /dev/null, but they should always be open). If the user gives us
`--env-fd=2` or similar, we don't want to close fd 2 before exiting
unsuccessfully: that would give us nowhere to display the error message.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c4ab58cd2e66c4bcf193919ef9cbdce1dac042da)
---
app/flatpak-builtins-run.c | 26 +++++++++++++++++++++-----
common/flatpak-context.c | 6 +++++-
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index cc69423e..82725119 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -79,7 +79,11 @@ option_bind_fd_cb (const char *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ /* Don't close these fds! */
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
if (!flatpak_set_cloexec (fd))
return glnx_throw_errno_prefix (error, "--bind-fd");
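Review bot: Only the first and last of the six new `fd = -1;` resets carry a comment, and "Don't close these fds!" does not say what would close them. The reset matters only if `fd` is an auto-closing variable (its declaration is above each hunk), so I would put `/* fd is auto-closed on return: drop it so stdin/stdout/stderr stay open */` on every one of them. option_ro_bind_fd_cb, opt_instance_id_fd_cb, opt_app_fd_cb and opt_usr_fd_cb currently have no comment at all.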
@@ -102,7 +106,10 @@ option_ro_bind_fd_cb (const char *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
if (!flatpak_set_cloexec (fd))
return glnx_throw_errno_prefix (error, "--ro-bind-fd");
@@ -125,7 +132,10 @@ opt_instance_id_fd_cb (const char *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
if (!flatpak_set_cloexec (fd))
return glnx_throw_errno_prefix (error, "--instance-id-fd");
@@ -147,7 +157,10 @@ opt_app_fd_cb (const char *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
if (!flatpak_set_cloexec (fd))
return glnx_throw_errno_prefix (error, "--app-fd");
@@ -169,7 +182,10 @@ opt_usr_fd_cb (const char *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
if (!flatpak_set_cloexec (fd))
return glnx_throw_errno_prefix (error, "--usr-fd");
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 3ff4ac16..3dc8f533 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1311,7 +1311,11 @@ option_env_fd_cb (const gchar *option_name,
return FALSE;
if (fd < 3)
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ {
+ /* Don't close these fds! */
+ fd = -1;
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+ }
/* This is not strictly necessary, because we're going to close it after
* parsing the environment block, but let's be consistent with other fd
--
2.54.0


@ -1,235 +0,0 @@
From 9c357f7f9d4d781bf04dafab9559343e9ec44f55 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 10 Apr 2026 15:02:43 +0100
Subject: [PATCH] app, context: Factor out flatpak_accept_fd_argument()
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d42037c5267ac7967ce285b9052b25fe7a968368)
---
app/flatpak-builtins-run.c | 61 ++++++----------------------------
common/flatpak-context.c | 18 ++--------
common/flatpak-utils-private.h | 4 +++
common/flatpak-utils.c | 47 ++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 67 deletions(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index 82725119..c9e7e071 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -74,20 +74,11 @@ option_bind_fd_cb (const char *option_name,
{
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- /* Don't close these fds! */
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--bind-fd");
-
g_array_append_val (opt_bind_fds, fd);
fd = -1; /* ownership transferred to GArray */
return TRUE;
@@ -101,19 +92,11 @@ option_ro_bind_fd_cb (const char *option_name,
{
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--ro-bind-fd");
-
g_array_append_val (opt_ro_bind_fds, fd);
fd = -1; /* ownership transferred to GArray */
return TRUE;
@@ -127,19 +110,11 @@ opt_instance_id_fd_cb (const char *option_name,
{
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--instance-id-fd");
-
opt_instance_id_fd = g_steal_fd (&fd);
return TRUE;
}
@@ -152,19 +127,11 @@ opt_app_fd_cb (const char *option_name,
{
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--app-fd");
-
opt_app_fd = g_steal_fd (&fd);
return TRUE;
}
@@ -177,19 +144,11 @@ opt_usr_fd_cb (const char *option_name,
{
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--usr-fd");
-
opt_usr_fd = g_steal_fd (&fd);
return TRUE;
}
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 3dc8f533..2165631d 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -1306,25 +1306,11 @@ option_env_fd_cb (const gchar *option_name,
FlatpakContext *context = data;
glnx_autofd int fd = -1;
- fd = flatpak_parse_fd (value, error);
+ fd = flatpak_accept_fd_argument (option_name, value, error);
+
if (fd < 0)
return FALSE;
- if (fd < 3)
- {
- /* Don't close these fds! */
- fd = -1;
- return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
- }
-
- /* This is not strictly necessary, because we're going to close it after
- * parsing the environment block, but let's be consistent with other fd
- * arguments that we need to avoid being inherited by the "payload"
- * command. This is also a convenient place to validate that it's an
- * open fd. */
- if (!flatpak_set_cloexec (fd))
- return glnx_throw_errno_prefix (error, "--env-fd");
-
return flatpak_context_parse_env_fd (context, fd, error);
}
diff --git a/common/flatpak-utils-private.h b/common/flatpak-utils-private.h
index efe8eb2b..215b3c38 100644
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -937,4 +937,8 @@ char * flatpak_get_path_for_fd (int fd,
gboolean flatpak_set_cloexec (int fd);
+int flatpak_accept_fd_argument (const char *option_name,
+ const char *value,
+ GError **error);
+
#endif /* __FLATPAK_UTILS_H__ */
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 6f09fa09..63a2e325 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -9228,6 +9228,53 @@ flatpak_set_cloexec (int fd)
return TRUE;
}
+/*
+ * flatpak_accept_fd_argument:
+ * @option_name: Name of a command-line option such as `--env-fd`
+ * @value: Value of the command-line option
+ *
+ * Parse a command-line argument whose value is a file descriptor to be
+ * used internally by Flatpak.
+ *
+ * The file descriptor must be 3 or higher (cannot be stdin, stdout
+ * or stderr).
+ *
+ * The file descriptor is set to be close-on-execute (CLOEXEC).
+ * If child processes are meant to inherit it, the caller must clear the
+ * close-on-execute flag, or duplicate the fd.
+ *
+ * Returns: A file descriptor to be closed by the caller, or -1 on error
+ */
+int
+flatpak_accept_fd_argument (const char *option_name,
+ const char *value,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+
+ if (fd < 0)
+ {
+ g_prefix_error (error, "%s: ", option_name);
+ return -1;
+ }
+
+ if (fd < 3)
+ {
+ /* We don't want to close stdin, stdout or stderr */
+ fd = -1;
+ return glnx_fd_throw (error,
+ "%s: Cannot use reserved file descriptor 0, 1 or 2",
+ option_name);
+ }
+
+ if (!flatpak_set_cloexec (fd))
+ return glnx_fd_throw_errno_prefix (error, "%s", option_name);
+
+ return g_steal_fd (&fd);
+}
+
/*
* Attempt to discover the filesystem path corresponding to @fd.
*
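Review bot: When flatpak_set_cloexec() fails in flatpak_accept_fd_argument, `fd` still holds the user-supplied number, so the `glnx_autofd` cleanup calls close() on it as the function returns. For the likely failure, a number that is not an open descriptor at all, that is a close() on something this process never owned; depending on how the cleanup helper treats EBADF, this may abort before the error is printed. I would release it in that branch, e.g. `if (errno == EBADF) fd = -1;` before the throw, assuming flatpak_set_cloexec leaves errno intact (its body is outside the hunk). The doc comment also omits `@error:`.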
--
2.54.0


@ -1,48 +0,0 @@
From ba43f074af594705b0aea9f53261d3b61fc3c866 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 16:32:50 +0100
Subject: [PATCH] flatpak-bwrap: Use glnx_close_fd as clear func
We already have a function which clears a fd that a pointer points to,
so let's use it instead of duplicating the code.
Will become useful in a later commit as well.
---
common/flatpak-bwrap.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/common/flatpak-bwrap.c b/common/flatpak-bwrap.c
index 1694ffd4..693a1981 100644
--- a/common/flatpak-bwrap.c
+++ b/common/flatpak-bwrap.c
@@ -41,15 +41,6 @@
#include "flatpak-utils-private.h"
#include "flatpak-utils-base-private.h"
-static void
-clear_fd (gpointer data)
-{
- int *fd_p = data;
-
- if (fd_p != NULL && *fd_p != -1)
- close (*fd_p);
-}
-
char *flatpak_bwrap_empty_env[] = { NULL };
FlatpakBwrap *
@@ -59,9 +50,9 @@ flatpak_bwrap_new (char **env)
bwrap->argv = g_ptr_array_new_with_free_func (g_free);
bwrap->noinherit_fds = g_array_new (FALSE, TRUE, sizeof (int));
- g_array_set_clear_func (bwrap->noinherit_fds, clear_fd);
+ g_array_set_clear_func (bwrap->noinherit_fds, (GDestroyNotify) glnx_close_fd);
bwrap->fds = g_array_new (FALSE, TRUE, sizeof (int));
- g_array_set_clear_func (bwrap->fds, clear_fd);
+ g_array_set_clear_func (bwrap->fds, (GDestroyNotify) glnx_close_fd);
if (env)
bwrap->envp = g_strdupv (env);
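Review bot: The cast in `(GDestroyNotify) glnx_close_fd` hides any mismatch between the helper's prototype and what GArray passes to its clear function, which is a pointer to the element. glnx_close_fd is declared outside this patch, so both call sites should carry a short comment such as `/* clear func receives int *element, which is what glnx_close_fd takes */`. The removed clear_fd tolerated a NULL pointer and skipped only -1; the comment should also say how the replacement treats those two cases.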
--
2.54.0


@ -1,912 +0,0 @@
From f41f12c98896aced62830bf5f3e21c40ee24a6d7 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 20:54:22 +0100
Subject: [PATCH] run: Use O_PATH fds for the runtime and app deploy
directories
This also allows us to use glnx_chaseat, and other at-functions to
traverse the filesystem tree in a safe way.
This is important because the app and runtime deploy directories can be
under an attacker's control. The flatpak portal for example allows
sandboxed apps to provide them.
In particular, attacks where the deploy dirs get replaced by a symlink
pointing into the host system will be stopped by this.
Note that this change alone is not enough to avoid the attack, and the
portal has to be changed as well.
---
app/flatpak-builtins-build.c | 8 +-
app/flatpak-builtins-run.c | 37 ++-
common/Makefile.am.inc | 2 +-
common/flatpak-dir.c | 8 +-
common/flatpak-installation.c | 3 +-
common/flatpak-run-private.h | 11 +-
common/flatpak-run.c | 452 +++++++++++++++++++++++-----------
7 files changed, 372 insertions(+), 149 deletions(-)
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
index 4a1e762..09b469a 100644
--- a/app/flatpak-builtins-build.c
+++ b/app/flatpak-builtins-build.c
@@ -457,7 +457,13 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
/* Never set up an a11y bus for builds */
run_flags |= FLATPAK_RUN_FLAG_NO_A11Y_BUS_PROXY;
- if (!flatpak_run_setup_base_argv (bwrap, runtime_files, app_id_dir, arch,
+ glnx_autofd int usr_fd = -1;
+ usr_fd = open (flatpak_file_get_path_cached (runtime_files),
+ O_PATH | O_CLOEXEC | O_NOFOLLOW);
+ if (usr_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open runtime files");
+
+ if (!flatpak_run_setup_base_argv (bwrap, usr_fd, app_id_dir, arch,
run_flags, error))
return FALSE;
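Review bot: The new `open ()` of the runtime directory in flatpak_builtin_build uses `O_PATH | O_CLOEXEC | O_NOFOLLOW` without `O_DIRECTORY`. With O_PATH, O_NOFOLLOW on a final-component symlink does not fail but returns a descriptor for the link itself, and a regular file is accepted too, so rejection is left to whatever consumes `usr_fd` later. Adding the flag, `O_PATH | O_CLOEXEC | O_NOFOLLOW | O_DIRECTORY`, makes both cases fail at the open. The same flag set is used for `opt_app_path` and `opt_usr_path` in flatpak_builtin_run and for the runtime files in apply_extra_data.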
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index ba2ae67..9403d8a 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -110,6 +110,8 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
g_autoptr(GError) local_error = NULL;
g_autoptr(GPtrArray) dirs = NULL;
FlatpakRunFlags flags = 0;
+ glnx_autofd int app_fd = -1;
+ glnx_autofd int usr_fd = -1;
context = g_option_context_new (_("APP [ARGUMENT…] - Run an app"));
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
@@ -305,14 +307,45 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
if (!opt_session_bus)
flags |= FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY;
+ if (opt_app_path != NULL)
+ {
+ if (g_strcmp0 (opt_app_path, "") == 0)
+ {
+ app_fd = FLATPAK_RUN_APP_DEPLOY_APP_EMPTY;
+ }
+ else
+ {
+ app_fd = open (opt_app_path, O_PATH | O_CLOEXEC | O_NOFOLLOW);
+
+ if (app_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open app-path");
+ }
+ }
+ else
+ {
+ app_fd = FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL;
+ }
+
+ if (opt_usr_path != NULL)
+ {
+ usr_fd = open (opt_usr_path, O_PATH | O_CLOEXEC | O_NOFOLLOW);
+
+ if (usr_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open usr-path");
+ }
+ else
+ {
+ usr_fd = FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL;
+ }
+
if (!flatpak_run_app (app_deploy ? app_ref : runtime_ref,
app_deploy,
- opt_app_path,
+ app_fd,
arg_context,
opt_runtime,
opt_runtime_version,
opt_runtime_commit,
- opt_usr_path,
+ usr_fd,
opt_parent_pid,
flags,
opt_cwd,
diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
index 892ee4c..3147cc7 100644
--- a/common/Makefile.am.inc
+++ b/common/Makefile.am.inc
@@ -205,6 +205,7 @@ libflatpak_common_la_CFLAGS = \
$(NULL)
libflatpak_common_la_LIBADD = \
$(AM_LIBADD) \
+ libglnx.la \
$(ARCHIVE_LIBS) \
$(ZSTD_LIBS) \
$(BASE_LIBS) \
@@ -249,7 +250,6 @@ libflatpak_la_LIBADD = \
$(AM_LIBADD) \
libflatpak-common.la \
libflatpak-common-base.la \
- libglnx.la \
$(BASE_LIBS) \
$(OSTREE_LIBS) \
$(SOUP_LIBS) \
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 978df03..c18fd44 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -8014,7 +8014,13 @@ apply_extra_data (FlatpakDir *self,
"--cap-drop", "ALL",
NULL);
- if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_arch,
+ glnx_autofd int usr_fd = -1;
+ usr_fd = open (flatpak_file_get_path_cached (runtime_files),
+ O_PATH | O_CLOEXEC | O_NOFOLLOW);
+ if (usr_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open runtime files");
+
+ if (!flatpak_run_setup_base_argv (bwrap, usr_fd, NULL, runtime_arch,
/* Might need multiarch in apply_extra (see e.g. #3742). Should be pretty safe in this limited context */
FLATPAK_RUN_FLAG_MULTIARCH |
FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
diff --git a/common/flatpak-installation.c b/common/flatpak-installation.c
index 3c5a12a..9254252 100644
--- a/common/flatpak-installation.c
+++ b/common/flatpak-installation.c
@@ -700,9 +700,10 @@ flatpak_installation_launch_full (FlatpakInstallation *self,
if (!flatpak_run_app (app_ref,
app_deploy,
+ FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL,
NULL,
- NULL, NULL,
NULL, NULL, NULL,
+ FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL,
0,
run_flags,
NULL,
diff --git a/common/flatpak-run-private.h b/common/flatpak-run-private.h
index eac25cc..5fc1f29 100644
--- a/common/flatpak-run-private.h
+++ b/common/flatpak-run-private.h
@@ -28,6 +28,11 @@
#include "flatpak-utils-private.h"
#include "flatpak-exports-private.h"
+#define FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL (-2)
+#define FLATPAK_RUN_APP_DEPLOY_APP_EMPTY (-3)
+
+#define FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL (-2)
+
gboolean flatpak_run_in_transient_unit (const char *app_id,
GError **error);
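Review bot: The three sentinel macros are added without any comment, and `FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL` and `FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL` share the value -2 while -1 is skipped. flatpak_builtin_run stores them in `glnx_autofd` variables (`app_fd = FLATPAK_RUN_APP_DEPLOY_APP_EMPTY;`), so the scheme relies on the cleanup ignoring every negative value, not only -1. I would add a comment block above the macros covering three things: what "original" and "empty" select, that the values travel in the `custom_app_fd` / `custom_runtime_fd` parameters in place of a descriptor, and why -1 is not used.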
@@ -151,7 +156,7 @@ gboolean flatpak_ensure_data_dir (GFile *app_id_dir,
GError **error);
gboolean flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
- GFile *runtime_files,
+ int runtime_fd,
GFile *app_id_dir,
const char *arch,
FlatpakRunFlags flags,
@@ -181,12 +186,12 @@ gboolean flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
gboolean flatpak_run_app (FlatpakDecomposed *app_ref,
FlatpakDeploy *app_deploy,
- const char *custom_app_path,
+ int custom_app_fd,
FlatpakContext *extra_context,
const char *custom_runtime,
const char *custom_runtime_version,
const char *custom_runtime_commit,
- const char *custom_usr_path,
+ int custom_runtime_fd,
int parent_pid,
FlatpakRunFlags flags,
const char *cwd,
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 4fdb56f..0e1d16f 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2846,19 +2846,37 @@ flatpak_run_add_app_info_args (FlatpakBwrap *bwrap,
static void
add_tzdata_args (FlatpakBwrap *bwrap,
- GFile *runtime_files)
+ int runtime_fd)
{
- g_autofree char *raw_timezone = flatpak_get_timezone ();
- g_autofree char *timezone_content = g_strdup_printf ("%s\n", raw_timezone);
- g_autofree char *localtime_content = g_strconcat ("../usr/share/zoneinfo/", raw_timezone, NULL);
- g_autoptr(GFile) runtime_zoneinfo = NULL;
+ g_autofree char *raw_timezone = NULL;
+ g_autofree char *timezone_content = NULL;
+ g_autofree char *localtime_content = NULL;
+ glnx_autofd int zoneinfo_fd = -1;
+ g_autofree char *runtime_zoneinfo = NULL;
+ g_autoptr(GError) error = NULL;
+
+ raw_timezone = flatpak_get_timezone ();
+ timezone_content = g_strdup_printf ("%s\n", raw_timezone);
+ localtime_content = g_strconcat ("../usr/share/zoneinfo/", raw_timezone, NULL);
+
+ zoneinfo_fd = glnx_chaseat (runtime_fd, "share/zoneinfo",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_DIRECTORY,
+ NULL);
- if (runtime_files)
- runtime_zoneinfo = g_file_resolve_relative_path (runtime_files, "share/zoneinfo");
+ runtime_zoneinfo = g_strconcat ("share/zoneinfo/", raw_timezone, NULL);
/* Check for runtime /usr/share/zoneinfo */
- if (runtime_zoneinfo != NULL && g_file_query_exists (runtime_zoneinfo, NULL))
+ if (zoneinfo_fd >= 0)
{
+ glnx_autofd int runtime_zoneinfo_fd = -1;
+
+ /* Check for runtime /usr/share/zoneinfo */
+ runtime_zoneinfo_fd = glnx_chaseat (runtime_fd, runtime_zoneinfo,
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ NULL);
+
/* Check for host /usr/share/zoneinfo */
if (g_file_test ("/usr/share/zoneinfo", G_FILE_TEST_IS_DIR))
{
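Review bot: The new local `g_autoptr(GError) error = NULL;` in add_tzdata_args looks unused, because both glnx_chaseat() calls in this hunk pass `NULL` for the error. It can be dropped, or passed to the calls and logged with g_debug. The comment above the second lookup repeats `/* Check for runtime /usr/share/zoneinfo */` although that call resolves the host timezone name inside the runtime; I would reword it to `/* Look up the host timezone file in the runtime tzdata */`. Since raw_timezone is joined into the lookup path, a short comment that GLNX_CHASE_RESOLVE_BENEATH is what keeps the lookup inside runtime_fd would help. The function body continues past the end of this hunk.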
@@ -2868,15 +2886,12 @@ add_tzdata_args (FlatpakBwrap *bwrap,
"--symlink", localtime_content, "/etc/localtime",
NULL);
}
- else
+ /* Check if host timezone file exist in the runtime tzdata */
+ else if (runtime_zoneinfo_fd >= 0)
{
- g_autoptr(GFile) runtime_tzfile = g_file_resolve_relative_path (runtime_zoneinfo, raw_timezone);
-
- /* Check if host timezone file exist in the runtime tzdata */
- if (g_file_query_exists (runtime_tzfile, NULL))
- flatpak_bwrap_add_args (bwrap,
- "--symlink", localtime_content, "/etc/localtime",
- NULL);
+ flatpak_bwrap_add_args (bwrap,
+ "--symlink", localtime_content, "/etc/localtime",
+ NULL);
}
}
@@ -3359,24 +3374,41 @@ setup_seccomp (FlatpakBwrap *bwrap,
static void
flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
- GFile *runtime_files,
+ int runtime_fd,
const char *sysroot)
{
int i;
- if (runtime_files == NULL)
+ g_return_if_fail (runtime_fd >= -1);
+
+ if (runtime_fd < 0)
return;
for (i = 0; flatpak_abs_usrmerged_dirs[i] != NULL; i++)
{
const char *subdir = flatpak_abs_usrmerged_dirs[i];
- g_autoptr(GFile) runtime_subdir = NULL;
+ glnx_autofd int runtime_subdir_fd = -1;
+ g_autoptr(GError) local_error = NULL;
g_assert (subdir[0] == '/');
+
/* Skip the '/' when using as a subdirectory of the runtime */
- runtime_subdir = g_file_get_child (runtime_files, subdir + 1);
+ runtime_subdir_fd = glnx_chaseat (runtime_fd, subdir + 1,
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_NOFOLLOW,
+ &local_error);
- if (g_file_query_exists (runtime_subdir, NULL))
+ if (runtime_subdir_fd < 0 &&
+ !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
+ {
+ g_warning ("Checking for usrmerged dir %s failed: %s",
+ subdir, local_error->message);
+ }
+ else if (runtime_subdir_fd < 0)
+ {
+ g_debug ("%s does not exist in runtime", subdir);
+ }
+ else
{
g_autofree char *link = g_strconcat ("usr", subdir, NULL);
g_autofree char *create = NULL;
@@ -3390,17 +3422,12 @@ flatpak_run_setup_usr_links (FlatpakBwrap *bwrap,
"--symlink", link, create,
NULL);
}
- else
- {
- g_debug ("%s does not exist",
- flatpak_file_get_path_cached (runtime_subdir));
- }
}
}
gboolean
flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
- GFile *runtime_files,
+ int runtime_fd,
GFile *app_id_dir,
const char *arch,
FlatpakRunFlags flags,
@@ -3413,7 +3440,6 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
struct group *g;
gulong pers;
gid_t gid = getgid ();
- g_autoptr(GFile) etc = NULL;
run_dir = g_strdup_printf ("/run/user/%d", getuid ());
@@ -3488,22 +3514,25 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
else if (g_file_test ("/var/lib/dbus/machine-id", G_FILE_TEST_EXISTS))
flatpak_bwrap_add_args (bwrap, "--ro-bind", "/var/lib/dbus/machine-id", "/etc/machine-id", NULL);
- if (runtime_files)
- etc = g_file_get_child (runtime_files, "etc");
- if (etc != NULL &&
- (flags & FLATPAK_RUN_FLAG_WRITABLE_ETC) == 0 &&
- g_file_query_exists (etc, NULL))
+ if ((flags & FLATPAK_RUN_FLAG_WRITABLE_ETC) == 0)
{
g_auto(GLnxDirFdIterator) dfd_iter = { 0, };
struct dirent *dent;
gboolean inited;
+ g_autoptr(GError) local_error = NULL;
- inited = glnx_dirfd_iterator_init_at (AT_FDCWD, flatpak_file_get_path_cached (etc), FALSE, &dfd_iter, NULL);
+ inited = glnx_dirfd_iterator_init_at (runtime_fd, "etc", FALSE, &dfd_iter, &local_error);
+ if (!inited && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
+ {
+ g_propagate_error (error, g_steal_pointer (&local_error));
+ return FALSE;
+ }
while (inited)
{
- g_autofree char *src = NULL;
g_autofree char *dest = NULL;
+ glnx_autofd int src_fd = -1;
+ struct stat statbuf;
if (!glnx_dirfd_iterator_next_dent_ensure_dtype (&dfd_iter, &dent, NULL, NULL) || dent == NULL)
break;
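Review bot: The /etc iteration now runs whenever FLATPAK_RUN_FLAG_WRITABLE_ETC is unset, without the old `runtime_files` NULL guard. A caller passing `runtime_fd == -1` would presumably get an error that is not G_IO_ERROR_NOT_FOUND, making flatpak_run_setup_base_argv return FALSE. flatpak_run_setup_usr_links in the same patch still accepts -1 and returns early, so the two disagree on whether "no runtime" is legal. If -1 is meant to stay valid, guard the block with `if (runtime_fd >= 0 && (flags & FLATPAK_RUN_FLAG_WRITABLE_ETC) == 0)`; otherwise state the contract with `g_return_val_if_fail (runtime_fd >= 0, FALSE);`. The function starts outside this hunk, so its callers need checking.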
@@ -3520,9 +3549,19 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
strcmp (dent->d_name, "pkcs11") == 0)
continue;
- src = g_build_filename (flatpak_file_get_path_cached (etc), dent->d_name, NULL);
dest = g_build_filename ("/etc", dent->d_name, NULL);
- if (dent->d_type == DT_LNK)
+
+ src_fd = glnx_chaseat (dfd_iter.fd, dent->d_name,
+ GLNX_CHASE_NOFOLLOW |
+ GLNX_CHASE_RESOLVE_BENEATH,
+ error);
+ if (src_fd < 0)
+ return FALSE;
+
+ if (!glnx_fstat (src_fd, &statbuf, error))
+ return FALSE;
+
+ if (S_ISLNK (statbuf.st_mode))
{
g_autofree char *target = NULL;
@@ -3533,9 +3572,12 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
flatpak_bwrap_add_args (bwrap, "--symlink", target, dest, NULL);
}
- else
+ else if (src_fd >= 0)
{
- flatpak_bwrap_add_args (bwrap, "--ro-bind", src, dest, NULL);
+ flatpak_bwrap_add_args_data_fd (bwrap,
+ "--ro-bind-fd",
+ g_steal_fd (&src_fd),
+ dest);
}
}
}
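Review bot: The `else if (src_fd >= 0)` condition is always true here, since the preceding hunk returns FALSE as soon as glnx_chaseat() fails. A plain `else` reads more honestly and does not suggest that an entry can be skipped silently. A short comment that `g_steal_fd (&src_fd)` presumably hands the descriptor over to the bwrap, so the glnx_autofd cleanup no longer closes it, would help the next reader. The enclosing loop starts outside this hunk.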
@@ -3556,9 +3598,9 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
NULL);
}
- flatpak_run_setup_usr_links (bwrap, runtime_files, NULL);
+ flatpak_run_setup_usr_links (bwrap, runtime_fd, NULL);
- add_tzdata_args (bwrap, runtime_files);
+ add_tzdata_args (bwrap, runtime_fd);
pers = PER_LINUX;
@@ -3785,7 +3827,7 @@ regenerate_ld_cache (GPtrArray *base_argv_array,
GArray *base_fd_array,
GFile *app_id_dir,
const char *checksum,
- GFile *runtime_files,
+ int runtime_fd,
gboolean generate_ld_so_conf,
GCancellable *cancellable,
GError **error)
@@ -3825,7 +3867,7 @@ regenerate_ld_cache (GPtrArray *base_argv_array,
flatpak_bwrap_append_args (bwrap, base_argv_array);
- flatpak_run_setup_usr_links (bwrap, runtime_files, NULL);
+ flatpak_run_setup_usr_links (bwrap, runtime_fd, NULL);
if (generate_ld_so_conf)
{
@@ -4048,15 +4090,51 @@ check_sudo (GError **error)
return TRUE;
}
+static char *
+get_path_for_fd (int fd,
+ GError **error)
+{
+ g_autofree char *proc_path = NULL;
+ g_autofree char *path = NULL;
+
+ proc_path = g_strdup_printf ("/proc/self/fd/%d", fd);
+ path = glnx_readlinkat_malloc (AT_FDCWD, proc_path, NULL, error);
+ if (path == NULL)
+ return NULL;
+
+ /* All normal paths start with /, but some weird things
+ don't, such as socket:[27345] or anon_inode:[eventfd].
+ We don't support any of these */
+ if (path[0] != '/')
+ {
+ return glnx_null_throw (error, "%s resolves to non-absolute path %s",
+ proc_path, path);
+ }
+
+ /* File descriptors to actually deleted files have " (deleted)"
+ appended to them. This also happens to some fake fd types
+ like shmem which are "/<name> (deleted)". All such
+ files are considered invalid. Unfortunately this also
+ matches files with filenames that actually end in " (deleted)",
+ but there is not much to do about this. */
+ if (g_str_has_suffix (path, " (deleted)"))
+ {
+ return glnx_null_throw (error, "%s resolves to deleted path %s",
+ proc_path, path);
+ }
+
+ return g_steal_pointer (&path);
+}
+
gboolean
flatpak_run_app (FlatpakDecomposed *app_ref,
FlatpakDeploy *app_deploy,
- const char *custom_app_path,
+ int custom_app_fd,
FlatpakContext *extra_context,
const char *custom_runtime,
const char *custom_runtime_version,
const char *custom_runtime_commit,
- const char *custom_usr_path,
+ int custom_runtime_fd,
int parent_pid,
FlatpakRunFlags flags,
const char *cwd,
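Review bot: get_path_for_fd has no header comment, and its contract matters here: the string it returns is only the name /proc reported at the time of the readlink and can stop matching the descriptor afterwards. I would add a comment saying that the caller owns the returned string and that the path is for naming and diagnostics only, with all file access going through the fd. For example: `/* Returns the current path of @fd as a newly allocated string, or NULL with @error set; never reopen the result, use the fd. */`. The hunk also cuts into the flatpak_run_app signature, whose body lies outside it.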
@@ -4071,11 +4149,6 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
g_autoptr(FlatpakDeploy) runtime_deploy = NULL;
g_autoptr(GBytes) runtime_deploy_data = NULL;
g_autoptr(GBytes) app_deploy_data = NULL;
- g_autoptr(GFile) app_files = NULL;
- g_autoptr(GFile) original_app_files = NULL;
- g_autoptr(GFile) runtime_files = NULL;
- g_autoptr(GFile) original_runtime_files = NULL;
- g_autoptr(GFile) bin_ldconfig = NULL;
g_autoptr(GFile) app_id_dir = NULL;
g_autoptr(GFile) real_app_id_dir = NULL;
g_autofree char *default_runtime_pref = NULL;
@@ -4107,18 +4180,39 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
g_autofree char *per_app_dir_lock_path = NULL;
g_autofree char *shared_xdg_runtime_dir = NULL;
int ld_so_fd = -1;
- g_autoptr(GFile) runtime_ld_so_conf = NULL;
gboolean generate_ld_so_conf = TRUE;
gboolean use_ld_so_cache = TRUE;
gboolean sandboxed = (flags & FLATPAK_RUN_FLAG_SANDBOX) != 0;
gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
- const char *app_target_path = "/app";
- const char *runtime_target_path = "/usr";
- struct stat s;
+ glnx_autofd int original_runtime_fd = -1;
+ g_autoptr(GFile) original_runtime_files = NULL;
+ g_autoptr(GFile) custom_runtime_files = NULL;
+ /* borrows from either original_runtime_fd or custom_runtime_fd */
+ int runtime_fd = -1;
+ /* borrows from either original_runtime_files or custom_runtime_files */
+ GFile *runtime_files = NULL;
+ const char *original_runtime_target_path = NULL;
+ glnx_autofd int original_app_fd = -1;
+ g_autoptr(GFile) original_app_files = NULL;
+ g_autoptr(GFile) custom_app_files = NULL;
+ /* borrows from either original_app_fd or custom_app_fd */
+ int app_fd = -1;
+ /* borrows from either original_app_files or custom_app_files */
+ GFile *app_files = NULL;
+ const char *original_app_target_path = NULL;
g_return_val_if_fail (app_ref != NULL, FALSE);
+ g_return_val_if_fail (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL ||
+ custom_app_fd == FLATPAK_RUN_APP_DEPLOY_APP_EMPTY ||
+ custom_app_fd >= 0,
+ FALSE);
+
+ g_return_val_if_fail (custom_runtime_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL ||
+ custom_runtime_fd >= 0,
+ FALSE);
+
if (!check_sudo (error))
return FALSE;
@@ -4231,38 +4325,53 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
flatpak_context_merge (app_context, extra_context);
original_runtime_files = flatpak_deploy_get_files (runtime_deploy);
+ original_runtime_fd = open (flatpak_file_get_path_cached (original_runtime_files),
+ O_PATH | O_CLOEXEC);
+ if (original_runtime_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open original runtime");
- if (custom_usr_path != NULL)
+ if (custom_runtime_fd >= 0)
{
- runtime_files = g_file_new_for_path (custom_usr_path);
- /* Mount the original runtime below here instead of /usr */
- runtime_target_path = "/run/parent/usr";
+ g_autofree char *path = NULL;
+
+ path = get_path_for_fd (custom_runtime_fd, &my_error);
+ if (path == NULL)
+ {
+ return flatpak_fail_error (error, FLATPAK_ERROR,
+ "Cannot convert custom usr fd to path: %s",
+ my_error->message);
+ }
+
+ custom_runtime_files = g_file_new_for_path (path);
+
+ original_runtime_target_path = "/run/parent/usr";
+ runtime_fd = custom_runtime_fd;
+ runtime_files = custom_runtime_files;
+ }
+ else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL)
+ {
+ original_runtime_target_path = "/usr";
+ runtime_fd = original_runtime_fd;
+ runtime_files = original_runtime_files;
}
else
{
- runtime_files = g_object_ref (original_runtime_files);
+ g_assert_not_reached ();
}
- bin_ldconfig = g_file_resolve_relative_path (runtime_files, "bin/ldconfig");
- if (!g_file_query_exists (bin_ldconfig, NULL))
- use_ld_so_cache = FALSE;
-
- /* We can't use the ld.so cache if we are using a custom /usr or /app,
- * because we don't have a unique ID for the /usr or /app, so we can't
- * do cache-invalidation correctly. The caller can either build their
- * own ld.so.cache before supplying us with the runtime, or supply
- * their own LD_LIBRARY_PATH. */
- if (custom_usr_path != NULL || custom_app_path != NULL)
- use_ld_so_cache = FALSE;
-
if (app_deploy != NULL)
{
g_autofree const char **previous_ids = NULL;
gsize len = 0;
gboolean do_migrate;
- real_app_id_dir = flatpak_get_data_dir (app_id);
original_app_files = flatpak_deploy_get_files (app_deploy);
+ original_app_fd = open (flatpak_file_get_path_cached (original_app_files),
+ O_PATH | O_CLOEXEC | O_NOFOLLOW);
+ if (original_app_fd < 0)
+ return glnx_throw_errno_prefix (error, "Failed to open original runtime");
+
+ real_app_id_dir = flatpak_get_data_dir (app_id);
previous_app_id_dirs = g_ptr_array_new_with_free_func (g_object_unref);
previous_ids = flatpak_deploy_data_get_previous_ids (app_deploy_data, &len);
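Review bot: The runtime selection tests the wrong variable: `else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL)` should read `else if (custom_runtime_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL)`. It only works today because both sentinels are -2. With the original runtime plus a custom or empty app (`custom_app_fd >= 0` or -3), control reaches `g_assert_not_reached ()`. The failure message for `original_app_fd` is a copy of the runtime one and should say `"Failed to open original app"`. The runtime open uses `O_PATH | O_CLOEXEC` while the app open adds `O_NOFOLLOW`; if that difference is intentional it deserves a comment. flatpak_run_app starts and ends outside this hunk.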
@@ -4343,19 +4452,60 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
app_id_dir = g_object_ref (real_app_id_dir);
}
- if (custom_app_path != NULL)
+ if (custom_app_fd >= 0)
{
- if (strcmp (custom_app_path, "") == 0)
- app_files = NULL;
- else
- app_files = g_file_new_for_path (custom_app_path);
+ g_autofree char *path = NULL;
- /* Mount the original app below here */
- app_target_path = "/run/parent/app";
+ path = get_path_for_fd (custom_app_fd, error);
+ if (path == NULL)
+ return glnx_prefix_error (error, "Cannot convert custom app fd to path");
+
+ custom_app_files = g_file_new_for_path (path);
+
+ original_app_target_path = "/run/parent/app";
+ app_fd = custom_app_fd;
+ app_files = custom_app_files;
+ }
+ else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL)
+ {
+ original_app_target_path = "/app";
+ app_fd = original_app_fd;
+ app_files = original_app_files;
+ }
+ else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_APP_EMPTY)
+ {
+ app_fd = -1;
+ app_files = NULL;
+ }
+ else
+ {
+ g_assert_not_reached ();
}
- else if (original_app_files != NULL)
+
+ /* We can't use the ld.so cache if we are using a custom /usr or /app,
+ * because we don't have a unique ID for the /usr or /app, so we can't
+ * do cache-invalidation correctly. The caller can either build their
+ * own ld.so.cache before supplying us with the runtime, or supply
+ * their own LD_LIBRARY_PATH. */
+ if (runtime_fd == custom_runtime_fd || app_fd == custom_app_fd)
{
- app_files = g_object_ref (original_app_files);
+ use_ld_so_cache = FALSE;
+ }
+ else
+ {
+ glnx_autofd int ldconfig_fd = -1;
+
+ ldconfig_fd = glnx_chaseat (runtime_fd, "bin/ldconfig",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ &my_error);
+ if (ldconfig_fd < 0)
+ {
+ use_ld_so_cache = FALSE;
+ g_debug ("bin/ldconfig not found in runtime: %s", my_error->message);
+ }
+
+ g_clear_error (&my_error);
}
flatpak_run_apply_env_default (bwrap, use_ld_so_cache);
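Review bot: The FLATPAK_RUN_APP_DEPLOY_APP_EMPTY branch leaves `original_app_target_path` at NULL, and a later hunk passes this pointer to flatpak_run_add_extension_args. The old code set the target to "/run/parent/app" for every custom app path, including the empty one. Adding `original_app_target_path = "/run/parent/app";` to that branch restores the previous value. The ld.so cache test `app_fd == custom_app_fd` is also false in the empty case (-1 against -3), so the cache is no longer disabled there as it was when `custom_app_path` was "". Testing `custom_runtime_fd >= 0 || custom_app_fd != FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL` would keep the old behaviour. flatpak_run_app starts and ends outside this hunk.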
@@ -4368,75 +4518,86 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
flatpak_bwrap_set_env (bwrap, "FLATPAK_SANDBOX_DIR", flatpak_file_get_path_cached (sandbox_dir), TRUE);
}
- flatpak_bwrap_add_args (bwrap,
- "--ro-bind", flatpak_file_get_path_cached (runtime_files), "/usr",
- NULL);
-
- if (runtime_files == original_runtime_files)
- {
- /* All true Flatpak runtimes have files/.ref */
- flatpak_bwrap_add_args (bwrap,
- "--lock-file", "/usr/.ref",
- NULL);
- }
- else
- {
- g_autoptr(GFile) runtime_child = NULL;
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd", runtime_fd, "/usr",
+ error))
+ return FALSE;
- runtime_child = g_file_get_child (runtime_files, ".ref");
+ {
+ glnx_autofd int runtime_ref_fd = -1;
- /* Lock ${usr}/.ref if it exists */
- if (g_file_query_exists (runtime_child, NULL))
+ runtime_ref_fd = glnx_chaseat (runtime_fd, ".ref",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ NULL);
+ if (runtime_ref_fd >= 0)
+ {
flatpak_bwrap_add_args (bwrap,
"--lock-file", "/usr/.ref",
NULL);
+ }
+ }
+
+ if (runtime_fd == custom_runtime_fd)
+ {
+ glnx_autofd int original_runtime_ref_fd = -1;
+ glnx_autofd int original_runtime_etc_fd = -1;
/* Put the real Flatpak runtime in /run/parent, so that the
* replacement /usr can have symlinks into /run/parent in order
* to use the Flatpak runtime's graphics drivers etc. if desired */
- flatpak_bwrap_add_args (bwrap,
- "--ro-bind",
- flatpak_file_get_path_cached (original_runtime_files),
- "/run/parent/usr",
- "--lock-file", "/run/parent/usr/.ref",
- NULL);
- flatpak_run_setup_usr_links (bwrap, original_runtime_files,
- "/run/parent");
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd",
+ original_runtime_fd,
+ "/run/parent/usr",
+ error))
+ return FALSE;
- g_clear_object (&runtime_child);
- runtime_child = g_file_get_child (original_runtime_files, "etc");
+ original_runtime_ref_fd = glnx_chaseat (original_runtime_fd, ".ref",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ NULL);
+ if (original_runtime_ref_fd >= 0)
+ {
+ flatpak_bwrap_add_args (bwrap,
+ "--lock-file", "/run/parent/usr/.ref",
+ NULL);
+ }
- if (g_file_query_exists (runtime_child, NULL))
- flatpak_bwrap_add_args (bwrap,
- "--symlink", "usr/etc", "/run/parent/etc",
- NULL);
+ original_runtime_etc_fd = glnx_chaseat (original_runtime_fd, "etc",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ NULL);
+ if (original_runtime_etc_fd >= 0)
+ {
+ flatpak_bwrap_add_args (bwrap,
+ "--symlink", "usr/etc", "/run/parent/etc",
+ NULL);
+ }
+
+ flatpak_run_setup_usr_links (bwrap, original_runtime_fd,
+ "/run/parent");
}
- if (app_files != NULL)
+ if (app_fd >= 0)
{
- flatpak_bwrap_add_args (bwrap,
- "--ro-bind", flatpak_file_get_path_cached (app_files), "/app",
- NULL);
+ glnx_autofd int app_ref_fd = -1;
- if (app_files == original_app_files)
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd", app_fd, "/app",
+ error))
+ return FALSE;
+
+ app_ref_fd = glnx_chaseat (app_fd, ".ref",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ NULL);
+ if (app_ref_fd >= 0)
{
- /* All true Flatpak apps have files/.ref */
flatpak_bwrap_add_args (bwrap,
"--lock-file", "/app/.ref",
NULL);
}
- else
- {
- g_autoptr(GFile) app_child = NULL;
-
- app_child = g_file_get_child (app_files, ".ref");
-
- /* Lock ${app}/.ref if it exists */
- if (g_file_query_exists (app_child, NULL))
- flatpak_bwrap_add_args (bwrap,
- "--lock-file", "/app/.ref",
- NULL);
- }
}
else
{
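Review bot: The lookup of `etc` in the original runtime uses GLNX_CHASE_MUST_BE_REGULAR, but `etc` is normally a directory and the old code only tested that it exists. As written, `original_runtime_etc_fd` would stay negative and the `/run/parent/etc` symlink would never be added. The flag should probably be `GLNX_CHASE_MUST_BE_DIRECTORY`, as add_tzdata_args uses for `share/zoneinfo`. Note also that `--lock-file /usr/.ref` used to be unconditional for a true Flatpak runtime and is now skipped silently when the lookup fails; a g_debug there would make that visible. flatpak_run_app starts and ends outside this hunk.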
@@ -4445,7 +4606,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
NULL);
}
- if (original_app_files != NULL && app_files != original_app_files)
+ if (original_app_fd >= 0 && original_app_fd != app_fd)
{
/* Put the real Flatpak app in /run/parent/app */
flatpak_bwrap_add_args (bwrap,
@@ -4458,26 +4619,37 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
if (metakey != NULL &&
!flatpak_run_add_extension_args (bwrap, metakey, app_ref,
- use_ld_so_cache, app_target_path,
+ use_ld_so_cache, original_app_target_path,
&app_extensions, &app_ld_path,
cancellable, error))
return FALSE;
if (!flatpak_run_add_extension_args (bwrap, runtime_metakey, runtime_ref,
- use_ld_so_cache, runtime_target_path,
+ use_ld_so_cache, original_runtime_target_path,
&runtime_extensions, &runtime_ld_path,
cancellable, error))
return FALSE;
- if (custom_usr_path == NULL)
+ if (runtime_fd == original_runtime_fd)
flatpak_run_extend_ld_path (bwrap, NULL, runtime_ld_path);
- if (custom_app_path == NULL)
+ if (app_fd == original_app_fd)
flatpak_run_extend_ld_path (bwrap, app_ld_path, NULL);
- runtime_ld_so_conf = g_file_resolve_relative_path (runtime_files, "etc/ld.so.conf");
- if (lstat (flatpak_file_get_path_cached (runtime_ld_so_conf), &s) == 0)
- generate_ld_so_conf = S_ISREG (s.st_mode) && s.st_size == 0;
+ {
+ glnx_autofd int ld_so_conf_fd = -1;
+ struct glnx_statx stx;
+
+ ld_so_conf_fd = glnx_chase_and_statxat (runtime_fd, "etc/ld.so.conf",
+ GLNX_CHASE_RESOLVE_BENEATH |
+ GLNX_CHASE_MUST_BE_REGULAR,
+ GLNX_STATX_SIZE,
+ &stx, NULL);
+ if (ld_so_conf_fd < 0 ||
+ !(stx.stx_mask & GLNX_STATX_SIZE) ||
+ stx.stx_size != 0)
+ generate_ld_so_conf = FALSE;
+ }
/* At this point we have the minimal argv set up, with just the app, runtime and extensions.
We can reuse this to generate the ld.so.cache (if needed) */
@@ -4489,7 +4661,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
bwrap->fds,
app_id_dir,
checksum,
- runtime_files,
+ runtime_fd,
generate_ld_so_conf,
cancellable, error);
if (ld_so_fd == -1)
@@ -4499,7 +4671,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
flags |= flatpak_context_get_run_flags (app_context);
- if (!flatpak_run_setup_base_argv (bwrap, runtime_files, app_id_dir, app_arch, flags, error))
+ if (!flatpak_run_setup_base_argv (bwrap, runtime_fd, app_id_dir, app_arch, flags, error))
return FALSE;
if (generate_ld_so_conf)
--
2.54.0


@ -1,78 +0,0 @@
From 7140fee959d82d1c5913167398e6d559f3a13ee3 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 20:55:46 +0100
Subject: [PATCH] run: Add --usr-fd and --app-fd options
Exposes options to pass in a fd for the runtime and app deploy. The
flatpak portal will make use of this in a following commit.
---
app/flatpak-builtins-run.c | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index 9403d8ae..a2d71420 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -60,7 +60,9 @@ static gboolean opt_parent_expose_pids;
static gboolean opt_parent_share_pids;
static int opt_instance_id_fd = -1;
static char *opt_app_path;
+static int opt_app_fd = -1;
static char *opt_usr_path;
+static int opt_usr_fd = -1;
static GOptionEntry options[] = {
{ "arch", 0, 0, G_OPTION_ARG_STRING, &opt_arch, N_("Arch to use"), N_("ARCH") },
@@ -88,7 +90,9 @@ static GOptionEntry options[] = {
{ "parent-share-pids", 0, 0, G_OPTION_ARG_NONE, &opt_parent_share_pids, N_("Share process ID namespace with parent"), NULL },
{ "instance-id-fd", 0, 0, G_OPTION_ARG_INT, &opt_instance_id_fd, N_("Write the instance ID to the given file descriptor"), NULL },
{ "app-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_app_path, N_("Use PATH instead of the app's /app"), N_("PATH") },
+ { "app-fd", 0, 0, G_OPTION_ARG_INT, &opt_app_fd, N_("Use FD instead of the app's /app"), N_("FD") },
{ "usr-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_usr_path, N_("Use PATH instead of the runtime's /usr"), N_("PATH") },
+ { "usr-fd", 0, 0, G_OPTION_ARG_INT, &opt_usr_fd, N_("Use FD instead of the runtime's /usr"), N_("FD") },
{ NULL }
};
@@ -307,7 +311,18 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
if (!opt_session_bus)
flags |= FLATPAK_RUN_FLAG_NO_SESSION_BUS_PROXY;
- if (opt_app_path != NULL)
+ if (opt_app_fd >= 0 && opt_app_path != NULL)
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR,
+ _("app-fd and app-path cannot both be used"));
+ return FALSE;
+ }
+
+ if (opt_app_fd >= 0)
+ {
+ app_fd = opt_app_fd;
+ }
+ else if (opt_app_path != NULL)
{
if (g_strcmp0 (opt_app_path, "") == 0)
{
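Review bot: `--app-fd` accepts any value `>= 0`, including 0, 1 and 2, and nothing in this hunk checks that the number names an open descriptor before it is stored in `app_fd`. That variable appears to be a glnx_autofd, so it would be closed on exit. The bind-fd callbacks added later in this series reject the standard descriptors, and the same guard fits here: `if (opt_app_fd >= 0 && opt_app_fd < 3) return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");`. The same applies to `opt_usr_fd` in the next hunk. flatpak_builtin_run begins and ends outside both hunks.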
@@ -326,7 +341,18 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
app_fd = FLATPAK_RUN_APP_DEPLOY_APP_ORIGINAL;
}
- if (opt_usr_path != NULL)
+ if (opt_usr_fd >= 0 && opt_usr_path != NULL)
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR,
+ _("usr-fd and usr-path cannot both be used"));
+ return FALSE;
+ }
+
+ if (opt_usr_fd >= 0)
+ {
+ usr_fd = opt_usr_fd;
+ }
+ else if (opt_usr_path != NULL)
{
usr_fd = open (opt_usr_path, O_PATH | O_CLOEXEC | O_NOFOLLOW);
--
2.54.0


@ -1,116 +0,0 @@
From 3a55408e13066f39f78158d3026ea3581f0b28c6 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 21:02:47 +0100
Subject: [PATCH] run: Add (ro-)bind fds to flatpak_run_app
The flatpak portal allows apps to expose files and folders from within
the sandbox to a side-sandbox using flatpak-spawn. So far it has used
the --filesystem option to mount those files and folders, but it takes a
path. Paths are inherently racy and they allow the app to swap out any
component of the path with a symlink after handing it off. If they win
the race, flatpak will mount a completely different directory.
This adds a new way to mount files and directories based on O_PATH
file descriptor that needs to provided when execing the flatpak binary.
---
app/flatpak-builtins-run.c | 2 ++
common/flatpak-installation.c | 1 +
common/flatpak-run-private.h | 2 ++
common/flatpak-run.c | 36 +++++++++++++++++++++++++++++++++++
4 files changed, 41 insertions(+)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index a2d71420..7190f1f7 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -380,6 +380,8 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
rest_argc - 1,
opt_instance_id_fd,
NULL,
+ NULL,
+ NULL,
cancellable,
error))
return FALSE;
diff --git a/common/flatpak-installation.c b/common/flatpak-installation.c
index 9254252d..6eb16459 100644
--- a/common/flatpak-installation.c
+++ b/common/flatpak-installation.c
@@ -710,6 +710,7 @@ flatpak_installation_launch_full (FlatpakInstallation *self,
NULL,
NULL, 0, -1,
&instance_dir,
+ NULL, NULL,
cancellable, error))
return FALSE;
diff --git a/common/flatpak-run-private.h b/common/flatpak-run-private.h
index 5fc1f296..23477bd8 100644
--- a/common/flatpak-run-private.h
+++ b/common/flatpak-run-private.h
@@ -200,6 +200,8 @@ gboolean flatpak_run_app (FlatpakDecomposed *app_ref,
int n_args,
int instance_id_fd,
char **instance_dir_out,
+ GArray *bind_fds,
+ GArray *ro_bind_fds,
GCancellable *cancellable,
GError **error);
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 0e1d16f9..9087be23 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4143,6 +4143,8 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
int n_args,
int instance_id_fd,
char **instance_dir_out,
+ GArray *bind_fds,
+ GArray *ro_bind_fds,
GCancellable *cancellable,
GError **error)
{
@@ -4717,6 +4719,40 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
flatpak_bwrap_add_arg_printf (bwrap, "/run/user/%d", getuid ());
}
+ for (i = 0; bind_fds && i < bind_fds->len; i++)
+ {
+ int fd = g_array_index (bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
+ for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++)
+ {
+ int fd = g_array_index (ro_bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
if (!flatpak_run_add_dconf_args (bwrap, app_id, metakey, error))
return FALSE;
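Review bot: The two loops over `bind_fds` and `ro_bind_fds` are identical apart from the option string, so a small static helper would keep the fd-to-destination logic in one place. The destination is whatever get_path_for_fd reports for the descriptor, and nothing visible here restricts it. A single helper is also the natural place to reject destinations that would shadow sandbox paths such as /usr or /app, if the callers do not already guarantee that. The comment "to determine to mount point destination" should read "to determine the mount point destination". flatpak_run_app starts and ends outside this hunk.

```c
/* Adds one OP mount per fd in FDS; each fd's current path is used only as
 * the destination inside the sandbox, the mount source is the fd itself. */
static gboolean
add_bind_fd_args (FlatpakBwrap *bwrap,
                  const char   *op,
                  GArray       *fds,
                  GError      **error)
{
  guint i;

  for (i = 0; fds != NULL && i < fds->len; i++)
    {
      int fd = g_array_index (fds, int, i);
      g_autofree char *path = NULL;

      path = get_path_for_fd (fd, error);
      if (path == NULL)
        return FALSE;

      if (!flatpak_bwrap_add_args_data_fd_dup (bwrap, op, fd, path, error))
        return FALSE;
    }

  return TRUE;
}

/* … unchanged: flatpak_run_app up to the /run/user argument … */
  if (!add_bind_fd_args (bwrap, "--bind-fd", bind_fds, error) ||
      !add_bind_fd_args (bwrap, "--ro-bind-fd", ro_bind_fds, error))
    return FALSE;
```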
--
2.54.0


@ -1,95 +0,0 @@
From 9ca818511d96dadbdb7b8deee1f8ef99f10914e6 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 21:03:34 +0100
Subject: [PATCH] run: Add --(ro-)bind-fd options
Exposes the functionality added to flatpak_run_app in the previous
commit with two new options.
---
app/flatpak-builtins-run.c | 49 ++++++++++++++++++++++++++++++++++++--
1 file changed, 47 insertions(+), 2 deletions(-)
diff --git a/app/flatpak-builtins-run.c b/app/flatpak-builtins-run.c
index 7190f1f7..7edd7326 100644
--- a/app/flatpak-builtins-run.c
+++ b/app/flatpak-builtins-run.c
@@ -63,6 +63,46 @@ static char *opt_app_path;
static int opt_app_fd = -1;
static char *opt_usr_path;
static int opt_usr_fd = -1;
+static GArray *opt_bind_fds = NULL;
+static GArray *opt_ro_bind_fds = NULL;
+
+static gboolean
+option_bind_fd_cb (const char *option_name,
+ const char *value,
+ gpointer data,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
+
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+
+ g_array_append_val (opt_bind_fds, fd);
+ return TRUE;
+}
+
+static gboolean
+option_ro_bind_fd_cb (const char *option_name,
+ const char *value,
+ gpointer data,
+ GError **error)
+{
+ glnx_autofd int fd = -1;
+
+ fd = flatpak_parse_fd (value, error);
+ if (fd < 0)
+ return FALSE;
+
+ if (fd < 3)
+ return glnx_throw (error, "File descriptors 0, 1, 2 are reserved");
+
+ g_array_append_val (opt_ro_bind_fds, fd);
+ return TRUE;
+}
static GOptionEntry options[] = {
{ "arch", 0, 0, G_OPTION_ARG_STRING, &opt_arch, N_("Arch to use"), N_("ARCH") },
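Review bot: Both callbacks declare `glnx_autofd int fd`, append its value to the array and return. The cleanup attribute therefore appears to close the descriptor on the way out, leaving the array with a closed fd number that can later be reused. The `fd < 3` error path has the same effect on stdin, stdout or stderr. Since the descriptor is inherited from the caller and only borrowed here, a plain `int fd = flatpak_parse_fd (value, error);` avoids both problems; if the array is meant to own it, reset it after the append with `fd = -1;`. This applies to option_bind_fd_cb and option_ro_bind_fd_cb alike.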
@@ -93,6 +133,8 @@ static GOptionEntry options[] = {
{ "app-fd", 0, 0, G_OPTION_ARG_INT, &opt_app_fd, N_("Use FD instead of the app's /app"), N_("FD") },
{ "usr-path", 0, 0, G_OPTION_ARG_FILENAME, &opt_usr_path, N_("Use PATH instead of the runtime's /usr"), N_("PATH") },
{ "usr-fd", 0, 0, G_OPTION_ARG_INT, &opt_usr_fd, N_("Use FD instead of the runtime's /usr"), N_("FD") },
+ { "bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_bind_fd_cb, N_("Bind mount the file or directory referred to by FD to its canonicalized path"), N_("FD") },
+ { "ro-bind-fd", 0, 0, G_OPTION_ARG_CALLBACK | G_OPTION_FLAG_HIDDEN, &option_ro_bind_fd_cb, N_("Bind mount the file or directory referred to by FD read-only to its canonicalized path"), N_("FD") },
{ NULL }
};
@@ -117,6 +159,9 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
glnx_autofd int app_fd = -1;
glnx_autofd int usr_fd = -1;
+ opt_bind_fds = g_array_new (FALSE, FALSE, sizeof (int));
+ opt_ro_bind_fds = g_array_new (FALSE, FALSE, sizeof (int));
+
context = g_option_context_new (_("APP [ARGUMENT…] - Run an app"));
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
@@ -380,8 +425,8 @@ flatpak_builtin_run (int argc, char **argv, GCancellable *cancellable, GError **
rest_argc - 1,
opt_instance_id_fd,
NULL,
- NULL,
- NULL,
+ opt_bind_fds,
+ opt_ro_bind_fds,
cancellable,
error))
return FALSE;
--
2.54.0


@ -1,601 +0,0 @@
From 9958b547bea1e9335cb91af61a239d1a7039387e Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 6 Feb 2026 21:03:58 +0100
Subject: [PATCH] portal: Use --bind-fd, --app-fd and --usr-fd options to avoid
races
Now that flatpak_run_app accepts fds for app and runtime deploy, as well
as bind and ro-bind fds, and flatpak-run exposes the functionality, we
can finally hook this all up to the flatpak portal!
---
portal/flatpak-portal.c | 438 +++++++++++++++-------------------------
1 file changed, 162 insertions(+), 276 deletions(-)
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
index e5701895..a4378f77 100644
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -550,195 +550,60 @@ child_setup_func (gpointer user_data)
}
static gboolean
-is_valid_expose (const char *expose,
- GError **error)
+validate_opath_fd (int fd,
+ gboolean needs_writable,
+ GError **error)
{
- /* No subdirs or absolute paths */
- if (expose[0] == '/')
- {
- g_set_error (error, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
- "Invalid sandbox expose: absolute paths not allowed");
- return FALSE;
- }
- else if (strchr (expose, '/'))
- {
- g_set_error (error, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
- "Invalid sandbox expose: subdirectories not allowed");
- return FALSE;
- }
-
- return TRUE;
-}
-
-static char *
-filesystem_arg (const char *path,
- gboolean readonly)
-{
- g_autoptr(GString) s = g_string_new ("--filesystem=");
- const char *p;
-
- for (p = path; *p != 0; p++)
- {
- if (*p == ':')
- g_string_append (s, "\\:");
- else
- g_string_append_c (s, *p);
- }
-
- if (readonly)
- g_string_append (s, ":ro");
-
- return g_string_free (g_steal_pointer (&s), FALSE);
-}
-
-
-static char *
-filesystem_sandbox_arg (const char *path,
- const char *sandbox,
- gboolean readonly)
-{
- g_autoptr(GString) s = g_string_new ("--filesystem=");
- const char *p;
-
- for (p = path; *p != 0; p++)
- {
- if (*p == ':')
- g_string_append (s, "\\:");
- else
- g_string_append_c (s, *p);
- }
-
- g_string_append (s, "/sandbox/");
-
- for (p = sandbox; *p != 0; p++)
- {
- if (*p == ':')
- g_string_append (s, "\\:");
- else
- g_string_append_c (s, *p);
- }
-
- if (readonly)
- g_string_append (s, ":ro");
-
- return g_string_free (g_steal_pointer (&s), FALSE);
-}
-
-static char *
-bubblewrap_remap_path (const char *path)
-{
- if (g_str_has_prefix (path, "/newroot/"))
- path = path + strlen ("/newroot");
- return g_strdup (path);
-}
-
-static char *
-verify_proc_self_fd (const char *proc_path,
- GError **error)
-{
- char path_buffer[PATH_MAX + 1];
- ssize_t symlink_size;
-
- symlink_size = readlink (proc_path, path_buffer, PATH_MAX);
- if (symlink_size < 0)
- return glnx_null_throw_errno_prefix (error, "readlink");
-
- path_buffer[symlink_size] = 0;
-
- /* All normal paths start with /, but some weird things
- don't, such as socket:[27345] or anon_inode:[eventfd].
- We don't support any of these */
- if (path_buffer[0] != '/')
- return glnx_null_throw (error, "%s resolves to non-absolute path %s",
- proc_path, path_buffer);
-
- /* File descriptors to actually deleted files have " (deleted)"
- appended to them. This also happens to some fake fd types
- like shmem which are "/<name> (deleted)". All such
- files are considered invalid. Unfortunatelly this also
- matches files with filenames that actually end in " (deleted)",
- but there is not much to do about this. */
- if (g_str_has_suffix (path_buffer, " (deleted)"))
- return glnx_null_throw (error, "%s resolves to deleted path %s",
- proc_path, path_buffer);
-
- /* remap from sandbox to host if needed */
- return bubblewrap_remap_path (path_buffer);
-}
-
-static char *
-get_path_for_fd (int fd,
- gboolean *writable_out,
- GError **error)
-{
- g_autofree char *proc_path = NULL;
int fd_flags;
struct stat st_buf;
- struct stat real_st_buf;
- g_autofree char *path = NULL;
- gboolean writable = FALSE;
- int read_access_mode;
+ int access_mode;
/* Must be able to get fd flags */
fd_flags = fcntl (fd, F_GETFL);
- if (fd_flags == -1)
- return glnx_null_throw_errno_prefix (error, "fcntl F_GETFL");
+ if (fd_flags < 0)
+ return glnx_throw_errno_prefix (error, "Failed to get fd flags");
/* Must be O_PATH */
if ((fd_flags & O_PATH) != O_PATH)
- return glnx_null_throw (error, "not opened with O_PATH");
-
- /* We don't want to allow exposing symlinks, because if they are
- * under the callers control they could be changed between now and
- * starting the child allowing it to point anywhere, so enforce NOFOLLOW.
- * and verify that stat is not a link.
- */
- if ((fd_flags & O_NOFOLLOW) != O_NOFOLLOW)
- return glnx_null_throw (error, "not opened with O_NOFOLLOW");
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "File descriptor is not O_PATH");
+ return FALSE;
+ }
/* Must be able to fstat */
if (fstat (fd, &st_buf) < 0)
- return glnx_null_throw_errno_prefix (error, "fstat");
-
- /* As per above, no symlinks */
- if (S_ISLNK (st_buf.st_mode))
- return glnx_null_throw (error, "is a symbolic link");
+ return glnx_throw_errno_prefix (error, "Failed to fstat");
- proc_path = g_strdup_printf ("/proc/self/fd/%d", fd);
-
- /* Must be able to read valid path from /proc/self/fd */
- /* This is an absolute and (at least at open time) symlink-expanded path */
- path = verify_proc_self_fd (proc_path, error);
- if (path == NULL)
- return NULL;
+ access_mode = R_OK;
+ if (S_ISDIR (st_buf.st_mode))
+ access_mode |= X_OK;
- /* Verify that this is the same file as the app opened */
- if (stat (path, &real_st_buf) < 0 ||
- st_buf.st_dev != real_st_buf.st_dev ||
- st_buf.st_ino != real_st_buf.st_ino)
- {
- /* Different files on the inside and the outside, reject the request */
- return glnx_null_throw (error,
- "different file inside and outside sandbox");
- }
+ if (needs_writable)
+ access_mode |= W_OK;
- read_access_mode = R_OK;
- if (S_ISDIR (st_buf.st_mode))
- read_access_mode |= X_OK;
+ /* Must be able to access readable and potentially writable */
+ if (faccessat (fd, "", access_mode, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW) != 0)
+ return glnx_throw_errno_prefix (error, "Bad access mode");
- /* Must be able to access the path via the sandbox supplied O_PATH fd,
- which applies the sandbox side mount options (like readonly). */
- if (access (proc_path, read_access_mode) != 0)
- return glnx_null_throw (error, "not %s in sandbox",
- read_access_mode & X_OK ? "accessible" : "readable");
+ return TRUE;
+}
- if (access (proc_path, W_OK) == 0)
- writable = TRUE;
+static int
+fd_map_remap_fd (GArray *fd_map,
+ int *max_fd_in_out,
+ int fd)
+{
+ FdMapEntry fd_map_entry;
- if (writable_out != NULL)
- *writable_out = writable;
+ /* Use a fd that hasn't been used yet. We might have to reshuffle
+ * fd_map_entry.to, a bit later. */
+ fd_map_entry.from = fd;
+ fd_map_entry.to = ++(*max_fd_in_out);
+ fd_map_entry.final = fd_map_entry.to;
+ g_array_append_val (fd_map, fd_map_entry);
- return g_steal_pointer (&path);
+ return fd_map_entry.final;
}
static gboolean
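Review bot: validate_opath_fd() no longer rejects a descriptor that refers to a symbolic link. The removed get_path_for_fd() required O_NOFOLLOW and failed on S_ISLNK, whereas the new body uses `st_buf` only for S_ISDIR and calls faccessat() with AT_SYMLINK_NOFOLLOW, which checks the link itself rather than its target. If the consumer of `--bind-fd` is what now deals with links and with path identity, a comment above the function should say where that happens; otherwise keep a rejection such as `if (S_ISLNK (st_buf.st_mode))` before the access check. Separately, faccessat() with AT_EMPTY_PATH presumably depends on faccessat2 support in the kernel and libc, so it is worth confirming on the oldest supported target that this call does not fail for every descriptor.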
@@ -793,9 +658,12 @@ handle_spawn (PortalFlatpak *object,
gboolean devel;
gboolean empty_app;
g_autoptr(GString) env_string = g_string_new ("");
- glnx_autofd int env_fd = -1;
const char *flatpak;
gboolean testing = FALSE;
+ g_autoptr(GArray) owned_fds = NULL;
+ g_autoptr(GArray) expose_fds = NULL;
+ g_autoptr(GArray) expose_fds_ro = NULL;
+ glnx_autofd int instance_sandbox_fd = -1;
child_setup_data.instance_id_fd = -1;
child_setup_data.env_fd = -1;
@@ -918,29 +786,6 @@ handle_spawn (PortalFlatpak *object,
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
- for (i = 0; sandbox_expose != NULL && sandbox_expose[i] != NULL; i++)
- {
- const char *expose = sandbox_expose[i];
-
- g_debug ("exposing %s", expose);
- if (!is_valid_expose (expose, &error))
- {
- g_dbus_method_invocation_return_gerror (invocation, error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
- }
-
- for (i = 0; sandbox_expose_ro != NULL && sandbox_expose_ro[i] != NULL; i++)
- {
- const char *expose = sandbox_expose_ro[i];
- g_debug ("exposing %s", expose);
- if (!is_valid_expose (expose, &error))
- {
- g_dbus_method_invocation_return_gerror (invocation, error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
- }
-
g_debug ("Running spawn command %s", arg_argv[0]);
n_fds = 0;
@@ -1112,10 +957,14 @@ handle_spawn (PortalFlatpak *object,
g_string_append_c (env_string, '\0');
}
+ owned_fds = g_array_new (FALSE, FALSE, sizeof (int));
+ g_array_set_clear_func (owned_fds, (GDestroyNotify) glnx_close_fd);
+
if (env_string->len > 0)
{
- FdMapEntry fd_map_entry;
g_auto(GLnxTmpfile) env_tmpf = { 0, };
+ int env_fd = -1;
+ int remapped_fd;
if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ",
env_string->str,
@@ -1126,16 +975,12 @@ handle_spawn (PortalFlatpak *object,
}
env_fd = glnx_steal_fd (&env_tmpf.fd);
+ g_array_append_val (owned_fds, env_fd);
- /* Use a fd that hasn't been used yet. We might have to reshuffle
- * fd_map_entry.to, a bit later. */
- fd_map_entry.from = env_fd;
- fd_map_entry.to = ++max_fd;
- fd_map_entry.final = fd_map_entry.to;
- g_array_append_val (fd_map, fd_map_entry);
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, env_fd);
g_ptr_array_add (flatpak_argv,
- g_strdup_printf ("--env-fd=%d", fd_map_entry.final));
+ g_strdup_printf ("--env-fd=%d", remapped_fd));
}
for (i = 0; unset_env != NULL && unset_env[i] != NULL; i++)
@@ -1243,54 +1088,100 @@ handle_spawn (PortalFlatpak *object,
else
g_ptr_array_add (flatpak_argv, g_strdup ("--unshare=network"));
+ expose_fds = g_array_new (FALSE, FALSE, sizeof (int));
+ expose_fds_ro = g_array_new (FALSE, FALSE, sizeof (int));
+
+ if (instance_path != NULL)
+ {
+ glnx_autofd int instance_fd = -1;
+
+ instance_fd = glnx_chaseat (AT_FDCWD, instance_path,
+ GLNX_CHASE_DEFAULT,
+ &error);
+ if (instance_fd < 0)
+ {
+ g_dbus_method_invocation_return_gerror (invocation, error);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
+ if (!glnx_ensure_dir (instance_fd, "sandbox", 0700, &error))
+ {
+ g_warning ("Unable to create %s/sandbox: %s", instance_path, error->message);
+ g_clear_error (&error);
+ }
+
+ instance_sandbox_fd = glnx_chaseat (instance_fd, "sandbox",
+ GLNX_CHASE_RESOLVE_NO_SYMLINKS,
+ &error);
+ if (instance_sandbox_fd < 0)
+ {
+ g_dbus_method_invocation_return_gerror (invocation, error);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+ }
- if (instance_path)
+ for (i = 0; sandbox_expose != NULL && sandbox_expose[i] != NULL; i++)
{
- for (i = 0; sandbox_expose != NULL && sandbox_expose[i] != NULL; i++)
- g_ptr_array_add (flatpak_argv,
- filesystem_sandbox_arg (instance_path, sandbox_expose[i], FALSE));
- for (i = 0; sandbox_expose_ro != NULL && sandbox_expose_ro[i] != NULL; i++)
- g_ptr_array_add (flatpak_argv,
- filesystem_sandbox_arg (instance_path, sandbox_expose_ro[i], TRUE));
+ int expose_fd;
+
+ g_assert (instance_sandbox_fd >= 0);
+
+ expose_fd = glnx_chaseat (instance_sandbox_fd, sandbox_expose[i],
+ GLNX_CHASE_RESOLVE_NO_SYMLINKS |
+ GLNX_CHASE_RESOLVE_BENEATH,
+ &error);
+ if (expose_fd < 0)
+ {
+ g_dbus_method_invocation_return_gerror (invocation, error);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
+ g_array_append_val (expose_fds, expose_fd);
+ /* transfers ownership, can't g_steal_fd with g_array_append_val */
+ g_array_append_val (owned_fds, expose_fd);
}
for (i = 0; sandbox_expose_ro != NULL && sandbox_expose_ro[i] != NULL; i++)
{
- const char *expose = sandbox_expose_ro[i];
- g_debug ("exposing %s", expose);
+ int expose_fd;
+
+ g_assert (instance_sandbox_fd >= 0);
+
+ expose_fd = glnx_chaseat (instance_sandbox_fd, sandbox_expose_ro[i],
+ GLNX_CHASE_RESOLVE_NO_SYMLINKS |
+ GLNX_CHASE_RESOLVE_BENEATH,
+ &error);
+ if (expose_fd < 0)
+ {
+ g_dbus_method_invocation_return_gerror (invocation, error);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
+ g_array_append_val (expose_fds_ro, expose_fd);
+ /* transfers ownership, can't g_steal_fd with g_array_append_val */
+ g_array_append_val (owned_fds, expose_fd);
}
if (sandbox_expose_fd != NULL)
{
gsize len = g_variant_n_children (sandbox_expose_fd);
+
for (i = 0; i < len; i++)
{
gint32 handle;
+
g_variant_get_child (sandbox_expose_fd, i, "h", &handle);
- if (handle >= 0 && handle < fds_len)
+ if (handle >= 0 && handle < fds_len &&
+ validate_opath_fd (fds[handle], TRUE, &error))
{
- int handle_fd = fds[handle];
- g_autofree char *path = NULL;
- gboolean writable = FALSE;
-
- path = get_path_for_fd (handle_fd, &writable, &error);
-
- if (path)
- {
- g_ptr_array_add (flatpak_argv, filesystem_arg (path, !writable));
- }
- else
- {
- g_debug ("unable to get path for sandbox-exposed fd %d, ignoring: %s",
- handle_fd, error->message);
- g_clear_error (&error);
- }
+ g_array_append_val (expose_fds, fds[handle]);
}
else
{
+ g_debug ("Invalid sandbox expose fd: %s", error->message);
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_INVALID_ARGS,
- "No file descriptor for handle %d",
+ "No valid file descriptor for handle %d",
handle);
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
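Review bot: In the `else` branch of the sandbox_expose_fd loop, `error->message` is read even when the branch was reached because `handle` is out of range. In that case validate_opath_fd() was never called and `error` (declared outside the hunk) is presumably still NULL. The handle comes from the D-Bus caller, so an out-of-range value would crash the portal instead of returning INVALID_ARGS; guard the log with `g_debug ("Invalid sandbox expose fd: %s", error != NULL ? error->message : "handle out of range");`. The read-only loop in the next hunk has the same pattern, and its reply text still reads "No file descriptor for handle %d" while this one became "No valid file descriptor". The `g_assert (instance_sandbox_fd >= 0)` in the two sandbox_expose loops likewise aborts on caller input if instance_path can be NULL at this point, where the removed code simply skipped the entries.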
@@ -1300,31 +1191,20 @@ handle_spawn (PortalFlatpak *object,
if (sandbox_expose_fd_ro != NULL)
{
gsize len = g_variant_n_children (sandbox_expose_fd_ro);
+
for (i = 0; i < len; i++)
{
gint32 handle;
+
g_variant_get_child (sandbox_expose_fd_ro, i, "h", &handle);
- if (handle >= 0 && handle < fds_len)
+ if (handle >= 0 && handle < fds_len &&
+ validate_opath_fd (fds[handle], FALSE, &error))
{
- int handle_fd = fds[handle];
- g_autofree char *path = NULL;
- gboolean writable = FALSE;
-
- path = get_path_for_fd (handle_fd, &writable, &error);
-
- if (path)
- {
- g_ptr_array_add (flatpak_argv, filesystem_arg (path, TRUE));
- }
- else
- {
- g_debug ("unable to get path for sandbox-exposed fd %d, ignoring: %s",
- handle_fd, error->message);
- g_clear_error (&error);
- }
+ g_array_append_val (expose_fds_ro, fds[handle]);
}
else
{
+ g_debug ("Invalid sandbox expose ro fd: %s", error->message);
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
G_DBUS_ERROR_INVALID_ARGS,
"No file descriptor for handle %d",
@@ -1334,20 +1214,40 @@ handle_spawn (PortalFlatpak *object,
}
}
+ for (i = 0; i < expose_fds->len; i++)
+ {
+ int remapped_fd;
+
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, expose_fds->data[i]);
+
+ g_ptr_array_add (flatpak_argv, g_strdup_printf ("--bind-fd=%d",
+ remapped_fd));
+ }
+
+ for (i = 0; i < expose_fds_ro->len; i++)
+ {
+ int remapped_fd;
+
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, expose_fds_ro->data[i]);
+
+ g_ptr_array_add (flatpak_argv, g_strdup_printf ("--ro-bind-fd=%d",
+ remapped_fd));
+ }
+
empty_app = (arg_flags & FLATPAK_SPAWN_FLAGS_EMPTY_APP) != 0;
+ if (empty_app && app_fd != NULL)
+ {
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+ G_DBUS_ERROR_INVALID_ARGS,
+ "app-fd and EMPTY_APP cannot both be used");
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
if (app_fd != NULL)
{
+ int remapped_fd;
gint32 handle = g_variant_get_handle (app_fd);
- g_autofree char *path = NULL;
-
- if (empty_app)
- {
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
- G_DBUS_ERROR_INVALID_ARGS,
- "app-fd and EMPTY_APP cannot both be used");
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
if (handle >= fds_len || handle < 0)
{
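Review bot: `expose_fds->data[i]` reads one byte, not the i-th descriptor: GArray's `data` member is a `gchar *`, so for i > 0 the index lands inside the bytes of the first int and the value handed to fd_map_remap_fd() is not the descriptor that was validated. Use `g_array_index (expose_fds, int, i)` here and `g_array_index (expose_fds_ro, int, i)` in the read-only loop below it. As written, the second and later entries resolve to unrelated small values, so a descriptor the caller never supplied could be mapped into the child; a regression test that exposes two descriptors would catch this. handle_spawn starts and ends outside the hunk.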
@@ -1359,18 +1259,11 @@ handle_spawn (PortalFlatpak *object,
}
g_assert (fds != NULL); /* otherwise fds_len would be 0 */
- path = get_path_for_fd (fds[handle], NULL, &error);
- if (path == NULL)
- {
- g_prefix_error (&error, "Unable to convert /app fd %d into path: ",
- fds[handle]);
- g_dbus_method_invocation_return_gerror (invocation, error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, fds[handle]);
- g_debug ("Using %s as /app instead of app", path);
- g_ptr_array_add (flatpak_argv, g_strdup_printf ("--app-path=%s", path));
+ g_ptr_array_add (flatpak_argv, g_strdup_printf ("--app-fd=%d",
+ remapped_fd));
}
else if (empty_app)
{
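Review bot: `fds[handle]` for app-fd is now forwarded to `--app-fd` without any check in the portal, where the removed get_path_for_fd() call enforced O_PATH, a successful fstat and readability; the usr-fd hunk below does the same. If flatpak run validates these descriptors itself, a short comment here saying so would make the trust boundary clear. Otherwise, calling `validate_opath_fd (fds[handle], FALSE, &error)` before fd_map_remap_fd() keeps the caller-facing error. handle_spawn continues outside the hunk.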
@@ -1379,8 +1272,8 @@ handle_spawn (PortalFlatpak *object,
if (usr_fd != NULL)
{
+ int remapped_fd;
gint32 handle = g_variant_get_handle (usr_fd);
- g_autofree char *path = NULL;
if (handle >= fds_len || handle < 0)
{
@@ -1392,18 +1285,11 @@ handle_spawn (PortalFlatpak *object,
}
g_assert (fds != NULL); /* otherwise fds_len would be 0 */
- path = get_path_for_fd (fds[handle], NULL, &error);
- if (path == NULL)
- {
- g_prefix_error (&error, "Unable to convert /usr fd %d into path: ",
- fds[handle]);
- g_dbus_method_invocation_return_gerror (invocation, error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
+ remapped_fd = fd_map_remap_fd (fd_map, &max_fd, fds[handle]);
- g_debug ("Using %s as /usr instead of runtime", path);
- g_ptr_array_add (flatpak_argv, g_strdup_printf ("--usr-path=%s", path));
+ g_ptr_array_add (flatpak_argv, g_strdup_printf ("--usr-fd=%d",
+ remapped_fd));
}
g_ptr_array_add (flatpak_argv, g_strdup_printf ("--runtime=%s", runtime_parts[1]));
--
2.54.0


@ -1,38 +0,0 @@
From 8d1e978c6a582b1603dccb7fe9340e15787f6297 Mon Sep 17 00:00:00 2001
From: Xiangzhe <xiangzhedev@gmail.com>
Date: Wed, 8 Apr 2026 12:27:28 +0800
Subject: [PATCH] run: Fix checking wrong variable in runtime fd selection
In flatpak_run_app(), the else-if branch that handles
FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL was checking custom_app_fd instead
of custom_runtime_fd. When custom_app_fd is APP_EMPTY (-3) and
custom_runtime_fd is USR_ORIGINAL (-2), the condition would not match
and fall through to g_assert_not_reached(), aborting the process.
This broke sub-sandbox spawning with --app-path="" (empty app), which
is used by steam-runtime-check-requirements to verify that Flatpak's
sub-sandbox mechanism works.
Fixes: ac62ebe3 "run: Use O_PATH fds for the runtime and app deploy directories"
Helps: https://github.com/flatpak/flatpak/issues/6568
(cherry picked from commit 066babba75d355d077ea11091e5f65d3b0e0d818)
---
common/flatpak-run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 9087be23..4ffc5fa3 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -4350,7 +4350,7 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
runtime_fd = custom_runtime_fd;
runtime_files = custom_runtime_files;
}
- else if (custom_app_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL)
+ else if (custom_runtime_fd == FLATPAK_RUN_APP_DEPLOY_USR_ORIGINAL)
{
original_runtime_target_path = "/usr";
runtime_fd = original_runtime_fd;
--
2.54.0


@ -1,90 +0,0 @@
From a13a7415517cbf1d5073bde05e5b9c3c95de6b16 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Fri, 9 Jan 2026 19:24:44 +0100
Subject: [PATCH] utils: Only remove cached files in the cache directory
The function flatpak_switch_symlink_and_remove is used to implement a
cache for ld.so (regenerate_ld_cache). If the active symlink changes to
a new cache file, the old cache file is supposed to get removed.
The symlink still points to the old cache file, so we would remove the
file that it points to and then point at the new file.
Because the symlink is under the app's control, the symlink can point
anywhere, and the removal happens in the host context, which allows an
app to remove arbitrary files on the host.
The filename of the cache files are checksums, which means that we can
ensure that the link is a file in the same directory of the link by
checking that it only contains the chars a-zA-Z0-9.
(cherry picked from commit c97905c8188ddaad01ee146b57bba6c3fa294113):
---
common/flatpak-utils.c | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
index 999d88fd..0ab84064 100644
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -1344,6 +1344,22 @@ out:
return ret;
}
+static gboolean
+flatpak_str_is_alphanumeric (const char *arg)
+{
+ while (*arg != '\0')
+ {
+ char c = *arg;
+
+ if (!g_ascii_isalnum (c))
+ return FALSE;
+
+ arg++;
+ }
+
+ return TRUE;
+}
+
/* This atomically replaces a symlink with a new value, removing the
* existing symlink target, if it exstis and is different from
* @target. This is atomic in the sense that we're guaranteed to
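Review bot: flatpak_str_is_alphanumeric() returns TRUE for an empty string, because the loop body never runs. That does not match the documented rule that the old target names a file in the symlink's directory, since an empty `old_target` makes g_build_filename() return the directory itself. Adding `if (*arg == '\0') return FALSE;` before the loop makes the helper reject that input, even if readlink is not expected to return it in practice.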
@@ -1353,6 +1369,9 @@ out:
* symlink for some reason, ending up with neither the old or the new
* target. That is fine if the reason for the symlink is keeping a
* cache though.
+ * The target shall only be a file in the same directory as the symlink, and
+ * shall only contain the characters a-zA-Z0-9. This is so that the target of
+ * the symlink that gets removed is in the same directory as the link.
*/
gboolean
flatpak_switch_symlink_and_remove (const char *symlink_path,
@@ -1396,10 +1415,21 @@ flatpak_switch_symlink_and_remove (const char *symlink_path,
g_autofree char *old_target = flatpak_readlink (tmp_path, error);
if (old_target == NULL)
return FALSE;
- if (strcmp (old_target, target) != 0) /* Don't remove old file if its the same as the new one */
+
+ /* Don't remove old file if its the same as the new one */
+ if (strcmp (old_target, target) != 0)
{
- g_autofree char *old_target_path = g_build_filename (symlink_dir, old_target, NULL);
- unlink (old_target_path);
+ if (flatpak_str_is_alphanumeric (old_target))
+ {
+ g_autofree char *old_target_path = NULL;
+
+ old_target_path = g_build_filename (symlink_dir, old_target, NULL);
+ unlink (old_target_path);
+ }
+ else
+ {
+ g_warning ("Refusing to delete old link target %s", old_target);
+ }
}
}
else if (errno != ENOENT)
--
2.54.0


@ -1,50 +0,0 @@
From 6a85e0591b6fbc01d9afe6d81bf6748ce2f3e8ac Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Mon, 12 Jan 2026 17:38:02 +0100
Subject: [PATCH] utils: Do not follow symlinks in local_open_file
We use local_open_file in the context of the system helper to open
files written by a user. This means that we want to prevent DOS and
exposing files which only the system helper has access to.
To prevent DOS and avoid side-effects, the file is opened with
O_NONBLOCK and O_NOCTTY.
To prevent leaking files, the file is supposed to not open symlinks.
This part, we failed at. We check if the opened file is a regular file,
but what we actually checked is, if the file a symlink might point at is
a regular file.
Fix this by also specifying O_NOFOLLOW in openat.
(cherry picked from commit 4a678f463b455c585d38ac4cf4d994e7ce710f8e):
---
common/flatpak-oci-registry.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
index 2dbd46b5..56853142 100644
--- a/common/flatpak-oci-registry.c
+++ b/common/flatpak-oci-registry.c
@@ -251,6 +251,9 @@ flatpak_oci_registry_new (const char *uri,
return oci_registry;
}
+/* Carefully opens a file from a base directory and subpath,
+ * making sure that its not a symlink, pipe, etc.
+ */
static int
local_open_file (int dfd,
const char *subpath,
@@ -262,7 +265,7 @@ local_open_file (int dfd,
struct stat tmp_st_buf;
do
- fd = openat (dfd, subpath, O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_NOCTTY);
+ fd = openat (dfd, subpath, O_NOFOLLOW | O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_NOCTTY);
while (G_UNLIKELY (fd == -1 && errno == EINTR));
if (fd == -1)
{
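Review bot: O_NOFOLLOW only refuses a symlink in the final component of `subpath`; any earlier component that is a symlink is still followed by openat(). If `subpath` can contain more than one component (its callers are outside the hunk), the comment added above local_open_file() overstates the guarantee. In that case the open should resolve beneath `dfd` without following links, for example with openat2() and `RESOLVE_NO_SYMLINKS | RESOLVE_BENEATH` where available, or by walking the components one at a time with O_NOFOLLOW. The function body continues outside the hunk.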
--
2.54.0


@ -1,152 +0,0 @@
From 640c9c2725f67220dd25a5148d6f2bb6fc7ddcf5 Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Sat, 7 Feb 2026 21:57:30 +0100
Subject: [PATCH] system-helper: Only remove an ongoing pull if users match
The code would always remove a pull from the hashtable, and then check if the
users match and abort if they don't. Either way, the pull gets dropped.
Fix this by only removing the pull if the dir and the user match.
(cherry picked from commit a27ec46e8c0ab0ae162f2aa3142dccb6b79d9211):
---
system-helper/flatpak-system-helper.c | 85 ++++++++++++---------------
1 file changed, 36 insertions(+), 49 deletions(-)
diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
index 03410e84..5aa3e2ab 100644
--- a/system-helper/flatpak-system-helper.c
+++ b/system-helper/flatpak-system-helper.c
@@ -355,23 +355,31 @@ get_connection_uid (GDBusMethodInvocation *invocation, uid_t *out_uid, GError **
}
static OngoingPull *
-take_ongoing_pull_by_dir (const gchar *src_dir)
+take_ongoing_pull_by_dir (const char *src_dir,
+ uid_t uid)
{
OngoingPull *pull = NULL;
- gpointer key, value;
+ char *cache_dir_name = NULL;
G_LOCK (cache_dirs_in_use);
- /* Keep src_dir key inside hashtable but remove its OngoingPull
- * value and set it to NULL. This way src_dir is still marked
- * as in-use (as Deploy or CancelPull might be executing on it,
- * whereas OngoingPull ownership is transferred to respective
- * callers. */
- if (g_hash_table_steal_extended (cache_dirs_in_use, src_dir, &key, &value))
- {
- if (value)
+ if (g_hash_table_steal_extended (cache_dirs_in_use, src_dir,
+ (gpointer) &cache_dir_name,
+ (gpointer) &pull))
+ {
+ if (pull && pull->uid == uid)
{
- g_hash_table_insert (cache_dirs_in_use, key, NULL);
- pull = value;
+ /* Keep src_dir key inside hashtable but remove its OngoingPull
+ * value and set it to NULL. This way src_dir is still marked
+ * as in-use (as Deploy or CancelPull might be executing on it,
+ * whereas OngoingPull ownership is transferred to respective
+ * callers. */
+ g_hash_table_insert (cache_dirs_in_use, cache_dir_name, NULL);
+ }
+ else
+ {
+ /* Otherwise, re-insert what is currently there and return NULL */
+ g_hash_table_insert (cache_dirs_in_use, cache_dir_name, pull);
+ pull = NULL;
}
}
G_UNLOCK (cache_dirs_in_use);
@@ -423,6 +431,9 @@ handle_deploy (FlatpakSystemHelper *object,
if (strlen (arg_repo_path) > 0)
{
+ g_autoptr(GError) local_error = NULL;
+ uid_t uid;
+
if (!g_file_query_exists (repo_file, NULL))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
@@ -430,30 +441,17 @@ handle_deploy (FlatpakSystemHelper *object,
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
+ /* Ensure that pull's uid is same as the caller's uid */
+ if (!get_connection_uid (invocation, &uid, &local_error))
+ {
+ g_dbus_method_invocation_return_gerror (invocation, local_error);
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
+ }
+
src_dir = g_path_get_dirname (arg_repo_path);
- ongoing_pull = take_ongoing_pull_by_dir (src_dir);
+ ongoing_pull = take_ongoing_pull_by_dir (src_dir, uid);
if (ongoing_pull != NULL)
{
- g_autoptr(GError) local_error = NULL;
- uid_t uid;
-
- /* Ensure that pull's uid is same as the caller's uid */
- if (!get_connection_uid (invocation, &uid, &local_error))
- {
- g_dbus_method_invocation_return_gerror (invocation, local_error);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
- else
- {
- if (ongoing_pull->uid != uid)
- {
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
- "Ongoing pull's uid(%d) does not match with peer uid(%d)",
- ongoing_pull->uid, uid);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
- }
-
terminate_revokefs_backend (ongoing_pull);
if (!flatpak_canonicalize_permissions (AT_FDCWD,
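Review bot: A uid mismatch is now indistinguishable from "no ongoing pull" in handle_deploy: take_ongoing_pull_by_dir() returns NULL in both cases and only the `if (ongoing_pull != NULL)` block is entered, so a caller whose uid does not match no longer gets the error that the removed lines returned. What handle_deploy does with `arg_repo_path` after that block is outside the hunk; if it goes on to deploy from a directory that another user's pull still holds, the request should be refused, for example by having the helper report the mismatch separately from "not found". At minimum, a `g_warning` on mismatch inside take_ongoing_pull_by_dir() would keep the event visible in the logs.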
@@ -735,31 +733,20 @@ handle_cancel_pull (FlatpakSystemHelper *object,
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
- ongoing_pull = take_ongoing_pull_by_dir (arg_src_dir);
- if (ongoing_pull == NULL)
+ if (!get_connection_uid (invocation, &uid, &error))
{
- g_set_error (&error, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
- "Cannot find ongoing pull to cancel at %s", arg_src_dir);
g_dbus_method_invocation_return_gerror (invocation, error);
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
- /* Ensure that pull's uid is same as the caller's uid */
- if (!get_connection_uid (invocation, &uid, &error))
+ ongoing_pull = take_ongoing_pull_by_dir (arg_src_dir, uid);
+ if (ongoing_pull == NULL)
{
+ g_set_error (&error, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
+ "Cannot find ongoing pull to cancel at %s", arg_src_dir);
g_dbus_method_invocation_return_gerror (invocation, error);
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
- else
- {
- if (ongoing_pull->uid != uid)
- {
- g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
- "Ongoing pull's uid(%d) does not match with peer uid(%d)",
- ongoing_pull->uid, uid);
- return G_DBUS_METHOD_INVOCATION_HANDLED;
- }
- }
ongoing_pull->preserve_pull = (arg_flags & FLATPAK_HELPER_CANCEL_PULL_FLAGS_PRESERVE_PULL) != 0;
ongoing_pull_free (ongoing_pull);
--
2.54.0


@ -1,330 +0,0 @@
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:22:30 +0200
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessible to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
[smcv: Use glnx_steal_fd() for portability to older GLib]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
1 file changed, 105 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..8c784acf 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
return g_steal_pointer (&exports);
}
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int base_fd,
+ const char *basedir,
+ int mode,
+ const char *subdir,
+ int *out_fd,
+ GError **error)
+{
+ glnx_autofd int parent_fd = -1;
+
+ if (g_path_is_absolute (subdir))
+ {
+ const char *skipped_prefix = subdir;
+
+ while (*skipped_prefix == '/')
+ skipped_prefix++;
+
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+ subdir = skipped_prefix;
+ }
+
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+ if (strcmp (subdir_dirname, ".") == 0)
+ {
+ /* It is ok to open basedir with follow=true */
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+ return FALSE;
+ }
+ else if (strcmp (subdir_dirname, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+ else
+ {
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+ subdir_dirname, &parent_fd, error))
+ return FALSE;
+ }
+
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+ if (strcmp (subdir_basename, ".") == 0)
+ {
+ *out_fd = glnx_steal_fd (&parent_fd);
+ return TRUE;
+ }
+ else if (strcmp (subdir_basename, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+ return FALSE;
+
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+ if (fd == -1)
+ {
+ int saved_errno = errno;
+ struct stat stat_buf;
+
+ /* If it's a symbolic link, that could be a user trying to offload
+ * large data to another filesystem, but it could equally well be
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+ * Produce a clearer error message in this case.
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
+ * to ask again to find out whether it's really a symlink. */
+ if (saved_errno == ENOTDIR &&
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+ S_ISLNK (stat_buf.st_mode))
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+ }
+
+ *out_fd = fd;
+ return TRUE;
+}
+
void
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
FlatpakBwrap *bwrap,
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, NULL))
{
const char *persist = key;
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
+ g_autoptr(GError) local_error = NULL;
+
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
+ {
+ g_warning ("Unable to create directory %s", appdir);
+ continue;
+ }
+
+ /* Don't follow symlinks from the persist directory, as it is under user control */
+ glnx_autofd int src_fd = -1;
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+ persist, &src_fd,
+ &local_error))
+ {
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+ continue;
+ }
- g_mkdir_with_parents (src, 0755);
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
}
}
--
2.46.0
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:59:05 +0200
Subject: [PATCH 2/4] Add test coverage for --persist
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index dd371df3..bca0845d 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
skip_without_bwrap
skip_revokefs_without_fuse
-echo "1..20"
+echo "1..21"
# Use stable rather than master as the branch so we can test that the run
# command automatically finds the branch correctly
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
ok "--sdk option"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
--
2.46.0
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 12 Aug 2024 19:48:18 +0100
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
option
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
For this stable branch, check the --help output for a --bind-fd option
instead of requiring a specific version number, to accommodate possible
backports in LTS distributions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
configure.ac | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0a44e11a..0c8e2d0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
--
2.46.0
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
option
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 8c784acf..baa62728 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
continue;
}
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
--
2.46.0



@ -1,28 +0,0 @@
From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 6 Nov 2023 20:27:16 +0100
Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
---
selinux/flatpak.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
index bb3d80e316eb..4cf895c44abe 100644
--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
@@ -33,10 +33,6 @@ optional_policy(`
policykit_dbus_chat(flatpak_helper_t)
')
-optional_policy(`
- systemd_userdbd_stream_connect(flatpak_helper_t)
-')
-
optional_policy(`
unconfined_domain(flatpak_helper_t)
')
--
2.41.0


@ -1,632 +0,0 @@
%global bubblewrap_version 0.4.0-2
%global ostree_version 2020.8
Name: flatpak
Version: 1.12.9
Release: 4%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
%if 0%{?fedora}
# Add Fedora flatpak repositories
Source1: flatpak-add-fedora-repos.service
%endif
# https://issues.redhat.com/browse/RHEL-4220
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
# Backported upstream patch for CVE-2024-42472
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
# CVE-2026-34078
Patch100: flatpak-1.12.x-update-libglnx-for-glnx-chaseseat.patch
Patch101: CVE-2026-34078-1-flatpak-bwrap-add-dup-ing-variant-flatpak-bwrap-add-args-data-fd-dup.patch
Patch102: CVE-2026-34078-2-utils-add-flatpak-parse-fd.patch
Patch103: CVE-2026-34078-3-flatpak-bwrap-use-glnx-close-fd-as-clear-func.patch
Patch104: CVE-2026-34078-4-run-use-o-path-fds-for-the-runtime-and-app-deploy-directories.patch
Patch105: CVE-2026-34078-5-run-add-usr-fd-and-app-fd-options.patch
Patch106: CVE-2026-34078-6-run-add-ro-bind-fds-to-flatpak-run-app.patch
Patch107: CVE-2026-34078-7-run-add-ro-bind-fd-options.patch
Patch108: CVE-2026-34078-8-portal-use-bind-fd-app-fd-and-usr-fd-options-to-avoid-races.patch
Patch109: CVE-2026-34078-9-run-fix-checking-wrong-variable-in-runtime-fd-selection.patch
Patch110: CVE-2026-34078-10-run-mount-original-app-on-run-parent-app-when-using-app-path.patch
Patch111: CVE-2026-34078-11-portal-update-max-fd-after-creating-the-instance-id-pipe.patch
Patch112: CVE-2026-34078-12-run-fix-fd-tracking-in-flatpak-run-add-app-info-args.patch
Patch113: CVE-2026-34078-13-utils-improve-error-message-when-passing-an-fd-numer-which-is-not-a-fd.patch
Patch114: CVE-2026-34078-14-run-do-not-close-bind-ro-bind.patch
Patch115: CVE-2026-34078-15-run-use-the-same-fd-validation-for-all-fd-options.patch
Patch116: CVE-2026-34078-16-run-add-bind-fd-and-ro-bind-fd-binds-after-all-other-binds.patch
Patch117: CVE-2026-34078-17-portal-use-g-array-index-to-read-from-expose-fds-expose-fds-ro.patch
Patch118: CVE-2026-34078-18-run-fix-backport-mistake.patch
Patch119: CVE-2026-34078-19-run-cope-with-an-empty-runtime.patch
Patch120: CVE-2026-34078-20-dir-in-apply-extra-data-don-t-assume-there-is-always-a-runtime.patch
Patch121: CVE-2026-34078-21-utils-add-flatpak-set-cloexec.patch
Patch122: CVE-2026-34078-22-run-context-mark-fd-arguments-as-close-on-exec.patch
Patch123: CVE-2026-34078-23-utils-move-flatpak-get-path-for-fd-to-here.patch
Patch124: CVE-2026-34078-24-portal-avoid-crash-if-sandbox-expose-ro-fd-is-out-of-range.patch
Patch125: CVE-2026-34078-25-portal-log-and-ignore-unusable-sandbox-expose-fds-instead-of-erroring.patch
Patch126: CVE-2026-34078-26-portal-reinstate-flatpak-get-path-for-fd-checks.patch
Patch127: CVE-2026-34078-27-libtest-allow-adding-a-new-ref-to-an-existing-temporary-ostree-repo.patch
Patch128: CVE-2026-34078-28-app-context-never-close-fds-0-1-or-2.patch
Patch129: CVE-2026-34078-29-app-context-factor-out-flatpak-accept-fd-argument.patch
# CVE-2026-34079
Patch130: CVE-2026-34079-1-utils-only-remove-cached-files-in-the-cache-directory.patch
Patch131: CVE-2026-34079-2-utils-do-not-follow-symlinks-in-local-open-file.patch
Patch132: CVE-2026-34079-3-system-helper-only-remove-an-ongoing-pull-if-users-match.patch
BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme)
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp)
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
BuildRequires: pkgconfig(libzstd) >= 0.8.1
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
BuildRequires: pkgconfig(polkit-gobject-1)
BuildRequires: pkgconfig(xau)
BuildRequires: bison
BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: libassuan-devel
BuildRequires: libcap-devel
BuildRequires: python3-devel
BuildRequires: python3-pyparsing
BuildRequires: systemd
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
Requires: bubblewrap >= %{bubblewrap_version}
Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version}
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Recommends: p11-kit-server
# Make sure the document portal is installed
%if 0%{?fedora} || 0%{?rhel} > 7
Recommends: xdg-desktop-portal > 0.10
# Remove in F30.
Conflicts: xdg-desktop-portal < 0.10
%else
Requires: xdg-desktop-portal > 0.10
%endif
%description
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.
%package devel
Summary: Development files for %{name}
License: LGPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
This package contains the pkg-config file and development headers for %{name}.
%package libs
Summary: Libraries for %{name}
License: LGPLv2+
Requires: bubblewrap >= %{bubblewrap_version}
Requires: ostree%{?_isa} >= %{ostree_version}
Requires(pre): /usr/sbin/useradd
%description libs
This package contains libflatpak.
%package selinux
Summary: SELinux policy module for %{name}
License: LGPLv2+
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
This package contains the SELinux policy module for %{name}.
%package session-helper
Summary: User D-Bus service used by %{name} and others
License: LGPLv2+
Conflicts: flatpak < 1.4.1-2
Requires: systemd
%description session-helper
This package contains the org.freedesktop.Flatpak user D-Bus service
that's used by %{name} and other packages.
%package tests
Summary: Tests for %{name}
License: LGPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-session-helper%{?_isa} = %{version}-%{release}
Requires: bubblewrap >= %{bubblewrap_version}
Requires: ostree%{?_isa} >= %{ostree_version}
%description tests
This package contains installed tests for %{name}.
%prep
%autosetup -p1
# Make sure to use the RHEL-lifetime supported Python and no other
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
%build
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
# Generate consistent IDs between runs to avoid multilib problems.
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
%configure \
--enable-docbook-docs \
--enable-installed-tests \
--enable-selinux-module \
--with-priv-mode=none \
--with-system-bubblewrap \
$CONFIGFLAGS)
%make_build V=1
%install
%make_install
install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
# The system repo is not installed by the flatpak build system.
install -d %{buildroot}%{_localstatedir}/lib/flatpak
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
rm -f %{buildroot}%{_libdir}/libflatpak.la
%if 0%{?fedora}
install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
%endif
%find_lang %{name}
# Work around selinux denials, see
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
# going to need the system env generator if we should enable malcontent support
# in the future.
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%pre
getent group flatpak >/dev/null || groupadd -r flatpak
getent passwd flatpak >/dev/null || \
useradd -r -g flatpak -d / -s /sbin/nologin \
-c "User for flatpak system helper" flatpak
exit 0
%if 0%{?fedora}
%post
%systemd_post flatpak-add-fedora-repos.service
%endif
%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
%if 0%{?fedora}
%preun
%systemd_preun flatpak-add-fedora-repos.service
%endif
%if 0%{?fedora}
%postun
%systemd_postun_with_restart flatpak-add-fedora-repos.service
%endif
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
fi
%ldconfig_scriptlets libs
%files -f %{name}.lang
%license COPYING
# Comply with the packaging guidelines about not mixing relative and absolute
# paths in doc.
%doc %{_pkgdocdir}
%{_bindir}/flatpak
%{_bindir}/flatpak-bisect
%{_bindir}/flatpak-coredumpctl
%{_datadir}/bash-completion
%{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml
%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
%{_datadir}/fish
%{_datadir}/%{name}
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
%{_datadir}/zsh/site-functions
%{_libexecdir}/flatpak-dbus-proxy
%{_libexecdir}/flatpak-oci-authenticator
%{_libexecdir}/flatpak-portal
%{_libexecdir}/flatpak-system-helper
%{_libexecdir}/flatpak-validate-icon
%{_libexecdir}/revokefs-fuse
%dir %{_localstatedir}/lib/flatpak
%{_mandir}/man1/%{name}*.1*
%{_mandir}/man5/%{name}-metadata.5*
%{_mandir}/man5/flatpak-flatpakref.5*
%{_mandir}/man5/flatpak-flatpakrepo.5*
%{_mandir}/man5/flatpak-installation.5*
%{_mandir}/man5/flatpak-remote.5*
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%dir %{_sysconfdir}/flatpak
%{_sysconfdir}/flatpak/remotes.d
%{_sysconfdir}/profile.d/flatpak.sh
%{_sysusersdir}/flatpak.conf
%{_unitdir}/flatpak-system-helper.service
%{_userunitdir}/flatpak-oci-authenticator.service
%{_userunitdir}/flatpak-portal.service
%{_systemd_user_env_generator_dir}/60-flatpak
%if 0%{?fedora}
%{_unitdir}/flatpak-add-fedora-repos.service
%endif
%files devel
%{_datadir}/gir-1.0/Flatpak-1.0.gir
%{_datadir}/gtk-doc/
%{_includedir}/%{name}/
%{_libdir}/libflatpak.so
%{_libdir}/pkgconfig/%{name}.pc
%files libs
%license COPYING
%{_libdir}/girepository-1.0/Flatpak-1.0.typelib
%{_libdir}/libflatpak.so.*
%files selinux
%{_datadir}/selinux/packages/flatpak.pp.bz2
%{_datadir}/selinux/devel/include/contrib/flatpak.if
%files session-helper
%license COPYING
%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml
%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service
%{_libexecdir}/flatpak-session-helper
%{_userunitdir}/flatpak-session-helper.service
%files tests
%{_datadir}/installed-tests
%{_libexecdir}/installed-tests
%changelog
* Wed May 20 2026 Jan Grulich <jgrulich@redhat.com> - 1.12.9-4
- Fix arbitrary code execution via crafted symlinks in sandbox-expose options
Resolves: RHEL-165633
- Fix arbitrary file deletion on host via improper cache file path validation
Resolves: RHEL-170160
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3
- Fix previous changelog entry
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2
- Backport upstream patches for CVE-2024-42472
- Require bubblewrap version that has new --bind-fd option backported for
addressing CVE-2024-42472
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
- Update to 1.12.9 (CVE-2024-32462)
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
- Rebase to 1.12.8 (RHEL-4220)
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
- Rebase to 1.10.8 (#2222103)
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Rebase to 1.10.7 (#2062417)
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
- Rebase to 1.8.7 (#2041972)
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
- Rebase to 1.8.6 (#2010533)
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
- Fix CVE-2021-41133 (#2012869)
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
- Disable gvfs plugins when listing flatpak installations (#1980438)
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
- Ship flatpak-devel in CRB (#1938064)
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
- Fix CVE-2021-21381 (#1938064)
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
- Apply post-release CVE fixes (#1918776)
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
- Rebase to 1.8.5 (#1851958)
* Tue Nov 17 2020 David King <dking@redhat.com> - 1.8.3-1
- Rebase to 1.8.3 (#1851958)
* Mon Oct 05 2020 David King <dking@redhat.com> - 1.8.2-1
- Rebase to 1.8.2 (#1851958)
* Mon Sep 14 2020 Kalev Lember <klember@redhat.com> - 1.6.2-4
- OCI: extract appstream data for runtimes (#1878231)
* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3
- Further fixes for OCI authenticator (#1847201)
* Fri Mar 20 2020 David King <dking@redhat.com> - 1.6.2-2
- Fixes for OCI authenticator (#1814045)
* Thu Feb 13 2020 David King <dking@redhat.com> - 1.6.2-1
- Rebase to 1.6.2 (#1775339)
* Thu Jan 23 2020 David King <dking@redhat.com> - 1.6.1-1
- Rebase to 1.6.1 (#1775339)
* Fri Jan 17 2020 David King <dking@redhat.com> - 1.6.0-2
- Remove broken python3 sed hack (#1775339)
* Sat Dec 21 2019 David King <dking@redhat.com> - 1.6.0-1
- Rebase to 1.6.0 (#1775339)
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.4.3-2
- Use %%{?selinux_requires} for proper install ordering
* Tue Oct 08 2019 David King <dking@redhat.com> - 1.4.3-1
- Rebase to 1.4.3 (#1748276)
* Fri Sep 20 2019 Kalev Lember <klember@redhat.com> - 1.0.9-1
- Update to 1.0.9 (#1753613)
* Tue May 14 2019 David King <dking@redhat.com> - 1.0.6-4
- Bump release (#1700654)
* Mon Apr 29 2019 David King <dking@redhat.com> - 1.0.6-3
- Fix IOCSTI sandbox bypass (#1700654)
* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.6-2
- Do not mount /proc in root sandbox (#1675776)
* Tue Dec 18 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
- Update to 1.0.6 (#1630249)
- Recommend p11-kit-server instead of just p11-kit (#1649049)
* Mon Dec 10 2018 David King <dking@redhat.com> - 1.0.4-2
- Backport patches to improve OCI support (#1657306)
* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
- Update to 1.0.4 (#1630249)
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
- Update to 1.0.2 (#1630249)
* Tue Aug 28 2018 David King <dking@redhat.com> - 1.0.1-1
- Update to 1.0.1 (#1621401)
* Wed Aug 01 2018 David King <dking@redhat.com> - 0.99.3-1
- Update to 0.99.3
* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
somewhere before Fedora 22 which this spec file certainly no longer
supports.
* Thu May 03 2018 Kalev Lember <klember@redhat.com> - 0.11.7-1
- Update to 0.11.7
* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.6-1
- Update to 0.11.6
* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.5-2
- Backport a fix for a gnome-software crash installing .flatpakref files
* Mon Apr 30 2018 David King <amigadave@amigadave.com> - 0.11.5-1
- Update to 0.11.5
* Thu Apr 26 2018 Kalev Lember <klember@redhat.com> - 0.11.4-1
- Update to 0.11.4
* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.3-1
- Update to 0.11.3
* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.2-1
- Update to 0.11.2
* Wed Feb 14 2018 David King <amigadave@amigadave.com> - 0.11.1-1
- Update to 0.11.1 (#1545224)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.10.3-2
- Switch to %%ldconfig_scriptlets
* Tue Jan 30 2018 Kalev Lember <klember@redhat.com> - 0.10.3-1
- Update to 0.10.3
* Thu Dec 21 2017 David King <amigadave@amigadave.com> - 0.10.2.1-1
- Update to 0.10.2.1
* Fri Dec 15 2017 Kalev Lember <klember@redhat.com> - 0.10.2-1
- Update to 0.10.2
* Fri Nov 24 2017 David King <amigadave@amigadave.com> - 0.10.1-1
- Update to 0.10.1
* Thu Oct 26 2017 Kalev Lember <klember@redhat.com> - 0.10.0-1
- Update to 0.10.0
* Mon Oct 09 2017 Kalev Lember <klember@redhat.com> - 0.9.99-1
- Update to 0.9.99
* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.2-1
- Update to 0.9.98.2
* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.1-1
- Update to 0.9.98.1
* Mon Sep 25 2017 Kalev Lember <klember@redhat.com> - 0.9.98-1
- Update to 0.9.98
* Thu Sep 14 2017 Kalev Lember <klember@redhat.com> - 0.9.12-1
- Update to 0.9.12
* Wed Sep 13 2017 Kalev Lember <klember@redhat.com> - 0.9.11-1
- Update to 0.9.11
* Mon Sep 04 2017 Kalev Lember <klember@redhat.com> - 0.9.10-1
- Update to 0.9.10
- Split out flatpak-builder to a separate source package
* Fri Aug 25 2017 Kalev Lember <klember@redhat.com> - 0.9.8-2
- Backport a patch to fix regression in --devel
* Mon Aug 21 2017 David King <amigadave@amigadave.com> - 0.9.8-1
- Update to 0.9.8
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 0.9.7-4
- Rebuild with binutils fix for ppc64le (#1475636)
* Thu Jul 27 2017 Owen Taylor <otaylor@redhat.com> - 0.9.7-3
- Add a patch to fix OCI refname annotation
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jul 01 2017 David King <amigadave@amigadave.com> - 0.9.7-1
- Update to 0.9.7 (#1466970)
* Tue Jun 20 2017 David King <amigadave@amigadave.com> - 0.9.6-1
- Update to 0.9.6
* Sat Jun 10 2017 David King <amigadave@amigadave.com> - 0.9.5-1
- Update to 0.9.5 (#1460437)
* Tue May 23 2017 David King <amigadave@amigadave.com> - 0.9.4-1
- Update to 0.9.4 (#1454750)
* Mon Apr 24 2017 David King <amigadave@amigadave.com> - 0.9.3-1
- Update to 0.9.3
* Fri Apr 07 2017 David King <amigadave@amigadave.com> - 0.9.2-2
- Add eu-strip dependency for flatpak-builder
* Wed Apr 05 2017 Kalev Lember <klember@redhat.com> - 0.9.2-1
- Update to 0.9.2
* Wed Mar 15 2017 Kalev Lember <klember@redhat.com> - 0.9.1-1
- Update to 0.9.1
* Fri Mar 10 2017 Kalev Lember <klember@redhat.com> - 0.8.4-1
- Update to 0.8.4
* Sun Feb 19 2017 David King <amigadave@amigadave.com> - 0.8.3-3
- Make flatpak-builder require bzip2 (#1424857)
* Wed Feb 15 2017 Kalev Lember <klember@redhat.com> - 0.8.3-2
- Avoid pulling in all of ostree and only depend on ostree-libs subpackage
* Tue Feb 14 2017 Kalev Lember <klember@redhat.com> - 0.8.3-1
- Update to 0.8.3
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 27 2017 Kalev Lember <klember@redhat.com> - 0.8.2-1
- Update to 0.8.2
* Wed Jan 18 2017 David King <amigadave@amigadave.com> - 0.8.1-1
- Update to 0.8.1
* Tue Dec 20 2016 Kalev Lember <klember@redhat.com> - 0.8.0-1
- Update to 0.8.0
* Tue Nov 29 2016 David King <amigadave@amigadave.com> - 0.6.14-2
- Add a patch to fix a GNOME Software crash
- Silence repository listing during post
* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.6.14-1
- Update to 0.6.14
* Wed Oct 26 2016 David King <amigadave@amigadave.com> - 0.6.13-2
- Add empty /etc/flatpak/remotes.d
* Tue Oct 25 2016 David King <amigadave@amigadave.com> - 0.6.13-1
- Update to 0.6.13
* Thu Oct 06 2016 David King <amigadave@amigadave.com> - 0.6.12-1
- Update to 0.6.12
* Tue Sep 20 2016 Kalev Lember <klember@redhat.com> - 0.6.11-1
- Update to 0.6.11
- Set minimum ostree and bubblewrap versions
* Mon Sep 12 2016 David King <amigadave@amigadave.com> - 0.6.10-1
- Update to 0.6.10
* Tue Sep 06 2016 David King <amigadave@amigadave.com> - 0.6.9-2
- Look for bwrap in PATH
* Thu Aug 25 2016 David King <amigadave@amigadave.com> - 0.6.9-1
- Update to 0.6.9
* Mon Aug 01 2016 David King <amigadave@amigadave.com> - 0.6.8-1
- Update to 0.6.8 (#1361823)
* Thu Jul 21 2016 David King <amigadave@amigadave.com> - 0.6.7-2
- Use system bubblewrap
* Fri Jul 01 2016 David King <amigadave@amigadave.com> - 0.6.7-1
- Update to 0.6.7
* Thu Jun 23 2016 David King <amigadave@amigadave.com> - 0.6.6-1
- Update to 0.6.6
* Fri Jun 10 2016 David King <amigadave@amigadave.com> - 0.6.5-1
- Update to 0.6.5
* Wed Jun 01 2016 David King <amigadave@amigadave.com> - 0.6.4-1
- Update to 0.6.4
* Tue May 31 2016 David King <amigadave@amigadave.com> - 0.6.3-1
- Update to 0.6.3
- Move bwrap to main package
* Tue May 24 2016 David King <amigadave@amigadave.com> - 0.6.2-1
- Rename from xdg-app to flatpak (#1337434)

881
flatpak.spec Normal file

@ -0,0 +1,881 @@
%global appstream_version 1.0.0~
%global bubblewrap_version 0.8.0
%global glib_version 2.46.0
%global gpgme_version 1.8.0
%global libcurl_version 7.29.0
%global ostree_version 2020.8
%global wayland_protocols_version 1.32
%global wayland_scanner_version 1.15
# Disable parental control for RHEL builds
%bcond malcontent %[!0%{?rhel}]
Name: flatpak
Version: 1.15.8
Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPL-2.1-or-later
URL: https://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
%if 0%{?fedora}
# Add Fedora flatpak repositories
Source1: flatpak-add-fedora-repos.service
%endif
# systemd-sysusers config. Only used for the %%pre macro. Must be kept in sync
# with the config from upstream sources.
Source2: flatpak.sysusers.conf
# ostree not on i686 for RHEL 10
# https://github.com/containers/composefs/pull/229#issuecomment-1838735764
%if 0%{?rhel} >= 10
ExcludeArch: %{ix86}
%endif
BuildRequires: pkgconfig(appstream) >= %{appstream_version}
BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse3)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme) >= %{gpgme_version}
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp)
BuildRequires: pkgconfig(libcurl) >= %{libcurl_version}
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
BuildRequires: pkgconfig(libzstd) >= 0.8.1
%if %{with malcontent}
BuildRequires: pkgconfig(malcontent-0)
%endif
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
BuildRequires: pkgconfig(polkit-gobject-1)
BuildRequires: pkgconfig(wayland-client)
BuildRequires: pkgconfig(wayland-protocols) >= %{wayland_protocols_version}
BuildRequires: pkgconfig(wayland-scanner) >= %{wayland_scanner_version}
BuildRequires: pkgconfig(xau)
BuildRequires: bison
BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl
BuildRequires: gettext-devel
BuildRequires: gtk-doc
BuildRequires: libcap-devel
BuildRequires: meson
BuildRequires: python3-pyparsing
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: /usr/bin/fusermount3
BuildRequires: /usr/bin/pkcheck
BuildRequires: /usr/bin/socat
BuildRequires: /usr/bin/xdg-dbus-proxy
BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc
%{?sysusers_requires_compat}
Requires: appstream%{?_isa} >= %{appstream_version}
Requires: bubblewrap >= %{bubblewrap_version}
Requires: glib2%{?_isa} >= %{glib_version}
Requires: libcurl%{?_isa} >= %{libcurl_version}
Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version}
Requires: /usr/bin/fusermount3
Requires: /usr/bin/xdg-dbus-proxy
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Recommends: p11-kit-server
# Make sure the document portal is installed
%if 0%{?fedora} || 0%{?rhel} > 7
Recommends: xdg-desktop-portal > 0.10
%else
Requires: xdg-desktop-portal > 0.10
%endif
%description
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
%description devel
This package contains the pkg-config file and development headers for %{name}.
%package libs
Summary: Libraries for %{name}
Requires: bubblewrap >= %{bubblewrap_version}
# We can assume ostree is installed on ostree systems
# So do not enforce it on non-ostree ones
Requires: ostree-libs%{?_isa} >= %{ostree_version}
%description libs
This package contains libflatpak.
%package selinux
Summary: SELinux policy module for %{name}
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildRequires: make
BuildArch: noarch
%{?selinux_requires}
%description selinux
This package contains the SELinux policy module for %{name}.
%package session-helper
Summary: User D-Bus service used by %{name} and others
Conflicts: flatpak < 1.4.1-2
Requires: systemd
%description session-helper
This package contains the org.freedesktop.Flatpak user D-Bus service
that's used by %{name} and other packages.
%package tests
Summary: Tests for %{name}
Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: bubblewrap >= %{bubblewrap_version}
Requires: ostree%{?_isa} >= %{ostree_version}
%description tests
This package contains installed tests for %{name}.
%prep
%autosetup -p1
%build
%meson \
-Dinstalled_tests=true \
-Dsystem_bubblewrap=/usr/bin/bwrap \
-Dsystem_dbus_proxy=/usr/bin/xdg-dbus-proxy \
-Dtmpfilesdir=%{_tmpfilesdir} \
%if %{with malcontent}
-Dmalcontent=enabled \
%else
-Dmalcontent=disabled \
%endif
-Dwayland_security_context=enabled \
%{nil}
%meson_build
%install
%meson_install
install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
# The system repo is not installed by the flatpak build system.
install -d %{buildroot}%{_localstatedir}/lib/flatpak
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
%if 0%{?fedora}
install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
%endif
%find_lang %{name}
%pre
%sysusers_create_compat %{SOURCE2}
%if 0%{?fedora}
%post
%systemd_post flatpak-add-fedora-repos.service
%endif
%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
%if 0%{?fedora}
%preun
%systemd_preun flatpak-add-fedora-repos.service
%endif
%if 0%{?fedora}
%postun
%systemd_postun_with_restart flatpak-add-fedora-repos.service
%endif
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
fi
%files -f %{name}.lang
%license COPYING
# Comply with the packaging guidelines about not mixing relative and absolute
# paths in doc.
%doc %{_pkgdocdir}
%{_bindir}/flatpak
%{_bindir}/flatpak-bisect
%{_bindir}/flatpak-coredumpctl
%{_datadir}/bash-completion
%{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml
%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
%{_datadir}/fish/
%{_datadir}/%{name}
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
%{_datadir}/zsh/site-functions
%{_libexecdir}/flatpak-oci-authenticator
%{_libexecdir}/flatpak-portal
%{_libexecdir}/flatpak-system-helper
%{_libexecdir}/flatpak-validate-icon
%{_libexecdir}/revokefs-fuse
%dir %{_localstatedir}/lib/flatpak
%{_mandir}/man1/%{name}*.1*
%{_mandir}/man5/%{name}-metadata.5*
%{_mandir}/man5/flatpak-flatpakref.5*
%{_mandir}/man5/flatpak-flatpakrepo.5*
%{_mandir}/man5/flatpak-installation.5*
%{_mandir}/man5/flatpak-remote.5*
%{_mandir}/man5/flatpakref.5*
%{_mandir}/man5/flatpakrepo.5*
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%dir %{_sysconfdir}/flatpak
%{_sysconfdir}/flatpak/remotes.d
%{_sysconfdir}/profile.d/flatpak.sh
%{_sysusersdir}/%{name}.conf
%{_unitdir}/flatpak-system-helper.service
%{_userunitdir}/flatpak-oci-authenticator.service
%{_userunitdir}/flatpak-portal.service
%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%{_systemd_user_env_generator_dir}/60-flatpak
%{_tmpfilesdir}/%{name}.conf
%if 0%{?fedora}
%{_unitdir}/flatpak-add-fedora-repos.service
%endif
%files devel
%{_datadir}/gir-1.0/Flatpak-1.0.gir
%{_datadir}/gtk-doc/
%{_includedir}/%{name}/
%{_libdir}/libflatpak.so
%{_libdir}/pkgconfig/%{name}.pc
%files libs
%license COPYING
%{_libdir}/girepository-1.0/Flatpak-1.0.typelib
%{_libdir}/libflatpak.so.*
%files selinux
%{_datadir}/selinux/packages/flatpak.pp.bz2
%{_datadir}/selinux/devel/include/contrib/flatpak.if
%files session-helper
%license COPYING
%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml
%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service
%{_libexecdir}/flatpak-session-helper
%{_userunitdir}/flatpak-session-helper.service
%files tests
%{_datadir}/installed-tests
%{_libexecdir}/installed-tests
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.15.8-2
- Bump release for June 2024 mass rebuild
* Fri Jun 07 2024 Kalev Lember <klember@redhat.com> - 1.15.8-1
- Update to 1.15.8 (CVE-2024-32462)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Nov 16 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.15.6-1
- Update to 1.15.6 (#2249763)
* Tue Nov 07 2023 Neal Gompa <ngompa@fedoraproject.org> - 1.15.4-5
- Fix appstream_version macro for prerelease appstream 1.0 package
* Tue Nov 07 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.15.4-4
- Adjust to Appstream 1.0 API changes
- Fix Appstream regression in 'remote-info'
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 22 2023 Tomas Popela <tpopela@redhat.com> - 1.15.4-2
- Disable parental control support (through malcontent) on RHEL
* Fri Mar 17 2023 David King <amigadave@amigadave.com> - 1.15.4-1
- Update to 1.15.4
* Thu Feb 23 2023 David King <amigadave@amigadave.com> - 1.15.3-1
- Update to 1.15.3 (#2120890)
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jan 06 2023 David King <amigadave@amigadave.com> - 1.15.1-2
- Require fusermount (#2158474)
* Tue Dec 13 2022 David King <amigadave@amigadave.com> - 1.15.1-1
- Update to 1.15.1
* Thu Dec 08 2022 David King <amigadave@amigadave.com> - 1.14.1-1
- Update to 1.14.1 (#2151850)
* Thu Sep 15 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 1.14.0-2
- Refresh gssproxy patch to use new socket path
* Wed Sep 07 2022 Kalev Lember <klember@redhat.com> - 1.14.0-1
- Update to 1.14.0
* Fri Aug 19 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-6
- Use %%sysusers_requires_compat to match %%sysusers_create_compat
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-4
- Avoid SELinux denials caused by reading symbolic links in /var/lib/flatpak
* Sun Jun 26 2022 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.13.3-3
- Let flatpak own %%{_sysconfdir}/flatpak (RHBZ#2101073).
* Fri Jun 17 2022 David King <amigadave@amigadave.com> - 1.13.3-2
- Add gssproxy support
* Fri Jun 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-1
- Update to 1.13.3
- Remove downstream patch for gssproxy support until it gets rebased
* Tue Jun 07 2022 David King <amigadave@amigadave.com> - 1.13.2-4
- Add gssproxy support
* Tue May 17 2022 Timothée Ravier <tim@siosm.fr> - 1.13.2-3
- Use sysusers_create_compat macro to create user & group.
* Tue Apr 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-2
- Avoid SELinux denials caused by read access to /etc/passwd, watching files
inside /usr/libexec and read access to /var/lib/flatpak
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.2-1
- Update to 1.13.2 (#2064038)
* Sat Mar 12 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.1-1
- Update to 1.13.1 (#2059784)
* Wed Mar 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.6-2
- Specify the %%{epoch} consistently
* Fri Feb 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.6-1
- Update to 1.12.6 (#2053655)
* Mon Feb 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-1
- Update to 1.12.5 (#2032528)
* Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2
- Don't try to add Fedora's OCI Flatpak repository on RHEL
- Remove an obsolete Fedora-specific update path
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.12.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Jan 18 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-1
- Update to 1.12.4 (#2042071)
* Fri Jan 14 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.3-1
- Update to 1.12.3 (#2040094)
* Wed Oct 13 2021 David King <amigadave@amigadave.com> - 1.12.2-1
- Update to 1.12.2 (#2013492)
* Fri Oct 08 2021 David King <amigadave@amigadave.com> - 1.12.1-1
- Update to 1.12.1 (#2012273)
* Fri Oct 08 2021 David King <amigadave@amigadave.com> - 1.12.0-1
- Update to 1.12.0 (#2012246)
* Thu Sep 09 2021 Kalev Lember <klember@redhat.com> - 1.11.3-2
- Enable malcontent support
* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 1.11.3-1
- Update to 1.11.3
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 David King <amigadave@amigadave.com> - 1.11.2-1
- Update to 1.11.2 (#1973591)
* Thu May 13 2021 Jeff Law <jlaw@tachyum.com> - 1.11.1-2
- Re-enable LTO
* Tue Apr 27 2021 David King <amigadave@amigadave.com> - 1.11.1-1
- Update to 1.11.1 (#1953833)
* Wed Apr 14 2021 Kalev Lember <klember@redhat.com> - 1.10.2-3
- Disable system env generator to work around selinux denials (#1947214)
* Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2
- OCI: Switch to pax format for tar archives
* Wed Mar 10 2021 Kalev Lember <klember@redhat.com> - 1.10.2-1
- Update to 1.10.2
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.10.1-4
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Kalev Lember <klember@redhat.com> - 1.10.1-3
- Add G_BEGIN_DECLS/G_END_DECLS to public headers (#1927439)
- Drop unneeded ldconfig_scriptlets macro call
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Jan 21 2021 Kalev Lember <klember@redhat.com> - 1.10.1-1
- Update to 1.10.1
* Thu Jan 14 2021 Kalev Lember <klember@redhat.com> - 1.10.0-1
- Update to 1.10.0
* Mon Jan 11 2021 Kalev Lember <klember@redhat.com> - 1.9.3-2
- Use "Fedora Flatpaks" as the visible repo name
* Tue Dec 22 2020 David King <amigadave@amigadave.com> - 1.9.3-1
- Update to 1.9.3 (#1910054)
* Fri Nov 20 2020 Kalev Lember <klember@redhat.com> - 1.9.2-1
- Update to 1.9.2
* Thu Nov 19 2020 Kalev Lember <klember@redhat.com> - 1.9.1-1
- Update to 1.9.1
* Wed Nov 18 2020 David King <amigadave@amigadave.com> - 1.8.3-2
- Drop obsolete Requires on system-release
* Tue Nov 17 2020 Kalev Lember <klember@redhat.com> - 1.8.3-1
- Update to 1.8.3
* Sat Oct 31 2020 Jeff Law <law@redhat.com> - 1.8.2-3
- Fix bogus volatiles caught by gcc-11
* Fri Sep 11 2020 Kalev Lember <klember@redhat.com> - 1.8.2-2
- Backport various OCI fixes from upstream
* Fri Aug 21 2020 Kalev Lember <klember@redhat.com> - 1.8.2-1
- Update to 1.8.2
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 03 2020 David King <amigadave@amigadave.com> - 1.8.1-1
- Update to 1.8.1 (#1853667)
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 1.8.0-2
- Disable LTO
* Wed Jun 24 2020 David King <amigadave@amigadave.com> - 1.8.0-1
- Update to 1.8.0 (#1850676)
* Wed Jun 10 2020 David King <amigadave@amigadave.com> - 1.7.3-1
- Update to 1.7.3 (#1820762)
* Fri Apr 03 2020 Kalev Lember <klember@redhat.com> - 1.7.2-1
- Update to 1.7.2
* Mon Mar 30 2020 David King <amigadave@amigadave.com> - 1.7.1-1
- Update to 1.7.1 (#1818882)
* Mon Mar 30 2020 Kalev Lember <klember@redhat.com> - 1.6.3-1
- Update to 1.6.3
* Thu Feb 13 2020 David King <amigadave@amigadave.com> - 1.6.2-1
- Update to 1.6.2 (#1802609)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 23 2020 David King <amigadave@amigadave.com> - 1.6.1-1
- Update to 1.6.1
* Fri Jan 17 2020 David King <amigadave@amigadave.com> - 1.6.0-2
- Remove broken python3 sed hack
* Fri Dec 20 2019 David King <amigadave@amigadave.com> - 1.6.0-1
- Update to 1.6.0
* Mon Dec 16 2019 David King <amigadave@amigadave.com> - 1.5.2-1
- Update to 1.5.2
* Thu Nov 28 2019 David King <amigadave@amigadave.com> - 1.5.1-1
- Update to 1.5.1
* Fri Nov 01 2019 Orion Poplawski <orion@nwra.com> - 1.5.0-2
- Use %%{?selinux_requires} for proper install ordering
* Thu Oct 03 2019 David King <amigadave@amigadave.com> - 1.5.0-1
- Update to 1.5.0
* Thu Sep 19 2019 Kalev Lember <klember@redhat.com> - 1.4.3-1
- Update to 1.4.3
* Wed Sep 18 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.2-6
- Trim unused shared library linkages from the session helper
* Wed Aug 7 2019 Owen Taylor <otaylor@redhat.com> - 1.4.2-5
- Add patch fixing problem with downloading icons for OCI remotes (#1683375)
* Thu Jul 25 2019 Tim Zabel <tjzabel21@gmail.com> - 1.4.2-4
- SELinux needs additional Requires (#1732132)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 09 2019 Kalev Lember <klember@redhat.com> - 1.4.2-2
- Backport a patch that fixes a fairly large memory leak in gnome-software
* Fri Jun 28 2019 David King <amigadave@amigadave.com> - 1.4.2-1
- Update to 1.4.2 (#1725071)
* Tue Jun 25 2019 David King <amigadave@amigadave.com> - 1.4.1-3
- Use Requires(post) for selinux-policy (#1723118)
* Tue Jun 25 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.1-2
- Split the session helper into a separate sub-package
* Thu Jun 13 2019 Kalev Lember <klember@redhat.com> - 1.4.1-1
- Update to 1.4.1
* Wed Jun 12 2019 Kalev Lember <klember@redhat.com> - 1.4.0-2
- Backport an upstream patch to fix gnome-software CI
* Tue May 28 2019 Kalev Lember <klember@redhat.com> - 1.4.0-1
- Update to 1.4.0
* Fri May 10 2019 Kalev Lember <klember@redhat.com> - 1.3.4-1
- Update to 1.3.4
* Tue Apr 30 2019 David King <amigadave@amigadave.com> - 1.3.3-2
- Generate consistent anchor IDs
* Fri Apr 26 2019 David King <amigadave@amigadave.com> - 1.3.3-1
- Update to 1.3.3 (#1699338)
* Wed Apr 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.2-2
- Fixup selinux requires
* Fri Apr 12 2019 David King <amigadave@amigadave.com> - 1.3.2-1
- Update to 1.3.2 (#1699338)
* Wed Apr 03 2019 Kalev Lember <klember@redhat.com> - 1.3.1-2
- Add a oneshot systemd service to add Fedora flatpak repos
- Remove the post script to create system repo now that we have the service
* Wed Mar 27 2019 David King <amigadave@amigadave.com> - 1.3.1-1
- Update to 1.3.1 (#1693207)
* Tue Mar 12 2019 David King <amigadave@amigadave.com> - 1.3.0-1
- Update to 1.3.0
* Thu Feb 14 2019 David King <amigadave@amigadave.com> - 1.2.3-2
- Remove an obsolete Conflicts
- Use xdg-dbus-proxy
* Mon Feb 11 2019 David King <amigadave@amigadave.com> - 1.2.3-1
- Update to 1.2.3
* Wed Feb 06 2019 David King <amigadave@amigadave.com> - 1.2.2-1
- Update to 1.2.2
* Tue Feb 05 2019 Kalev Lember <klember@redhat.com> - 1.2.1-1
- Update to 1.2.1
* Mon Feb 4 2019 fedora-toolbox <otaylor@redhat.com> - 1.2.0-4
- Add an upstream patch to add flatpak build-export --disable-sandbox
* Thu Jan 31 2019 Bastien Nocera <bnocera@redhat.com> - 1.2.0-3
- Require librsvg2 so SVG icons can be exported
* Tue Jan 29 2019 Kalev Lember <klember@redhat.com> - 1.2.0-2
- Enable libsystemd support
* Mon Jan 28 2019 David King <amigadave@amigadave.com> - 1.2.0-1
- Update to 1.2.0
* Tue Jan 15 2019 Kalev Lember <klember@redhat.com> - 1.1.3-1
- Update to 1.1.3
* Fri Dec 21 2018 David King <amigadave@amigadave.com> - 1.1.2-1
- Update to 1.1.2
* Mon Dec 17 2018 David King <amigadave@amigadave.com> - 1.1.1-2
- Enable installed tests and add to tests subpackage
* Mon Dec 10 2018 Kalev Lember <klember@redhat.com> - 1.1.1-1
- Update to 1.1.1
* Fri Nov 30 2018 fedora-toolbox <otaylor@redhat.com> - 1.0.6-3
- Add a patch to fix OCI system remotes
- Add patch fixing permissions on icons downloaded from an OCI registry
* Fri Nov 16 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
- Update to 1.0.6
* Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-2
- Recommend p11-kit-server instead of just p11-kit (#1649049)
* Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-1
- Update to 1.0.5
* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
- Update to 1.0.4
* Thu Oct 04 2018 Kalev Lember <klember@redhat.com> - 1.0.3-1
- Update to 1.0.3
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
- Update to 1.0.2
* Tue Aug 28 2018 David King <amigadave@amigadave.com> - 1.0.1-1
- Update to 1.0.1
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-2
- Fix double dash in XML documentation
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
- Update to 1.0.0
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Kalev Lember <klember@redhat.com> - 0.99.3-1
- Update to 0.99.3
* Wed Jun 27 2018 Kalev Lember <klember@redhat.com> - 0.99.2-1
- Update to 0.99.2
* Thu Jun 21 2018 David King <amigadave@amigadave.com> - 0.99.1-1
- Update to 0.99.1
* Wed Jun 13 2018 David King <amigadave@amigadave.com> - 0.11.8.3-1
- Update to 0.11.8.3 (#1590808)
* Mon Jun 11 2018 David King <amigadave@amigadave.com> - 0.11.8.2-1
- Update to 0.11.8.2 (#1589810)
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8.1-1
- Update to 0.11.8.1 (#1588868)
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8-1
- Update to 0.11.8 (#1588868)
* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
somewhere before Fedora 22 which this spec file certainly no longer
supports.
* Thu May 03 2018 Kalev Lember <klember@redhat.com> - 0.11.7-1
- Update to 0.11.7
* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.6-1
- Update to 0.11.6
* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.5-2
- Backport a fix for a gnome-software crash installing .flatpakref files
* Mon Apr 30 2018 David King <amigadave@amigadave.com> - 0.11.5-1
- Update to 0.11.5
* Thu Apr 26 2018 Kalev Lember <klember@redhat.com> - 0.11.4-1
- Update to 0.11.4
* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.3-1
- Update to 0.11.3
* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.2-1
- Update to 0.11.2
* Wed Feb 14 2018 David King <amigadave@amigadave.com> - 0.11.1-1
- Update to 0.11.1 (#1545224)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.10.3-2
- Switch to %%ldconfig_scriptlets
* Tue Jan 30 2018 Kalev Lember <klember@redhat.com> - 0.10.3-1
- Update to 0.10.3
* Thu Dec 21 2017 David King <amigadave@amigadave.com> - 0.10.2.1-1
- Update to 0.10.2.1
* Fri Dec 15 2017 Kalev Lember <klember@redhat.com> - 0.10.2-1
- Update to 0.10.2
* Fri Nov 24 2017 David King <amigadave@amigadave.com> - 0.10.1-1
- Update to 0.10.1
* Thu Oct 26 2017 Kalev Lember <klember@redhat.com> - 0.10.0-1
- Update to 0.10.0
* Mon Oct 09 2017 Kalev Lember <klember@redhat.com> - 0.9.99-1
- Update to 0.9.99
* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.2-1
- Update to 0.9.98.2
* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.1-1
- Update to 0.9.98.1
* Mon Sep 25 2017 Kalev Lember <klember@redhat.com> - 0.9.98-1
- Update to 0.9.98
* Thu Sep 14 2017 Kalev Lember <klember@redhat.com> - 0.9.12-1
- Update to 0.9.12
* Wed Sep 13 2017 Kalev Lember <klember@redhat.com> - 0.9.11-1
- Update to 0.9.11
* Mon Sep 04 2017 Kalev Lember <klember@redhat.com> - 0.9.10-1
- Update to 0.9.10
- Split out flatpak-builder to a separate source package
* Fri Aug 25 2017 Kalev Lember <klember@redhat.com> - 0.9.8-2
- Backport a patch to fix regression in --devel
* Mon Aug 21 2017 David King <amigadave@amigadave.com> - 0.9.8-1
- Update to 0.9.8
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 0.9.7-4
- Rebuild with binutils fix for ppc64le (#1475636)
* Thu Jul 27 2017 Owen Taylor <otaylor@redhat.com> - 0.9.7-3
- Add a patch to fix OCI refname annotation
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jul 01 2017 David King <amigadave@amigadave.com> - 0.9.7-1
- Update to 0.9.7 (#1466970)
* Tue Jun 20 2017 David King <amigadave@amigadave.com> - 0.9.6-1
- Update to 0.9.6
* Sat Jun 10 2017 David King <amigadave@amigadave.com> - 0.9.5-1
- Update to 0.9.5 (#1460437)
* Tue May 23 2017 David King <amigadave@amigadave.com> - 0.9.4-1
- Update to 0.9.4 (#1454750)
* Mon Apr 24 2017 David King <amigadave@amigadave.com> - 0.9.3-1
- Update to 0.9.3
* Fri Apr 07 2017 David King <amigadave@amigadave.com> - 0.9.2-2
- Add eu-strip dependency for flatpak-builder
* Wed Apr 05 2017 Kalev Lember <klember@redhat.com> - 0.9.2-1
- Update to 0.9.2
* Wed Mar 15 2017 Kalev Lember <klember@redhat.com> - 0.9.1-1
- Update to 0.9.1
* Fri Mar 10 2017 Kalev Lember <klember@redhat.com> - 0.8.4-1
- Update to 0.8.4
* Sun Feb 19 2017 David King <amigadave@amigadave.com> - 0.8.3-3
- Make flatpak-builder require bzip2 (#1424857)
* Wed Feb 15 2017 Kalev Lember <klember@redhat.com> - 0.8.3-2
- Avoid pulling in all of ostree and only depend on ostree-libs subpackage
* Tue Feb 14 2017 Kalev Lember <klember@redhat.com> - 0.8.3-1
- Update to 0.8.3
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 27 2017 Kalev Lember <klember@redhat.com> - 0.8.2-1
- Update to 0.8.2
* Wed Jan 18 2017 David King <amigadave@amigadave.com> - 0.8.1-1
- Update to 0.8.1
* Tue Dec 20 2016 Kalev Lember <klember@redhat.com> - 0.8.0-1
- Update to 0.8.0
* Tue Nov 29 2016 David King <amigadave@amigadave.com> - 0.6.14-2
- Add a patch to fix a GNOME Software crash
- Silence repository listing during post
* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.6.14-1
- Update to 0.6.14
* Wed Oct 26 2016 David King <amigadave@amigadave.com> - 0.6.13-2
- Add empty /etc/flatpak/remotes.d
* Tue Oct 25 2016 David King <amigadave@amigadave.com> - 0.6.13-1
- Update to 0.6.13
* Thu Oct 06 2016 David King <amigadave@amigadave.com> - 0.6.12-1
- Update to 0.6.12
* Tue Sep 20 2016 Kalev Lember <klember@redhat.com> - 0.6.11-1
- Update to 0.6.11
- Set minimum ostree and bubblewrap versions
* Mon Sep 12 2016 David King <amigadave@amigadave.com> - 0.6.10-1
- Update to 0.6.10
* Tue Sep 06 2016 David King <amigadave@amigadave.com> - 0.6.9-2
- Look for bwrap in PATH
* Thu Aug 25 2016 David King <amigadave@amigadave.com> - 0.6.9-1
- Update to 0.6.9
* Mon Aug 01 2016 David King <amigadave@amigadave.com> - 0.6.8-1
- Update to 0.6.8 (#1361823)
* Thu Jul 21 2016 David King <amigadave@amigadave.com> - 0.6.7-2
- Use system bubblewrap
* Fri Jul 01 2016 David King <amigadave@amigadave.com> - 0.6.7-1
- Update to 0.6.7
* Thu Jun 23 2016 David King <amigadave@amigadave.com> - 0.6.6-1
- Update to 0.6.6
* Fri Jun 10 2016 David King <amigadave@amigadave.com> - 0.6.5-1
- Update to 0.6.5
* Wed Jun 01 2016 David King <amigadave@amigadave.com> - 0.6.4-1
- Update to 0.6.4
* Tue May 31 2016 David King <amigadave@amigadave.com> - 0.6.3-1
- Update to 0.6.3
- Move bwrap to main package
* Tue May 24 2016 David King <amigadave@amigadave.com> - 0.6.2-1
- Rename from xdg-app to flatpak (#1337434)
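Review bot: In `%postun selinux` the call `%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2` passes the path of the packaged policy file, but as far as I know that macro forwards its arguments to `semodule -r`, which expects module names rather than file paths. If so, the removal fails quietly and the flatpak policy module stays loaded after the `selinux` subpackage is erased, which is worth confirming on a test install with `semodule -l`. I would write `%selinux_modules_uninstall flatpak` instead, assuming the module is named after the `.pp` file. The `%post selinux` install call correctly keeps the path form.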

1
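--- a/flatpak.sysusers.conf
+++ b/flatpak.sysusers.conf
@@ -0,0 +1 @@
+u flatpak - "Flatpak system helper" -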

1
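--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (flatpak-1.15.8.tar.xz) = 76374fa1334d1ffca05a4309975c4f19ac15c23585d0a90772195ee850d4da54a232bd557a5ec4d579c50204c8d1d651e58372312013668dc6d79c2376391606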