6 changed files with 455 additions and 87 deletions
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@ -1 +1 @@
-a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
+41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/flatpak-1.8.5.tar.xz
+SOURCES/flatpak-1.12.9.tar.xz
--- a/SOURCES/flatpak-1.12.x-CVE-2024-42472.patch
+++ b/SOURCES/flatpak-1.12.x-CVE-2024-42472.patch
@ -0,0 +1,330 @@
+From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 3 Jun 2024 12:22:30 +0200
+Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
+
+These directories are in a location under application control, so we
+can't trust them to not be a symlink outside of the files accessibe to
+the application.
+
+Continue to treat --persist=/foo as --persist=foo for backwards compat,
+since this is how it (accidentally) worked before, but print a warning.
+
+Don't allow ".." elements in persist paths: these would not be useful
+anyway, and are unlikely to be in use, however they could potentially
+be used to confuse the persist path handling.
+
+This partially addresses CVE-2024-42472. If only one instance of the
+malicious or compromised app is run at a time, the vulnerability
+is avoided. If two instances can run concurrently, there is a
+time-of-check/time-of-use issue remaining, which can only be resolved
+with changes to bubblewrap; this will be resolved in a separate commit,
+because the bubblewrap dependency might be more difficult to provide in
+LTS distributions.
+
+Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
+[smcv: Make whitespace consistent]
+[smcv: Use g_warning() if unable to create --persist paths]
+[smcv: Use stat() to detect symlinks and warn about them]
+[smcv: Use glnx_steal_fd() for portability to older GLib]
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 105 insertions(+), 3 deletions(-)
+
+diff --git a/common/flatpak-context.c b/common/flatpak-context.c
+index 53b79807..8c784acf 100644
+--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
+@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
+   return g_steal_pointer (&exports);
+ }
+ 
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int          base_fd,
+                          const char  *basedir,
+                          int          mode,
+                          const char  *subdir,
+                          int         *out_fd,
+                          GError     **error)
+{
+  glnx_autofd int parent_fd = -1;
+
+  if (g_path_is_absolute (subdir))
+    {
+      const char *skipped_prefix = subdir;
+
+      while (*skipped_prefix == '/')
+        skipped_prefix++;
+
+      g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+      subdir = skipped_prefix;
+    }
+
+  g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+  if (strcmp (subdir_dirname, ".") == 0)
+    {
+      /* It is ok to open basedir with follow=true */
+      if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+        return FALSE;
+    }
+  else if (strcmp (subdir_dirname, "..") == 0)
+    {
+      return glnx_throw (error, "'..' not supported in --persist paths");
+    }
+  else
+    {
+      if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+                                     subdir_dirname, &parent_fd, error))
+        return FALSE;
+    }
+
+  g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+  if (strcmp (subdir_basename, ".") == 0)
+    {
+      *out_fd = glnx_steal_fd (&parent_fd);
+      return TRUE;
+    }
+  else if (strcmp (subdir_basename, "..") == 0)
+    {
+      return glnx_throw (error, "'..' not supported in --persist paths");
+    }
+
+  if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+    return FALSE;
+
+  int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+  if (fd == -1)
+    {
+      int saved_errno = errno;
+      struct stat stat_buf;
+
+      /* If it's a symbolic link, that could be a user trying to offload
+       * large data to another filesystem, but it could equally well be
+       * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+       * Produce a clearer error message in this case.
+       * Unfortunately the errno we get in this case is ENOTDIR, so we have
+       * to ask again to find out whether it's really a symlink. */
+      if (saved_errno == ENOTDIR &&
+          fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+          S_ISLNK (stat_buf.st_mode))
+        return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+      return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+    }
+
+  *out_fd = fd;
+  return TRUE;
+}
+
+ void
+ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+                                          FlatpakBwrap    *bwrap,
+@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+       while (g_hash_table_iter_next (&iter, &key, NULL))
+         {
+           const char *persist = key;
+-          g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+          g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
+           g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
+          g_autoptr(GError) local_error = NULL;
+
+          if (g_mkdir_with_parents (appdir, 0755) != 0)
+            {
+              g_warning ("Unable to create directory %s", appdir);
+              continue;
+            }
+
+          /* Don't follow symlinks from the persist directory, as it is under user control */
+          glnx_autofd int src_fd = -1;
+          if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+                                         persist, &src_fd,
+                                         &local_error))
+            {
+              g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+              continue;
+            }
+ 
+-          g_mkdir_with_parents (src, 0755);
+          g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ 
+-          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+          flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+         }
+     }
+ 
+-- 
+2.46.0
+
+
+From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 3 Jun 2024 12:59:05 +0200
+Subject: [PATCH 2/4] Add test coverage for --persist
+
+This adds three "positive" tests: the common case --persist=.persist, the
+deprecated spelling --persist=/.persist, and the less common special case
+--persist=. as used by Steam.
+
+It also adds "negative" tests for CVE-2024-42472: if the --persist
+directory is a symbolic link or contains path segment "..", we want that
+to be rejected.
+
+Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
+[smcv: Add "positive" tests]
+[smcv: Exercise --persist=..]
+[smcv: Assert that --persist with a symlink produces expected message]
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index dd371df3..bca0845d 100644
+--- a/tests/test-run.sh
+++ b/tests/test-run.sh
+@@ -24,7 +24,7 @@ set -euo pipefail
+ skip_without_bwrap
+ skip_revokefs_without_fuse
+ 
+-echo "1..20"
+echo "1..21"
+ 
+ # Use stable rather than master as the branch so we can test that the run
+ # command automatically finds the branch correctly
+@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
+ assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
+ 
+ ok "--sdk option"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
+-- 
+2.46.0
+
+
+From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 12 Aug 2024 19:48:18 +0100
+Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
+ option
+
+We need this for the --bind-fd option, which will close a race
+condition in our solution to CVE-2024-42472.
+
+For this stable branch, check the --help output for a --bind-fd option
+instead of requiring a specific version number, to accommodate possible
+backports in LTS distributions.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 0a44e11a..0c8e2d0e 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
+    BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
+    AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
+                       [AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+   AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+         [:],
+         [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
+    AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
+ else
+    AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
+-- 
+2.46.0
+
+
+From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 14 Aug 2024 13:44:30 +0100
+Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
+ option
+
+Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
+has two advantages:
+ * bwrap closes the fd when used, so it doesn't leak into the started app
+ * bwrap ensures that what was mounted was the passed in fd (same dev/ino),
+   as there is a small (required) gap between symlink resolve and mount
+   where the target path could be replaced.
+
+Please note that this change requires an updated version of bubblewrap.
+
+Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
+[smcv: Make whitespace consistent]
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ common/flatpak-context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-context.c b/common/flatpak-context.c
+index 8c784acf..baa62728 100644
+--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
+@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext  *context,
+               continue;
+             }
+ 
+-          g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+          g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
+ 
+           flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+-          flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+          flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
+         }
+     }
+ 
+-- 
+2.46.0
+
--- a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch
+++ b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch
@ -1,73 +0,0 @@
-From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 17:52:13 +0000
-Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap itself ends up being
-run with an empty environment instead.
-
-This fixes a regression when CVE-2021-21261 was fixed: before the
-CVE fixes, LD_LIBRARY_PATH would have been passed through like this
-and appeared in the `flatpak build` shell, but during the CVE fixes,
-the special case that protected LD_LIBRARY_PATH was removed in favour
-of the more general flatpak_bwrap_envp_to_args(). That reasoning only
-works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
-that we run the potentially-setuid bwrap.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Resolves: https://github.com/flatpak/flatpak/issues/4080
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
---
- app/flatpak-builtins-build.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
-index 8da0de814..07ef6fc07 100644
--- a/app/flatpak-builtins-build.c
-+++ b/app/flatpak-builtins-build.c
-@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
-                               NULL);
-     }
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
-     return FALSE;
- 
-From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 18:07:38 +0000
-Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
- apply_extra
-
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap ends up being
-run with an empty environment instead.
-
-As with the previous commit, this regressed while fixing CVE-2021-21261.
-
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
---
- common/flatpak-dir.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index ed1248e74..40767fa77 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir   *self,
-                                          app_context, NULL, NULL, NULL, cancellable, error))
-     return FALSE;
- 
-+  flatpak_bwrap_envp_to_args (bwrap);
-+
-   flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
- 
-   flatpak_bwrap_finish (bwrap);
--- a/SOURCES/flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
+++ b/SOURCES/flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
@ -0,0 +1,28 @@
+From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 6 Nov 2023 20:27:16 +0100
+Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
+
+This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
+---
+ selinux/flatpak.te | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index bb3d80e316eb..4cf895c44abe 100644
+--- a/selinux/flatpak.te
+++ b/selinux/flatpak.te
+@@ -33,10 +33,6 @@ optional_policy(`
+    policykit_dbus_chat(flatpak_helper_t)
+ ')
+ 
+-optional_policy(`
+-   systemd_userdbd_stream_connect(flatpak_helper_t)
+-')
+-
+ optional_policy(`                   
+     unconfined_domain(flatpak_helper_t)
+ ')
+-- 
+2.41.0
+
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@ -1,16 +1,25 @@
-%global bubblewrap_version 0.4.0
-%global ostree_version 2018.9
+%global bubblewrap_version 0.4.0-2
+%global ostree_version 2020.8

 Name:           flatpak
-Version:        1.8.5
-Release:        2%{?dist}
+Version:        1.12.9
+Release:        3%{?dist}
 Summary:        Application deployment framework for desktop apps

 License:        LGPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
-# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
-Patch0:         flatpak-1.8.5-post-cve-fixes.patch
+
+%if 0%{?fedora}
+# Add Fedora flatpak repositories
+Source1:        flatpak-add-fedora-repos.service
+%endif
+
+# https://issues.redhat.com/browse/RHEL-4220
+Patch0:         flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
+
+# Backported upstream patch for CVE-2024-42472
+Patch1:         flatpak-1.12.x-CVE-2024-42472.patch

 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
@ -18,6 +27,7 @@ BuildRequires:  pkgconfig(fuse)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
 BuildRequires:  pkgconfig(gio-unix-2.0)
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 1.40.0
+BuildRequires:  pkgconfig(gpgme)
 BuildRequires:  pkgconfig(json-glib-1.0)
 BuildRequires:  pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libseccomp)
@ -33,16 +43,14 @@ BuildRequires:  bubblewrap >= %{bubblewrap_version}
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
-BuildRequires:  gpgme-devel
+BuildRequires:  libassuan-devel
 BuildRequires:  libcap-devel
+BuildRequires:  python3-devel
 BuildRequires:  python3-pyparsing
 BuildRequires:  systemd
-BuildRequires:  /usr/bin/python3
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc

-%{?systemd_requires}
-
 Requires:       bubblewrap >= %{bubblewrap_version}
 Requires:       librsvg2%{?_isa}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
@ -120,6 +128,8 @@ This package contains installed tests for %{name}.

 %prep
 %autosetup -p1
+# Make sure to use the RHEL-lifetime supported Python and no other
+%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*


 %build
@ -143,8 +153,18 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
 install -d %{buildroot}%{_localstatedir}/lib/flatpak
 install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
 rm -f %{buildroot}%{_libdir}/libflatpak.la
+
+%if 0%{?fedora}
+install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
+%endif
+
 %find_lang %{name}

+# Work around selinux denials, see
+# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
+# going to need the system env generator if we should enable malcontent support
+# in the future.
+rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only

 %pre
 getent group flatpak >/dev/null || groupadd -r flatpak
@ -154,15 +174,28 @@ getent passwd flatpak >/dev/null || \
 exit 0


+%if 0%{?fedora}
 %post
-# Create an (empty) system-wide repo.
-flatpak remote-list --system &> /dev/null || :
+%systemd_post flatpak-add-fedora-repos.service
+%endif


 %post selinux
 %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2


+%if 0%{?fedora}
+%preun
+%systemd_preun flatpak-add-fedora-repos.service
+%endif
+
+
+%if 0%{?fedora}
+%postun
+%systemd_postun_with_restart flatpak-add-fedora-repos.service
+%endif
+
+
 %postun selinux
 if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
@ -205,6 +238,7 @@ fi
 %{_mandir}/man5/flatpak-installation.5*
 %{_mandir}/man5/flatpak-remote.5*
 %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
+%dir %{_sysconfdir}/flatpak
 %{_sysconfdir}/flatpak/remotes.d
 %{_sysconfdir}/profile.d/flatpak.sh
 %{_sysusersdir}/flatpak.conf
@ -213,6 +247,10 @@ fi
 %{_userunitdir}/flatpak-portal.service
 %{_systemd_user_env_generator_dir}/60-flatpak

+%if 0%{?fedora}
+%{_unitdir}/flatpak-add-fedora-repos.service
+%endif
+
 %files devel
 %{_datadir}/gir-1.0/Flatpak-1.0.gir
 %{_datadir}/gtk-doc/
@ -242,6 +280,51 @@ fi


 %changelog
+* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3
+- Fix previous changelog entry
+
+* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2
+- Backport upstream patches for CVE-2024-42472
+- Require bubblewrap version that has new --bind-fd option backported for
+  addressing CVE-2024-42472
+
+* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
+- Update to 1.12.9 (CVE-2024-32462)
+
+* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
+- Rebase to 1.12.8 (RHEL-4220)
+
+* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
+- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
+
+* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
+- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
+
+* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
+- Rebase to 1.10.8 (#2222103)
+- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
+
+* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
+- Rebase to 1.10.7 (#2062417)
+
+* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
+- Rebase to 1.8.7 (#2041972)
+
+* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
+- Rebase to 1.8.6 (#2010533)
+
+* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
+- Fix CVE-2021-41133 (#2012869)
+
+* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
+- Disable gvfs plugins when listing flatpak installations (#1980438)
+
+* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
+- Ship flatpak-devel in CRB (#1938064)
+
+* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
+- Fix CVE-2021-21381 (#1938064)
+
 * Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
 - Apply post-release CVE fixes (#1918776)