Allow restricting extension installation
Resolves: RHEL-25017
parent
4bc20b36cb
commit
300358e159
@ -0,0 +1,92 @@
|
||||
From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>
|
||||
Date: Sat, 10 Feb 2024 00:58:27 +0100
|
||||
Subject: [PATCH] extensionSystem: Support locking down extension installation
|
||||
|
||||
Currently extensions can only be locked down completely by
|
||||
restricting the `enabled-extensions` key via dconf.
|
||||
|
||||
This is too restrictive for environments that want to allow users
|
||||
to customize their system with extensions, while still limiting
|
||||
the set of possible extensions.
|
||||
|
||||
To fill that gap, add a new `allow-extension-installation` setting,
|
||||
which restricts extensions to system extensions when disabled.
|
||||
|
||||
As the setting is mainly intended for locking down by system
|
||||
administrators, there is no attempt to load/unload extensions
|
||||
on settings changes.
|
||||
---
|
||||
data/org.gnome.shell.gschema.xml.in | 11 +++++++++++
|
||||
js/ui/extensionDownloader.js | 6 ++++++
|
||||
js/ui/extensionSystem.js | 8 ++++++--
|
||||
3 files changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in
|
||||
index 6f1c424bad..b5921983cd 100644
|
||||
--- a/data/org.gnome.shell.gschema.xml.in
|
||||
+++ b/data/org.gnome.shell.gschema.xml.in
|
||||
@@ -40,6 +40,17 @@
|
||||
the “enabled-extension” setting.
|
||||
</description>
|
||||
</key>
|
||||
+ <key name="allow-extension-installation" type="b">
|
||||
+ <default>true</default>
|
||||
+ <summary>Allow extension installation</summary>
|
||||
+ <description>
|
||||
+ Allow users to install extensions in their home folder. If disabled,
|
||||
+ the InstallRemoteExtension D-Bus method will fail, and extensions
|
||||
+ are only loaded from system directories on startup.
|
||||
+ It does not affect extensions that are already loaded, so a change
|
||||
+ only takes full effect on the next login.
|
||||
+ </description>
|
||||
+ </key>
|
||||
<key name="disable-extension-version-validation" type="b">
|
||||
<default>false</default>
|
||||
<summary>Disables the validation of extension version compatibility</summary>
|
||||
diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js
|
||||
index 471ddab147..01ed165c01 100644
|
||||
--- a/js/ui/extensionDownloader.js
|
||||
+++ b/js/ui/extensionDownloader.js
|
||||
@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE = 'https://extensions.gnome.org/update-info/';
|
||||
let _httpSession;
|
||||
|
||||
function installExtension(uuid, invocation) {
|
||||
+ if (!global.settings.get_boolean('allow-extension-installation')) {
|
||||
+ invocation.return_dbus_error('org.gnome.Shell.InstallError',
|
||||
+ 'Extension installation is not allowed');
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
const oldExt = Main.extensionManager.lookup(uuid);
|
||||
if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) {
|
||||
log('extensionDownloader: Trying to replace system extension %s'.format(uuid));
|
||||
diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
|
||||
index 937f861994..528d9ea450 100644
|
||||
--- a/js/ui/extensionSystem.js
|
||||
+++ b/js/ui/extensionSystem.js
|
||||
@@ -64,7 +64,10 @@ var ExtensionManager = class {
|
||||
|
||||
get updatesSupported() {
|
||||
const appSys = Shell.AppSystem.get_default();
|
||||
- return appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
|
||||
+ const hasUpdatesApp =
|
||||
+ appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
|
||||
+ const allowed = global.settings.get_boolean('allow-extension-installation');
|
||||
+ return allowed && hasUpdatesApp;
|
||||
}
|
||||
|
||||
lookup(uuid) {
|
||||
@@ -595,7 +598,8 @@ var ExtensionManager = class {
|
||||
this._enabledExtensions = this._getEnabledExtensions();
|
||||
|
||||
let perUserDir = Gio.File.new_for_path(global.userdatadir);
|
||||
- FileUtils.collectFromDatadirs('extensions', true, (dir, info) => {
|
||||
+ const includeUserDir = global.settings.get_boolean('allow-extension-installation');
|
||||
+ FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => {
|
||||
let fileType = info.get_file_type();
|
||||
if (fileType != Gio.FileType.DIRECTORY)
|
||||
return;
|
||||
--
|
||||
2.43.0
|
||||
|
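Review bot: The `<description>` of the new `allow-extension-installation` key does not say that the restriction only holds when the key itself is locked by the administrator. The key is an ordinary boolean in the org.gnome.shell schema with default `true`, and all three checks (`installExtension`, `updatesSupported`, and the `collectFromDatadirs` call) read it through `global.settings`, so unless it is set and locked in the system dconf database, a user can presumably switch it back on and regain per-user extensions at the next login. I would add a sentence to the description such as `To enforce this restriction, the key must be set and locked by the administrator (for example with a dconf lock); otherwise users can change it themselves.` The functions in both JS files continue outside the hunks shown, so other code paths that load extensions from the user directory could not be checked here.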
@ -2,7 +2,7 @@
|
||||
|
||||
Name: gnome-shell
|
||||
Version: 40.10
|
||||
Release: 16%{?dist}
|
||||
Release: 17%{?dist}
|
||||
Summary: Window management and application launching for GNOME
|
||||
|
||||
License: GPLv2+
|
||||
@ -59,6 +59,7 @@ Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch
|
||||
Patch56: owe-support.patch
|
||||
Patch57: 0001-windowMenu-Ignore-release.patch
|
||||
Patch58: optional-portal-helper.patch
|
||||
Patch59: 0001-extensionSystem-Support-locking-down-extension-insta.patch
|
||||
|
||||
%define eds_version 3.33.1
|
||||
%define gnome_desktop_version 3.35.91
|
||||
@ -278,6 +279,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de
|
||||
%{_mandir}/man1/gnome-shell.1*
|
||||
|
||||
%changelog
|
||||
* Sat Feb 10 2024 Florian Müllner <fmuellner@redhat.com> - 40.10-17
|
||||
- Allow restricting extension installation
|
||||
Resolves: RHEL-25017
|
||||
|
||||
* Wed Nov 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 40.10-16
|
||||
- Disable captive portal helper if WebKitGTK is not installed
|
||||
Resolves: RHEL-10487
|
||||
|