diff --git a/SOURCES/0001-authPrompt-Disregard-smartcard-status-changes-events.patch b/SOURCES/0001-authPrompt-Disregard-smartcard-status-changes-events.patch new file mode 100644 index 0000000..35dd9e0 --- /dev/null +++ b/SOURCES/0001-authPrompt-Disregard-smartcard-status-changes-events.patch @@ -0,0 +1,100 @@ +From ec802e39a5dfb252e2d18b8cb95f713724180565 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 15 May 2023 10:48:15 -0400 +Subject: [PATCH] authPrompt: Disregard smartcard status changes events if + VERIFICATION_IN_PROGRESS + +commit c8bb45b41c3a13ef161103f649aa18938e028a70 introduced a new +verification state, VERIFICATION_IN_PROGRESS, to detect when the user +has already interacted with the authentication service, so the auth +prompt can rate limit the number of times the user can cancel +authentication attempts with the escape key (without also rate limiting +the number of times they hit escape to go back to the clock without +interacting with the authentication service). + +That means there are now two states that represent the +user actively undergoing verification: VERIFYING and +VERIFICATION_IN_PROGRESS. + +It's inappropriate to reset the smartcard service if the user is +actively conversing with it. We try to check for that by looking at the +original verification state, VERIFYING, but we unfortunately, neglected +to account for the new VERIFICATION_IN_PROGRESS state. + +This commit fixes that oversight, and allows users to again pre-type +their smartcard pin at the clock before inserting their smartcard. +--- + js/gdm/authPrompt.js | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js +index 4da91e096..e961f396e 100644 +--- a/js/gdm/authPrompt.js ++++ b/js/gdm/authPrompt.js +@@ -327,61 +327,62 @@ var AuthPrompt = GObject.registerClass({ + _onShowChoiceList(userVerifier, serviceName, promptMessage, choiceList) { + if (this._queryingService) + this.clear(); + + this._queryingService = serviceName; + + if (this._preemptiveAnswer) + this._preemptiveAnswer = null; + + this.setChoiceList(promptMessage, choiceList); + this.updateSensitivity(true); + this.emit('prompted'); + } + + _onCredentialManagerAuthenticated() { + if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED) + this.reset(); + } + + _onSmartcardStatusChanged() { + this.smartcardDetected = this._userVerifier.smartcardDetected; + + // Most of the time we want to reset if the user inserts or removes + // a smartcard. Smartcard insertion "preempts" what the user was + // doing, and smartcard removal aborts the preemption. + // The exceptions are: 1) Don't reset on smartcard insertion if we're already verifying + // with a smartcard + // 2) Don't reset if we've already succeeded at verification and + // the user is getting logged in. + if (this._userVerifier.serviceIsDefault(GdmUtil.SMARTCARD_SERVICE_NAME) && +- this.verificationStatus == AuthPromptStatus.VERIFYING && ++ (this.verificationStatus === AuthPromptStatus.VERIFYING || ++ this.verificationStatus === AuthPromptStatus.VERIFICATION_IN_PROGRESS) && + this.smartcardDetected) + return; + + if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED) + this.reset(); + } + + _onShowMessage(_userVerifier, serviceName, message, type) { + this.setMessage(serviceName, message, type); + this.emit('prompted'); + } + + _onVerificationFailed(userVerifier, serviceName, canRetry) { + const wasQueryingService = this._queryingService === serviceName; + + if (wasQueryingService) { + this._queryingService = null; + this.clear(); + } + + this.updateSensitivity(canRetry); + this.setActorInDefaultButtonWell(null); + + if (!canRetry) + this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED; + + if (wasQueryingService) + Util.wiggle(this._entry); + } + +-- +2.39.1 + diff --git a/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch new file mode 100644 index 0000000..9993f7a --- /dev/null +++ b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch @@ -0,0 +1,92 @@ +From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Sat, 10 Feb 2024 00:58:27 +0100 +Subject: [PATCH] extensionSystem: Support locking down extension installation + +Currently extensions can only be locked down completely by +restricting the `enabled-extensions` key via dconf. + +This is too restrictive for environments that want to allow users +to customize their system with extensions, while still limiting +the set of possible extensions. + +To fill that gap, add a new `allow-extension-installation` setting, +which restricts extensions to system extensions when disabled. + +As the setting is mainly intended for locking down by system +administrators, there is no attempt to load/unload extensions +on settings changes. +--- + data/org.gnome.shell.gschema.xml.in | 11 +++++++++++ + js/ui/extensionDownloader.js | 6 ++++++ + js/ui/extensionSystem.js | 8 ++++++-- + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in +index 6f1c424bad..b5921983cd 100644 +--- a/data/org.gnome.shell.gschema.xml.in ++++ b/data/org.gnome.shell.gschema.xml.in +@@ -40,6 +40,17 @@ + the “enabled-extension” setting. + + ++ ++ true ++ Allow extension installation ++ ++ Allow users to install extensions in their home folder. If disabled, ++ the InstallRemoteExtension D-Bus method will fail, and extensions ++ are only loaded from system directories on startup. ++ It does not affect extensions that are already loaded, so a change ++ only takes full effect on the next login. ++ ++ + + false + Disables the validation of extension version compatibility +diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js +index 471ddab147..01ed165c01 100644 +--- a/js/ui/extensionDownloader.js ++++ b/js/ui/extensionDownloader.js +@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE = 'https://extensions.gnome.org/update-info/'; + let _httpSession; + + function installExtension(uuid, invocation) { ++ if (!global.settings.get_boolean('allow-extension-installation')) { ++ invocation.return_dbus_error('org.gnome.Shell.InstallError', ++ 'Extension installation is not allowed'); ++ return; ++ } ++ + const oldExt = Main.extensionManager.lookup(uuid); + if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) { + log('extensionDownloader: Trying to replace system extension %s'.format(uuid)); +diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js +index 937f861994..528d9ea450 100644 +--- a/js/ui/extensionSystem.js ++++ b/js/ui/extensionSystem.js +@@ -64,7 +64,10 @@ var ExtensionManager = class { + + get updatesSupported() { + const appSys = Shell.AppSystem.get_default(); +- return appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const hasUpdatesApp = ++ appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const allowed = global.settings.get_boolean('allow-extension-installation'); ++ return allowed && hasUpdatesApp; + } + + lookup(uuid) { +@@ -595,7 +598,8 @@ var ExtensionManager = class { + this._enabledExtensions = this._getEnabledExtensions(); + + let perUserDir = Gio.File.new_for_path(global.userdatadir); +- FileUtils.collectFromDatadirs('extensions', true, (dir, info) => { ++ const includeUserDir = global.settings.get_boolean('allow-extension-installation'); ++ FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => { + let fileType = info.get_file_type(); + if (fileType != Gio.FileType.DIRECTORY) + return; +-- +2.43.0 + diff --git a/SPECS/gnome-shell.spec b/SPECS/gnome-shell.spec index a56714f..df35483 100644 --- a/SPECS/gnome-shell.spec +++ b/SPECS/gnome-shell.spec @@ -2,7 +2,7 @@ Name: gnome-shell Version: 40.10 -Release: 12%{?dist} +Release: 14%{?dist} Summary: Window management and application launching for GNOME License: GPLv2+ @@ -27,6 +27,7 @@ Patch14: support-choicelist-extension.patch Patch15: gdm-networking.patch Patch16: login-screen-extensions.patch Patch17: fix-resetting-auth-prompt.patch +Patch18: 0001-authPrompt-Disregard-smartcard-status-changes-events.patch # Misc. Patch30: 0001-panel-add-an-icon-to-the-ActivitiesButton.patch @@ -55,6 +56,7 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch Patch53: 0001-po-Update-translations.patch Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch +Patch59: 0001-extensionSystem-Support-locking-down-extension-insta.patch %define eds_version 3.33.1 %define gnome_desktop_version 3.35.91 @@ -274,6 +276,14 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de %{_mandir}/man1/gnome-shell.1* %changelog +* Thu Mar 07 2024 Craig Guiller - 40.10-14 +- Allow restricting extension installation + Resolves: RHEL-25017 + +* Mon May 15 2023 Ray Strode - 40.10-13 +- Don't reset smartcard conversation twice when smartcard is inserted. + Resolves: #2140898 + * Wed Feb 22 2023 Florian Müllner - 40.10-12 - Require xdg-desktop-portal-gnome Resolves: #2172524