import OL gnome-shell-40.10-14.el9_3

SOURCES/0001-authPrompt-Disregard-smartcard-status-changes-events.patch

@@ -0,0 +1,100 @@
+From ec802e39a5dfb252e2d18b8cb95f713724180565 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 15 May 2023 10:48:15 -0400
+Subject: [PATCH] authPrompt: Disregard smartcard status changes events if
+ VERIFICATION_IN_PROGRESS
+
+commit c8bb45b41c3a13ef161103f649aa18938e028a70 introduced a new
+verification state, VERIFICATION_IN_PROGRESS, to detect when the user
+has already interacted with the authentication service, so the auth
+prompt can rate limit the number of times the user can cancel
+authentication attempts with the escape key (without also rate limiting
+the number of times they hit escape to go back to the clock without
+interacting with the authentication service).
+
+That means there are now two states that represent the
+user actively undergoing verification: VERIFYING and
+VERIFICATION_IN_PROGRESS.
+
+It's inappropriate to reset the smartcard service if the user is
+actively conversing with it. We try to check for that by looking at the
+original verification state, VERIFYING, but we unfortunately, neglected
+to account for the new VERIFICATION_IN_PROGRESS state.
+
+This commit fixes that oversight, and allows users to again pre-type
+their smartcard pin at the clock before inserting their smartcard.
+---
+ js/gdm/authPrompt.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js
+index 4da91e096..e961f396e 100644
+--- a/js/gdm/authPrompt.js
++++ b/js/gdm/authPrompt.js
+@@ -327,61 +327,62 @@ var AuthPrompt = GObject.registerClass({
+     _onShowChoiceList(userVerifier, serviceName, promptMessage, choiceList) {
+         if (this._queryingService)
+             this.clear();
+ 
+         this._queryingService = serviceName;
+ 
+         if (this._preemptiveAnswer)
+             this._preemptiveAnswer = null;
+ 
+         this.setChoiceList(promptMessage, choiceList);
+         this.updateSensitivity(true);
+         this.emit('prompted');
+     }
+ 
+     _onCredentialManagerAuthenticated() {
+         if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED)
+             this.reset();
+     }
+ 
+     _onSmartcardStatusChanged() {
+         this.smartcardDetected = this._userVerifier.smartcardDetected;
+ 
+         // Most of the time we want to reset if the user inserts or removes
+         // a smartcard. Smartcard insertion "preempts" what the user was
+         // doing, and smartcard removal aborts the preemption.
+         // The exceptions are: 1) Don't reset on smartcard insertion if we're already verifying
+         //                        with a smartcard
+         //                     2) Don't reset if we've already succeeded at verification and
+         //                        the user is getting logged in.
+         if (this._userVerifier.serviceIsDefault(GdmUtil.SMARTCARD_SERVICE_NAME) &&
+-            this.verificationStatus == AuthPromptStatus.VERIFYING &&
++            (this.verificationStatus === AuthPromptStatus.VERIFYING ||
++             this.verificationStatus === AuthPromptStatus.VERIFICATION_IN_PROGRESS) &&
+             this.smartcardDetected)
+             return;
+ 
+         if (this.verificationStatus != AuthPromptStatus.VERIFICATION_SUCCEEDED)
+             this.reset();
+     }
+ 
+     _onShowMessage(_userVerifier, serviceName, message, type) {
+         this.setMessage(serviceName, message, type);
+         this.emit('prompted');
+     }
+ 
+     _onVerificationFailed(userVerifier, serviceName, canRetry) {
+         const wasQueryingService = this._queryingService === serviceName;
+ 
+         if (wasQueryingService) {
+             this._queryingService = null;
+             this.clear();
+         }
+ 
+         this.updateSensitivity(canRetry);
+         this.setActorInDefaultButtonWell(null);
+ 
+         if (!canRetry)
+             this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
+ 
+         if (wasQueryingService)
+             Util.wiggle(this._entry);
+     }
+ 
+-- 
+2.39.1
+

SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch

@@ -0,0 +1,92 @@
+From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>
+Date: Sat, 10 Feb 2024 00:58:27 +0100
+Subject: [PATCH] extensionSystem: Support locking down extension installation
+
+Currently extensions can only be locked down completely by
+restricting the `enabled-extensions` key via dconf.
+
+This is too restrictive for environments that want to allow users
+to customize their system with extensions, while still limiting
+the set of possible extensions.
+
+To fill that gap, add a new `allow-extension-installation` setting,
+which restricts extensions to system extensions when disabled.
+
+As the setting is mainly intended for locking down by system
+administrators, there is no attempt to load/unload extensions
+on settings changes.
+---
+ data/org.gnome.shell.gschema.xml.in | 11 +++++++++++
+ js/ui/extensionDownloader.js        |  6 ++++++
+ js/ui/extensionSystem.js            |  8 ++++++--
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in
+index 6f1c424bad..b5921983cd 100644
+--- a/data/org.gnome.shell.gschema.xml.in
++++ b/data/org.gnome.shell.gschema.xml.in
+@@ -40,6 +40,17 @@
+         the “enabled-extension” setting.
+       </description>
+     </key>
++    <key name="allow-extension-installation" type="b">
++      <default>true</default>
++      <summary>Allow extension installation</summary>
++      <description>
++        Allow users to install extensions in their home folder. If disabled,
++        the InstallRemoteExtension D-Bus method will fail, and extensions
++        are only loaded from system directories on startup.
++        It does not affect extensions that are already loaded, so a change
++        only takes full effect on the next login.
++      </description>
++    </key>
+     <key name="disable-extension-version-validation" type="b">
+       <default>false</default>
+       <summary>Disables the validation of extension version compatibility</summary>
+diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js
+index 471ddab147..01ed165c01 100644
+--- a/js/ui/extensionDownloader.js
++++ b/js/ui/extensionDownloader.js
+@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE   = 'https://extensions.gnome.org/update-info/';
+ let _httpSession;
+ 
+ function installExtension(uuid, invocation) {
++    if (!global.settings.get_boolean('allow-extension-installation')) {
++        invocation.return_dbus_error('org.gnome.Shell.InstallError',
++            'Extension installation is not allowed');
++        return;
++    }
++
+     const oldExt = Main.extensionManager.lookup(uuid);
+     if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) {
+         log('extensionDownloader: Trying to replace system extension %s'.format(uuid));
+diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
+index 937f861994..528d9ea450 100644
+--- a/js/ui/extensionSystem.js
++++ b/js/ui/extensionSystem.js
+@@ -64,7 +64,10 @@ var ExtensionManager = class {
+ 
+     get updatesSupported() {
+         const appSys = Shell.AppSystem.get_default();
+-        return appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
++        const hasUpdatesApp =
++            appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
++        const allowed = global.settings.get_boolean('allow-extension-installation');
++        return allowed && hasUpdatesApp;
+     }
+ 
+     lookup(uuid) {
+@@ -595,7 +598,8 @@ var ExtensionManager = class {
+         this._enabledExtensions = this._getEnabledExtensions();
+ 
+         let perUserDir = Gio.File.new_for_path(global.userdatadir);
+-        FileUtils.collectFromDatadirs('extensions', true, (dir, info) => {
++        const includeUserDir = global.settings.get_boolean('allow-extension-installation');
++        FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => {
+             let fileType = info.get_file_type();
+             if (fileType != Gio.FileType.DIRECTORY)
+                 return;
+-- 
+2.43.0
+

SPECS/gnome-shell.spec

@@ -2,7 +2,7 @@
 
 Name:           gnome-shell
 Version:        40.10
-Release:        12%{?dist}
+Release:        14%{?dist}
 Summary:        Window management and application launching for GNOME
 
 License:        GPLv2+
@@ -27,6 +27,7 @@ Patch14: support-choicelist-extension.patch
 Patch15: gdm-networking.patch
 Patch16: login-screen-extensions.patch
 Patch17: fix-resetting-auth-prompt.patch
+Patch18: 0001-authPrompt-Disregard-smartcard-status-changes-events.patch
 
 # Misc.
 Patch30: 0001-panel-add-an-icon-to-the-ActivitiesButton.patch
@@ -55,6 +56,7 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch
 Patch53: 0001-po-Update-translations.patch
 Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch
 Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch
+Patch59: 0001-extensionSystem-Support-locking-down-extension-insta.patch
 
 %define eds_version 3.33.1
 %define gnome_desktop_version 3.35.91
@@ -274,6 +276,14 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de
 %{_mandir}/man1/gnome-shell.1*
 
 %changelog
+* Thu Mar 07 2024 Craig Guiller <craig.guiller@oracle.com> - 40.10-14
+- Allow restricting extension installation
+  Resolves: RHEL-25017
+
+* Mon May 15 2023 Ray Strode <rstrode@redhat.com> - 40.10-13
+- Don't reset smartcard conversation twice when smartcard is inserted.
+  Resolves: #2140898
+
 * Wed Feb 22 2023 Florian Müllner <fmuellner@redhat.com> - 40.10-12
 - Require xdg-desktop-portal-gnome
   Resolves: #2172524