diff --git a/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch new file mode 100644 index 0000000..9993f7a --- /dev/null +++ b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch @@ -0,0 +1,92 @@ +From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Sat, 10 Feb 2024 00:58:27 +0100 +Subject: [PATCH] extensionSystem: Support locking down extension installation + +Currently extensions can only be locked down completely by +restricting the `enabled-extensions` key via dconf. + +This is too restrictive for environments that want to allow users +to customize their system with extensions, while still limiting +the set of possible extensions. + +To fill that gap, add a new `allow-extension-installation` setting, +which restricts extensions to system extensions when disabled. + +As the setting is mainly intended for locking down by system +administrators, there is no attempt to load/unload extensions +on settings changes. +--- + data/org.gnome.shell.gschema.xml.in | 11 +++++++++++ + js/ui/extensionDownloader.js | 6 ++++++ + js/ui/extensionSystem.js | 8 ++++++-- + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in +index 6f1c424bad..b5921983cd 100644 +--- a/data/org.gnome.shell.gschema.xml.in ++++ b/data/org.gnome.shell.gschema.xml.in +@@ -40,6 +40,17 @@ + the “enabled-extension” setting. + + ++ ++ true ++ Allow extension installation ++ ++ Allow users to install extensions in their home folder. If disabled, ++ the InstallRemoteExtension D-Bus method will fail, and extensions ++ are only loaded from system directories on startup. ++ It does not affect extensions that are already loaded, so a change ++ only takes full effect on the next login. ++ ++ + + false + Disables the validation of extension version compatibility +diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js +index 471ddab147..01ed165c01 100644 +--- a/js/ui/extensionDownloader.js ++++ b/js/ui/extensionDownloader.js +@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE = 'https://extensions.gnome.org/update-info/'; + let _httpSession; + + function installExtension(uuid, invocation) { ++ if (!global.settings.get_boolean('allow-extension-installation')) { ++ invocation.return_dbus_error('org.gnome.Shell.InstallError', ++ 'Extension installation is not allowed'); ++ return; ++ } ++ + const oldExt = Main.extensionManager.lookup(uuid); + if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) { + log('extensionDownloader: Trying to replace system extension %s'.format(uuid)); +diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js +index 937f861994..528d9ea450 100644 +--- a/js/ui/extensionSystem.js ++++ b/js/ui/extensionSystem.js +@@ -64,7 +64,10 @@ var ExtensionManager = class { + + get updatesSupported() { + const appSys = Shell.AppSystem.get_default(); +- return appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const hasUpdatesApp = ++ appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const allowed = global.settings.get_boolean('allow-extension-installation'); ++ return allowed && hasUpdatesApp; + } + + lookup(uuid) { +@@ -595,7 +598,8 @@ var ExtensionManager = class { + this._enabledExtensions = this._getEnabledExtensions(); + + let perUserDir = Gio.File.new_for_path(global.userdatadir); +- FileUtils.collectFromDatadirs('extensions', true, (dir, info) => { ++ const includeUserDir = global.settings.get_boolean('allow-extension-installation'); ++ FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => { + let fileType = info.get_file_type(); + if (fileType != Gio.FileType.DIRECTORY) + return; +-- +2.43.0 + diff --git a/SOURCES/0001-windowMenu-Ignore-release.patch b/SOURCES/0001-windowMenu-Ignore-release.patch new file mode 100644 index 0000000..bb55ef9 --- /dev/null +++ b/SOURCES/0001-windowMenu-Ignore-release.patch @@ -0,0 +1,26 @@ +From b3cac57511575e1265ab0ebd9c7465a6ade913e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Thu, 28 Sep 2023 14:34:24 +0200 +Subject: [PATCH] windowMenu: Ignore release + +If the menu was open on button-press, make sure it is kept open +until explicitly dismissed, regardless of the pointer position. +--- + js/ui/windowMenu.js | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/js/ui/windowMenu.js b/js/ui/windowMenu.js +index 3449f759da..ad5c2a74cc 100644 +--- a/js/ui/windowMenu.js ++++ b/js/ui/windowMenu.js +@@ -229,6 +229,7 @@ var WindowMenuManager = class { + let menu = new WindowMenu(window, this._sourceActor); + + this._manager.addMenu(menu); ++ this._manager.ignoreRelease(); + + menu.connect('activate', () => { + window.check_alive(global.get_current_time()); +-- +2.41.0 + diff --git a/SOURCES/optional-portal-helper.patch b/SOURCES/optional-portal-helper.patch new file mode 100644 index 0000000..956562b --- /dev/null +++ b/SOURCES/optional-portal-helper.patch @@ -0,0 +1,51 @@ +diff --git a/js/portalHelper/main.js b/js/portalHelper/main.js +index 25f866281..a221c3b88 100644 +--- a/js/portalHelper/main.js ++++ b/js/portalHelper/main.js +@@ -4,10 +4,17 @@ imports.gi.versions.Soup = '2.4'; + + const Format = imports.format; + const Gettext = imports.gettext; +-const { Gio, GLib, GObject, Gtk, Pango, Soup, WebKit2: WebKit } = imports.gi; ++const { Gio, GLib, GObject, Gtk, Pango, Soup } = imports.gi; + + const _ = Gettext.gettext; + ++let WebKit; ++try { ++ WebKit = imports.gi.WebKit2; ++} catch { ++ WebKit = null; ++} ++ + const Config = imports.misc.config; + const { loadInterfaceXML } = imports.misc.fileUtils; + +@@ -346,6 +353,11 @@ function initEnvironment() { + function main(argv) { + initEnvironment(); + ++ if (!WebKit) { ++ log('WebKit2 typelib is not installed, captive portal helper will be disabled'); ++ return 1; ++ } ++ + if (!WebKit.WebContext.new_ephemeral) { + log('WebKitGTK 2.16 is required for the portal-helper, see https://bugzilla.gnome.org/show_bug.cgi?id=780453'); + return 1; +diff --git a/js/ui/status/network.js b/js/ui/status/network.js +index 01c83c86b..8c5bd8dcb 100644 +--- a/js/ui/status/network.js ++++ b/js/ui/status/network.js +@@ -2070,7 +2070,9 @@ class Indicator extends PanelMenu.SystemIndicator { + new PortalHelperProxy(Gio.DBus.session, 'org.gnome.Shell.PortalHelper', + '/org/gnome/Shell/PortalHelper', (proxy, error) => { + if (error) { +- log('Error launching the portal helper: %s'.format(error)); ++ // Timeout is expected if WebKit is unavailable ++ if (!error.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.TIMED_OUT)) ++ log('Error launching the portal helper: ' + error); + return; + } + + diff --git a/SOURCES/owe-support.patch b/SOURCES/owe-support.patch new file mode 100644 index 0000000..4dcb66f --- /dev/null +++ b/SOURCES/owe-support.patch @@ -0,0 +1,107 @@ +From ad431c28788ac1a4ec815cc4985cdb09a1a82226 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Mon, 11 Sep 2023 19:20:14 +0200 +Subject: [PATCH 1/2] status/network: Fix fallback SSID label + +We currently only return the fallback label if the string returned +from the ssid was invalid or couldn't be transformed to UTF-8. + +If the ssid parameter itself is empty, we throw an error. + +Handle this case as well, as callers otherwise would need to duplicate +the existing error path themselves. +--- + js/ui/status/network.js | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/js/ui/status/network.js b/js/ui/status/network.js +index 1f17ca8f97..99a8d51f82 100644 +--- a/js/ui/status/network.js ++++ b/js/ui/status/network.js +@@ -67,7 +67,9 @@ function signalToIcon(value) { + } + + function ssidToLabel(ssid) { +- let label = NM.utils_ssid_to_utf8(ssid.get_data()); ++ let label; ++ if (ssid) ++ label = NM.utils_ssid_to_utf8(ssid.get_data()); + if (!label) + label = _(""); + return label; +-- +2.41.0 + + +From 0409f18446cb55a45187e00feadb12e4389381dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Wed, 30 Aug 2023 01:47:00 +0200 +Subject: [PATCH 2/2] status/network: Use connection name with hidden AP + +When connected to an OWE transition network, NetworkManager +reports the connected API with a hidden SSID. + +Handle this by using the active connection's name before +ultimately falling back to the device name. + +https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6918 + +Part-of: + +--- + js/ui/status/network.js | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/js/ui/status/network.js b/js/ui/status/network.js +index 99a8d51f82..b407d8e78d 100644 +--- a/js/ui/status/network.js ++++ b/js/ui/status/network.js +@@ -1395,26 +1395,36 @@ var NMDeviceWireless = class { + _getStatus() { + let ap = this._device.active_access_point; + +- if (this._isHotSpotMaster()) ++ if (this._isHotSpotMaster()) { + /* Translators: %s is a network identifier */ + return _("%s Hotspot Active").format(this._description); +- else if (this._device.state >= NM.DeviceState.PREPARE && +- this._device.state < NM.DeviceState.ACTIVATED) ++ } else if (this._device.state >= NM.DeviceState.PREPARE && ++ this._device.state < NM.DeviceState.ACTIVATED) { + /* Translators: %s is a network identifier */ + return _("%s Connecting").format(this._description); +- else if (ap) +- return ssidToLabel(ap.get_ssid()); +- else if (!this._client.wireless_hardware_enabled) ++ } else if (ap) { ++ const ssid = ap.get_ssid(); ++ if (ssid) ++ return ssidToLabel(ssid); ++ ++ // Use connection name when connected to hidden AP ++ const activeConnection = this._device.get_active_connection(); ++ if (activeConnection) ++ return activeConnection.connection.get_id(); ++ ++ return ssidToLabel(null); ++ } else if (!this._client.wireless_hardware_enabled) { + /* Translators: %s is a network identifier */ + return _("%s Hardware Disabled").format(this._description); +- else if (!this._client.wireless_enabled) ++ } else if (!this._client.wireless_enabled) { + /* Translators: %s is a network identifier */ + return _("%s Off").format(this._description); +- else if (this._device.state == NM.DeviceState.DISCONNECTED) ++ } else if (this._device.state == NM.DeviceState.DISCONNECTED) { + /* Translators: %s is a network identifier */ + return _("%s Not Connected").format(this._description); +- else ++ } else { + return ''; ++ } + } + + _getMenuIcon() { +-- +2.41.0 + diff --git a/SPECS/gnome-shell.spec b/SPECS/gnome-shell.spec index caee0c4..2b80567 100644 --- a/SPECS/gnome-shell.spec +++ b/SPECS/gnome-shell.spec @@ -2,7 +2,7 @@ Name: gnome-shell Version: 40.10 -Release: 13%{?dist} +Release: 17%{?dist} Summary: Window management and application launching for GNOME License: GPLv2+ @@ -56,6 +56,10 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch Patch53: 0001-po-Update-translations.patch Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch +Patch56: owe-support.patch +Patch57: 0001-windowMenu-Ignore-release.patch +Patch58: optional-portal-helper.patch +Patch59: 0001-extensionSystem-Support-locking-down-extension-insta.patch %define eds_version 3.33.1 %define gnome_desktop_version 3.35.91 @@ -275,6 +279,22 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de %{_mandir}/man1/gnome-shell.1* %changelog +* Sat Feb 10 2024 Florian Müllner - 40.10-17 +- Allow restricting extension installation + Resolves: RHEL-25017 + +* Wed Nov 01 2023 Michael Catanzaro - 40.10-16 +- Disable captive portal helper if WebKitGTK is not installed + Resolves: RHEL-10487 + +* Wed Oct 18 2023 Florian Müllner - 40.10-15 +- Fix window-menu closing immediately on open + Resolves: RHEL-2663 + +* Wed Sep 06 2023 Florian Müllner - 40.10-14 +- Support OWE networks + Resolves: #2236665 + * Mon May 15 2023 Ray Strode - 40.10-13 - Don't reset smartcard conversation twice when smartcard is inserted. Resolves: #2140898