Update to 1.12.0 + sync with Fedora
Resolves: bz#2048011 Resolves: bz#2021893
This commit is contained in:
parent
da2608ff21
commit
24a8d8f61c
1
.gitignore
vendored
1
.gitignore
vendored
@ -30,3 +30,4 @@ tigervnc-1.0.90-20100721svn4113.tar.bz2
|
||||
/tigervnc-1.10.1.tar.gz
|
||||
/tigervnc-1.10.90.tar.gz
|
||||
/tigervnc-1.11.0.tar.gz
|
||||
/tigervnc-1.12.0.tar.gz
|
||||
|
110
HOWTO.md
110
HOWTO.md
@ -1,110 +0,0 @@
|
||||
# What has changed
|
||||
The previous Tigervnc versions had a wrapper script called `vncserver` which
|
||||
could be run as a user manually to start *Xvnc* process. The usage was quite
|
||||
simple as you just run
|
||||
```
|
||||
$ vncserver :x [vncserver options] [Xvnc options]
|
||||
```
|
||||
and that was it. While this was working just fine, there were issues when users
|
||||
wanted to start a Tigervnc server using *systemd*. For these reasons things were
|
||||
completely changed and there is now a new way how this all is supposed to work.
|
||||
|
||||
# How to start Tigervnc server
|
||||
|
||||
## Add a user mapping
|
||||
With this you can map a user to a particular port. The mapping should be done in
|
||||
`/etc/tigervnc/vncserver.users` configuration file. It should be pretty
|
||||
straightforward once you open the file as there are some examples, but basically
|
||||
the mapping is in form
|
||||
```
|
||||
:x=user
|
||||
```
|
||||
For example you can have
|
||||
```
|
||||
:1=test
|
||||
:2=vncuser
|
||||
```
|
||||
|
||||
## Configure Xvnc options
|
||||
To configure Xvnc parameters, you need to go to the same directory where you did
|
||||
the user mapping and open `vncserver-config-defaults` configuration file. This
|
||||
file is for the default Xvnc configuration and will be applied to every user
|
||||
unless any of the following applies:
|
||||
* The user has its own configuration in `$HOME/.vnc/config`
|
||||
* The same option with different value is configured in
|
||||
`vncserver-config-mandatory` configuration file, which replaces the default
|
||||
configuration and has even a higher priority than the per-user configuration.
|
||||
This option is for system administrators when they want to force particular
|
||||
*Xvnc* options.
|
||||
|
||||
Format of the configuration file is also quite simple as the configuration is
|
||||
in form of
|
||||
```
|
||||
option=value
|
||||
option
|
||||
```
|
||||
for example
|
||||
```
|
||||
session=gnome
|
||||
securitytypes=vncauth,tlsvnc
|
||||
desktop=sandbox
|
||||
geometry=2000x1200
|
||||
localhost
|
||||
alwaysshared
|
||||
```
|
||||
### Note:
|
||||
There is one important option you need to set and that option is the session you
|
||||
want to start. E.g when you want to start GNOME desktop, then you have to use
|
||||
```
|
||||
session=gnome
|
||||
```
|
||||
which should match the name of a session desktop file from `/usr/share/xsessions`
|
||||
directory.
|
||||
|
||||
## Set VNC password
|
||||
You need to set a password for each user in order to be able to start the
|
||||
Tigervnc server. In order to create a password, you just run
|
||||
```
|
||||
$ vncpasswd
|
||||
```
|
||||
as the user you will be starting the server for.
|
||||
### Note:
|
||||
If you were using Tigervnc before for your user and you already created a
|
||||
password, then you will have to make sure the `$HOME/.vnc` folder created by
|
||||
`vncpasswd` will have the correct *SELinux* context. You either can delete this
|
||||
folder and recreate it again by creating the password one more time, or
|
||||
alternatively you can run
|
||||
```
|
||||
$ restorecon -RFv /home/<USER>/.vnc
|
||||
```
|
||||
|
||||
## Start the Tigervnc server
|
||||
Finally you can start the server using systemd service. To do so just run
|
||||
```
|
||||
$ systemctl start vncserver@:x
|
||||
```
|
||||
as root or
|
||||
```
|
||||
$ sudo systemctl start vncserver@:x
|
||||
```
|
||||
as a regular user in case it has permissions to run `sudo`. Don't forget to
|
||||
replace the `:x` by the actual number you configured in the user mapping file.
|
||||
Following our example by running
|
||||
```
|
||||
$ systemctl start vncserver@:1
|
||||
```
|
||||
you will start a Tigervnc server for user `test` with a GNOME session.
|
||||
|
||||
### Note:
|
||||
If you were previously using Tigervnc and you were used to start it using
|
||||
*systemd* then you will need to remove previous *systemd* configuration files,
|
||||
those you most likely copied to `/etc/systemd/system/vncserver@.service`,
|
||||
otherwise this service file will be preferred over the new one installed with
|
||||
latest Tigervnc.
|
||||
|
||||
# Limitations
|
||||
You will not be able to start a Tigervnc server for a user who is already
|
||||
logged into a graphical session. Avoid running the server as the `root` user as
|
||||
it's not a safe thing to do. While running the server as the `root` should work
|
||||
in general, it's not recommended to do so and there might be some things which
|
||||
are not working properly.
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (tigervnc-1.11.0.tar.gz) = 262676f065de6dfb72b1482c0ef1e6d8b764f53360ae6114debbe0986eede45d27e283e1452a72cb9b7540657ab347fd36df5b30b72d6db4a0f8cbea5b591025
|
||||
SHA512 (tigervnc-1.12.0.tar.gz) = a16b15e9cda552a49a3934e4174e49d186d06494d90d11582599ab82559014332662aed7760619a6dfb32a8c95f7d63c68ac7d632c29dd662a6b713f036672bb
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 7ab92639848a6059e2b6b88499b008b9606f3af6 Mon Sep 17 00:00:00 2001
|
||||
From: johnmartin-oracle <55413843+johnmartin-oracle@users.noreply.github.com>
|
||||
Date: Thu, 27 Aug 2020 22:30:23 -0400
|
||||
Subject: [PATCH] Update Surface_X11.cxx
|
||||
|
||||
Runtime sellection of ARGB XImage byte order
|
||||
---
|
||||
vncviewer/Surface_X11.cxx | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/vncviewer/Surface_X11.cxx b/vncviewer/Surface_X11.cxx
|
||||
index 6562634dc..8944c3f71 100644
|
||||
--- a/vncviewer/Surface_X11.cxx
|
||||
+++ b/vncviewer/Surface_X11.cxx
|
||||
@@ -123,17 +123,17 @@ void Surface::alloc()
|
||||
// we find such a format
|
||||
templ.type = PictTypeDirect;
|
||||
templ.depth = 32;
|
||||
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
||||
- templ.direct.alpha = 0;
|
||||
- templ.direct.red = 8;
|
||||
- templ.direct.green = 16;
|
||||
- templ.direct.blue = 24;
|
||||
-#else
|
||||
- templ.direct.alpha = 24;
|
||||
- templ.direct.red = 16;
|
||||
- templ.direct.green = 8;
|
||||
- templ.direct.blue = 0;
|
||||
-#endif
|
||||
+ if (XImageByteOrder(fl_display) == MSBFirst) {
|
||||
+ templ.direct.alpha = 0;
|
||||
+ templ.direct.red = 8;
|
||||
+ templ.direct.green = 16;
|
||||
+ templ.direct.blue = 24;
|
||||
+ } else {
|
||||
+ templ.direct.alpha = 24;
|
||||
+ templ.direct.red = 16;
|
||||
+ templ.direct.green = 8;
|
||||
+ templ.direct.blue = 0;
|
||||
+ }
|
||||
templ.direct.alphaMask = 0xff;
|
||||
templ.direct.redMask = 0xff;
|
||||
templ.direct.greenMask = 0xff;
|
@ -1,13 +0,0 @@
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 2b47f5f5..f78c096f 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -99,7 +99,7 @@ begin_daemon(void)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (pid == 0)
|
||||
+ if (pid != 0)
|
||||
_exit(0);
|
||||
|
||||
/* Send all stdio to /dev/null */
|
@ -1,14 +0,0 @@
|
||||
diff --git a/unix/vncserver b/unix/vncserver
|
||||
index a6c890f..687ef72 100755
|
||||
--- a/unix/vncserver
|
||||
+++ b/unix/vncserver
|
||||
@@ -208,7 +208,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
|
||||
$displayNumber = $1;
|
||||
shift(@ARGV);
|
||||
if (!&CheckDisplayNumber($displayNumber)) {
|
||||
- die "A VNC server is already running as :$displayNumber\n";
|
||||
+ warn "A VNC server is already running as :$displayNumber\n";
|
||||
+ $displayNumber = &GetDisplayNumber();
|
||||
}
|
||||
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
|
||||
&Usage();
|
34
tigervnc-fix-typo-in-mirror-monitor-detection.patch
Normal file
34
tigervnc-fix-typo-in-mirror-monitor-detection.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 23 Dec 2021 15:58:00 +0100
|
||||
Subject: [PATCH] Fix typo in mirror monitor detection
|
||||
|
||||
Bug introduced in fb561eb but still somehow passed manual testing.
|
||||
Resulted in some stray reads off the end of the stack, which were
|
||||
hopefully harmless.
|
||||
---
|
||||
vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
|
||||
index 5130831cb..4ac74dd1a 100644
|
||||
--- a/vncviewer/MonitorIndicesParameter.cxx
|
||||
+++ b/vncviewer/MonitorIndicesParameter.cxx
|
||||
@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
|
||||
// Only keep a single entry for mirrored screens
|
||||
match = false;
|
||||
for (int j = 0; j < ((int) monitors.size()); j++) {
|
||||
- if (monitors[i].x != monitor.x)
|
||||
+ if (monitors[j].x != monitor.x)
|
||||
continue;
|
||||
- if (monitors[i].y != monitor.y)
|
||||
+ if (monitors[j].y != monitor.y)
|
||||
continue;
|
||||
- if (monitors[i].w != monitor.w)
|
||||
+ if (monitors[j].w != monitor.w)
|
||||
continue;
|
||||
- if (monitors[i].h != monitor.h)
|
||||
+ if (monitors[j].h != monitor.h)
|
||||
continue;
|
||||
|
||||
match = true;
|
@ -1,22 +0,0 @@
|
||||
From dbf76d2ee8da157c2c2970c937bcc0ed9ef08a6f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Tue, 25 May 2021 14:14:33 +0200
|
||||
Subject: [PATCH] Let user know that a view-only password is not used
|
||||
|
||||
---
|
||||
unix/vncpasswd/vncpasswd.cxx | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
|
||||
index 3055223ef..8f3649fe9 100644
|
||||
--- a/unix/vncpasswd/vncpasswd.cxx
|
||||
+++ b/unix/vncpasswd/vncpasswd.cxx
|
||||
@@ -160,6 +160,8 @@ int main(int argc, char** argv)
|
||||
char yesno[3];
|
||||
if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
|
||||
obfuscatedReadOnly = readpassword();
|
||||
+ } else {
|
||||
+ fprintf(stderr, "A view-only password is not used\n");
|
||||
}
|
||||
|
||||
FILE* fp = fopen(fname,"w");
|
@ -1,38 +0,0 @@
|
||||
From 5d834359bef6727df82cf4f2c2f3f255145f7785 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Tue, 25 May 2021 14:18:48 +0200
|
||||
Subject: [PATCH] CharArray: pre-fill empty array with zeroes
|
||||
|
||||
CharArray should always be null-terminated. There is a potential
|
||||
scenario where this all might lead to crash. In Password we call
|
||||
memset(), passing length of the array we get with strlen(), but
|
||||
this won't return correct value when the array is not properly
|
||||
null-terminated.
|
||||
---
|
||||
common/rfb/util.h | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/util.h b/common/rfb/util.h
|
||||
index 3100f90fd..71caac426 100644
|
||||
--- a/common/rfb/util.h
|
||||
+++ b/common/rfb/util.h
|
||||
@@ -52,14 +52,17 @@ namespace rfb {
|
||||
CharArray(char* str) : buf(str) {} // note: assumes ownership
|
||||
CharArray(size_t len) {
|
||||
buf = new char[len]();
|
||||
+ memset(buf, 0, len);
|
||||
}
|
||||
~CharArray() {
|
||||
- delete [] buf;
|
||||
+ if (buf) {
|
||||
+ delete [] buf;
|
||||
+ }
|
||||
}
|
||||
void format(const char *fmt, ...) __printf_attr(2, 3);
|
||||
// Get the buffer pointer & clear it (i.e. caller takes ownership)
|
||||
char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
|
||||
- void replaceBuf(char* b) {delete [] buf; buf = b;}
|
||||
+ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
|
||||
char* buf;
|
||||
private:
|
||||
CharArray(const CharArray&);
|
@ -11,16 +11,15 @@ as HOME_ROOT actually means base for home dirs (usually /home).
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
|
||||
index ae768ba..5c03e46 100644
|
||||
index 6aaf4b1f4..bc81f8f25 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.fc
|
||||
+++ b/unix/vncserver/selinux/vncsession.fc
|
||||
@@ -18,7 +18,7 @@
|
||||
#
|
||||
|
||||
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+/root/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
+/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
|
||||
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
||||
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
||||
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Mon, 17 May 2021 13:44:32 +0200
|
||||
Subject: [PATCH 1/2] SELinux: Add missing compression and install policy to
|
||||
correct directory
|
||||
|
||||
---
|
||||
unix/vncserver/selinux/Makefile | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
|
||||
index 7497bf846..b23f20f60 100644
|
||||
--- a/unix/vncserver/selinux/Makefile
|
||||
+++ b/unix/vncserver/selinux/Makefile
|
||||
@@ -10,15 +10,18 @@
|
||||
PREFIX=/usr
|
||||
DATADIR=$(PREFIX)/share
|
||||
|
||||
-all: vncsession.pp
|
||||
+all: vncsession.pp.bz2
|
||||
+
|
||||
+%.pp.bz2: %.pp
|
||||
+ bzip2 -9 $^
|
||||
|
||||
%.pp: %.te
|
||||
make -f $(DATADIR)/selinux/devel/Makefile $@
|
||||
|
||||
clean:
|
||||
- rm -f *.pp
|
||||
+ rm -f *.pp *.pp.bz2
|
||||
rm -rf tmp
|
||||
|
||||
-install: vncsession.pp
|
||||
- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
|
||||
- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
|
||||
+install: vncsession.pp.bz2
|
||||
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
|
||||
+ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2
|
@ -1,183 +0,0 @@
|
||||
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 18 May 2021 12:23:15 +0200
|
||||
Subject: [PATCH] selinux: Fix issues reported by SELint
|
||||
|
||||
Style guide [1] issues only. No impact on policy functionality.
|
||||
|
||||
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index a773fed39..63ad8a85f 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -17,7 +17,7 @@
|
||||
# USA.
|
||||
#
|
||||
|
||||
-policy_module(vncsession, 1.0.0);
|
||||
+policy_module(vncsession, 1.0.0)
|
||||
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
|
||||
userdom_spec_domtrans_all_users(vnc_session_t)
|
||||
userdom_signal_all_users(vnc_session_t)
|
||||
|
||||
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
|
||||
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
|
||||
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
|
||||
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
|
||||
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
||||
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
|
||||
|
||||
mcs_process_set_categories(vnc_session_t)
|
||||
mcs_killall(vnc_session_t)
|
||||
-
|
||||
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Tue, 18 May 2021 13:31:53 +0200
|
||||
Subject: [PATCH] selinux: further style and comprehensibility improvements
|
||||
|
||||
Sections and rules blocks reordered according to the Style guide.
|
||||
|
||||
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
|
||||
1 file changed, 36 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index 63ad8a85f..86fd6e5ef 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -20,48 +20,61 @@
|
||||
policy_module(vncsession, 1.0.0)
|
||||
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
- type xdm_home_t;
|
||||
+ attribute userdomain;
|
||||
+ type xdm_home_t;
|
||||
')
|
||||
|
||||
-type vnc_session_exec_t;
|
||||
-corecmd_executable_file(vnc_session_exec_t)
|
||||
type vnc_session_t;
|
||||
+type vnc_session_exec_t;
|
||||
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
|
||||
-auth_login_pgm_domain(vnc_session_t)
|
||||
+can_exec(vnc_session_t, vnc_session_exec_t)
|
||||
|
||||
type vnc_session_var_run_t;
|
||||
files_pid_file(vnc_session_var_run_t)
|
||||
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
||||
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
||||
-
|
||||
-auth_write_login_records(vnc_session_t)
|
||||
-
|
||||
-can_exec(vnc_session_t, vnc_session_exec_t)
|
||||
-
|
||||
-userdom_spec_domtrans_all_users(vnc_session_t)
|
||||
-userdom_signal_all_users(vnc_session_t)
|
||||
|
||||
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
|
||||
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
|
||||
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
||||
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
||||
+
|
||||
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
||||
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
||||
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
||||
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
||||
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
||||
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
||||
-
|
||||
-# This also affects other tools, e.g. vncpasswd
|
||||
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
||||
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
||||
-
|
||||
-miscfiles_read_localization(vnc_session_t)
|
||||
|
||||
kernel_read_kernel_sysctls(vnc_session_t)
|
||||
|
||||
-logging_append_all_logs(vnc_session_t)
|
||||
+corecmd_executable_file(vnc_session_exec_t)
|
||||
|
||||
mcs_process_set_categories(vnc_session_t)
|
||||
mcs_killall(vnc_session_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ auth_login_pgm_domain(vnc_session_t)
|
||||
+ auth_write_login_records(vnc_session_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ logging_append_all_logs(vnc_session_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ miscfiles_read_localization(vnc_session_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userdom_spec_domtrans_all_users(vnc_session_t)
|
||||
+ userdom_signal_all_users(vnc_session_t)
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
||||
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
||||
+
|
||||
+ # This also affects other tools, e.g. vncpasswd
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
||||
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
||||
+')
|
||||
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Tue, 18 May 2021 13:39:11 +0200
|
||||
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
|
||||
|
||||
The permissions set to manage directories and files with the nfs_t type
|
||||
is allowed when the use_nfs_home_dirs boolean is turned on.
|
||||
|
||||
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index 86fd6e5ef..46e699117 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
|
||||
mcs_process_set_categories(vnc_session_t)
|
||||
mcs_killall(vnc_session_t)
|
||||
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_dirs(vnc_session_t)
|
||||
+ fs_manage_nfs_files(vnc_session_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
auth_login_pgm_domain(vnc_session_t)
|
||||
auth_write_login_records(vnc_session_t)
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index 46e69911..f1108ec8 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -20,7 +20,6 @@
|
||||
policy_module(vncsession, 1.0.0)
|
||||
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
type xdm_home_t;
|
||||
')
|
||||
|
@ -11,10 +11,10 @@ Subject: [PATCH] SELinux: restore SELinux context in case of different
|
||||
3 files changed, 30 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 7bf9944..85be468 100644
|
||||
index 50247c7da..1708eb3d8 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -276,6 +276,19 @@ if(UNIX AND NOT APPLE)
|
||||
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
@ -35,7 +35,7 @@ index 7bf9944..85be468 100644
|
||||
configure_file(config.h.in config.h)
|
||||
add_definitions(-DHAVE_CONFIG_H)
|
||||
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
|
||||
index eeb4b7b..bce1c3e 100644
|
||||
index f65ccc7db..ae69dc098 100644
|
||||
--- a/unix/vncserver/CMakeLists.txt
|
||||
+++ b/unix/vncserver/CMakeLists.txt
|
||||
@@ -1,5 +1,5 @@
|
||||
@ -46,7 +46,7 @@ index eeb4b7b..bce1c3e 100644
|
||||
configure_file(vncserver@.service.in vncserver@.service @ONLY)
|
||||
configure_file(vncsession-start.in vncsession-start @ONLY)
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index f78c096..141f689 100644
|
||||
index 3573e5e9b..f6d2fd59e 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -37,6 +37,11 @@
|
||||
@ -61,8 +61,8 @@ index f78c096..141f689 100644
|
||||
extern char **environ;
|
||||
|
||||
// PAM service name
|
||||
@@ -359,6 +364,17 @@ redir_stdio(const char *homedir, const char *display)
|
||||
perror("mkdir");
|
||||
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
|
||||
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
+
|
||||
@ -78,4 +78,4 @@ index f78c096..141f689 100644
|
||||
+#endif
|
||||
}
|
||||
|
||||
if (gethostname(hostname, sizeof(hostname)) == -1) {
|
||||
hostlen = sysconf(_SC_HOST_NAME_MAX);
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 40f104ffe1e36df9613f8d316f616fb2b089cc86 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 13:37:16 +0200
|
||||
Subject: [PATCH] Use /run instead of /var/run which is just a symlink
|
||||
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.fc | 2 +-
|
||||
unix/vncserver/vncserver@.service.in | 2 +-
|
||||
unix/vncserver/vncsession.c | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
|
||||
index 121cdd237..ae768baa4 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.fc
|
||||
+++ b/unix/vncserver/selinux/vncsession.fc
|
||||
@@ -23,4 +23,4 @@ HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
||||
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
||||
|
||||
-/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
|
||||
+/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
|
||||
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
|
||||
index 584ecf4b1..5624dff76 100644
|
||||
--- a/unix/vncserver/vncserver@.service.in
|
||||
+++ b/unix/vncserver/vncserver@.service.in
|
||||
@@ -36,7 +36,7 @@ After=syslog.target network.target
|
||||
[Service]
|
||||
Type=forking
|
||||
ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
|
||||
-PIDFile=/var/run/vncsession-%i.pid
|
||||
+PIDFile=/run/vncsession-%i.pid
|
||||
SELinuxContext=system_u:system_r:vnc_session_t:s0
|
||||
|
||||
[Install]
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 3e0c98f0f..2b47f5f55 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -543,7 +543,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
|
||||
snprintf(pid_file, sizeof(pid_file),
|
||||
- "/var/run/vncsession-%s.pid", display);
|
||||
+ "/run/vncsession-%s.pid", display);
|
||||
f = fopen(pid_file, "w");
|
||||
if (f == NULL) {
|
||||
syslog(LOG_ERR, "Failure creating pid file \"%s\": %s",
|
@ -1,149 +0,0 @@
|
||||
From 38c6848b30cb1908171f2b4628e345fbf6727b39 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Fri, 18 Sep 2020 10:44:32 +0200
|
||||
Subject: [PATCH] Tolerate specifying -BoolParam 0 and similar
|
||||
|
||||
This is needed by vncserver which doesn't know which parameters are
|
||||
boolean, and it cannot use the -Param=Value form as that isn't tolerated
|
||||
by the Xorg code.
|
||||
---
|
||||
unix/vncserver/vncserver.in | 8 ++++----
|
||||
unix/xserver/hw/vnc/RFBGlue.cc | 16 ++++++++++++++++
|
||||
unix/xserver/hw/vnc/RFBGlue.h | 1 +
|
||||
unix/xserver/hw/vnc/xvnc.c | 14 ++++++++++++++
|
||||
vncviewer/vncviewer.cxx | 20 ++++++++++++++++++++
|
||||
5 files changed, 55 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/vncserver.in b/unix/vncserver/vncserver.in
|
||||
index 25fbbd315..261b258f1 100755
|
||||
--- a/unix/vncserver/vncserver.in
|
||||
+++ b/unix/vncserver/vncserver.in
|
||||
@@ -107,7 +107,7 @@ $default_opts{rfbwait} = 30000;
|
||||
$default_opts{rfbauth} = "$vncUserDir/passwd";
|
||||
$default_opts{rfbport} = $vncPort;
|
||||
$default_opts{fp} = $fontPath if ($fontPath);
|
||||
-$default_opts{pn} = "";
|
||||
+$default_opts{pn} = undef;
|
||||
|
||||
# Load user-overrideable system defaults
|
||||
LoadConfig($vncSystemConfigDefaultsFile);
|
||||
@@ -242,13 +242,13 @@ push(@cmd, "@CMAKE_INSTALL_FULL_BINDIR@/Xvnc", ":$displayNumber");
|
||||
|
||||
foreach my $k (sort keys %config) {
|
||||
push(@cmd, "-$k");
|
||||
- push(@cmd, $config{$k}) if $config{$k};
|
||||
+ push(@cmd, $config{$k}) if defined($config{$k});
|
||||
delete $default_opts{$k}; # file options take precedence
|
||||
}
|
||||
|
||||
foreach my $k (sort keys %default_opts) {
|
||||
push(@cmd, "-$k");
|
||||
- push(@cmd, $default_opts{$k}) if $default_opts{$k};
|
||||
+ push(@cmd, $default_opts{$k}) if defined($default_opts{$k});
|
||||
}
|
||||
|
||||
warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n";
|
||||
@@ -291,7 +291,7 @@ sub LoadConfig {
|
||||
# current config file being loaded defined the logical opposite setting
|
||||
# (NeverShared vs. AlwaysShared, etc etc).
|
||||
$toggle = lc($1); # must normalize key case
|
||||
- $config{$toggle} = $k;
|
||||
+ $config{$toggle} = undef;
|
||||
}
|
||||
}
|
||||
close(IN);
|
||||
diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc
|
||||
index f108fae43..7c32bea8f 100644
|
||||
--- a/unix/xserver/hw/vnc/RFBGlue.cc
|
||||
+++ b/unix/xserver/hw/vnc/RFBGlue.cc
|
||||
@@ -143,6 +143,22 @@ const char* vncGetParamDesc(const char *name)
|
||||
return param->getDescription();
|
||||
}
|
||||
|
||||
+int vncIsParamBool(const char *name)
|
||||
+{
|
||||
+ VoidParameter *param;
|
||||
+ BoolParameter *bparam;
|
||||
+
|
||||
+ param = rfb::Configuration::getParam(name);
|
||||
+ if (param == NULL)
|
||||
+ return false;
|
||||
+
|
||||
+ bparam = dynamic_cast<BoolParameter*>(param);
|
||||
+ if (bparam == NULL)
|
||||
+ return false;
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
int vncGetParamCount(void)
|
||||
{
|
||||
int count;
|
||||
diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h
|
||||
index 112405b84..695cea105 100644
|
||||
--- a/unix/xserver/hw/vnc/RFBGlue.h
|
||||
+++ b/unix/xserver/hw/vnc/RFBGlue.h
|
||||
@@ -41,6 +41,7 @@ int vncSetParam(const char *name, const char *value);
|
||||
int vncSetParamSimple(const char *nameAndValue);
|
||||
char* vncGetParam(const char *name);
|
||||
const char* vncGetParamDesc(const char *name);
|
||||
+int vncIsParamBool(const char *name);
|
||||
|
||||
int vncGetParamCount(void);
|
||||
char *vncGetParamList(void);
|
||||
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
|
||||
index 4eb0b0b13..5744acac8 100644
|
||||
--- a/unix/xserver/hw/vnc/xvnc.c
|
||||
+++ b/unix/xserver/hw/vnc/xvnc.c
|
||||
@@ -618,6 +618,20 @@ ddxProcessArgument(int argc, char *argv[], int i)
|
||||
exit(0);
|
||||
}
|
||||
|
||||
+ /* We need to resolve an ambiguity for booleans */
|
||||
+ if (argv[i][0] == '-' && i+1 < argc &&
|
||||
+ vncIsParamBool(&argv[i][1])) {
|
||||
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "1") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "true") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "false") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "no") == 0)) {
|
||||
+ vncSetParam(&argv[i][1], argv[i+1]);
|
||||
+ return 2;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (vncSetParamSimple(argv[i]))
|
||||
return 1;
|
||||
|
||||
diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
|
||||
index d4dd3063c..77ba3d3f4 100644
|
||||
--- a/vncviewer/vncviewer.cxx
|
||||
+++ b/vncviewer/vncviewer.cxx
|
||||
@@ -556,6 +556,26 @@ int main(int argc, char** argv)
|
||||
}
|
||||
|
||||
for (int i = 1; i < argc;) {
|
||||
+ /* We need to resolve an ambiguity for booleans */
|
||||
+ if (argv[i][0] == '-' && i+1 < argc) {
|
||||
+ VoidParameter *param;
|
||||
+
|
||||
+ param = Configuration::getParam(&argv[i][1]);
|
||||
+ if ((param != NULL) &&
|
||||
+ (dynamic_cast<BoolParameter*>(param) != NULL)) {
|
||||
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "1") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "true") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "false") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
|
||||
+ (strcasecmp(argv[i+1], "no") == 0)) {
|
||||
+ param->setParam(argv[i+1]);
|
||||
+ i += 2;
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (Configuration::setParam(argv[i])) {
|
||||
i++;
|
||||
continue;
|
@ -1,198 +0,0 @@
|
||||
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
|
||||
index 9900837..59d2086 100644
|
||||
--- a/common/rfb/CSecurityTLS.cxx
|
||||
+++ b/common/rfb/CSecurityTLS.cxx
|
||||
@@ -210,26 +210,66 @@ void CSecurityTLS::setParam()
|
||||
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
|
||||
|
||||
int ret;
|
||||
- char *prio;
|
||||
- const char *err;
|
||||
|
||||
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
||||
- strlen(kx_anon_priority) + 1);
|
||||
- if (prio == NULL)
|
||||
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+ // Custom priority string specified?
|
||||
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
|
||||
+ char *prio;
|
||||
+ const char *err;
|
||||
|
||||
- strcpy(prio, Security::GnuTLSPriority);
|
||||
- if (anon)
|
||||
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
||||
+ strlen(kx_anon_priority) + 1);
|
||||
+ if (prio == NULL)
|
||||
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+
|
||||
+ strcpy(prio, Security::GnuTLSPriority);
|
||||
+ if (anon)
|
||||
+ strcat(prio, kx_anon_priority);
|
||||
+
|
||||
+ ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
+
|
||||
+ free(prio);
|
||||
+
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ }
|
||||
+ } else if (anon) {
|
||||
+ const char *err;
|
||||
+
|
||||
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
||||
+ // gnutls_set_default_priority_appends() expects a normal priority string that
|
||||
+ // doesn't start with ":".
|
||||
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
|
||||
+ }
|
||||
+#else
|
||||
+ // We don't know what the system default priority is, so we guess
|
||||
+ // it's what upstream GnuTLS has
|
||||
+ static const char gnutls_default_priority[] = "NORMAL";
|
||||
+ char *prio;
|
||||
+
|
||||
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
|
||||
+ strlen(kx_anon_priority) + 1);
|
||||
+ if (prio == NULL)
|
||||
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+
|
||||
+ strcpy(prio, gnutls_default_priority);
|
||||
strcat(prio, kx_anon_priority);
|
||||
|
||||
- ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
+ ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
|
||||
- free(prio);
|
||||
+ free(prio);
|
||||
|
||||
- if (ret != GNUTLS_E_SUCCESS) {
|
||||
- if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
- vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
- throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
if (anon) {
|
||||
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
|
||||
index ef5d8c9..f32f87f 100644
|
||||
--- a/common/rfb/SSecurityTLS.cxx
|
||||
+++ b/common/rfb/SSecurityTLS.cxx
|
||||
@@ -198,26 +198,66 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
||||
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
|
||||
|
||||
int ret;
|
||||
- char *prio;
|
||||
- const char *err;
|
||||
|
||||
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
||||
- strlen(kx_anon_priority) + 1);
|
||||
- if (prio == NULL)
|
||||
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+ // Custom priority string specified?
|
||||
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
|
||||
+ char *prio;
|
||||
+ const char *err;
|
||||
|
||||
- strcpy(prio, Security::GnuTLSPriority);
|
||||
- if (anon)
|
||||
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
||||
+ strlen(kx_anon_priority) + 1);
|
||||
+ if (prio == NULL)
|
||||
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+
|
||||
+ strcpy(prio, Security::GnuTLSPriority);
|
||||
+ if (anon)
|
||||
+ strcat(prio, kx_anon_priority);
|
||||
+
|
||||
+ ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
+
|
||||
+ free(prio);
|
||||
+
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ }
|
||||
+ } else if (anon) {
|
||||
+ const char *err;
|
||||
+
|
||||
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
||||
+ // gnutls_set_default_priority_appends() expects a normal priority string that
|
||||
+ // doesn't start with ":".
|
||||
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
|
||||
+ }
|
||||
+#else
|
||||
+ // We don't know what the system default priority is, so we guess
|
||||
+ // it's what upstream GnuTLS has
|
||||
+ static const char gnutls_default_priority[] = "NORMAL";
|
||||
+ char *prio;
|
||||
+
|
||||
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
|
||||
+ strlen(kx_anon_priority) + 1);
|
||||
+ if (prio == NULL)
|
||||
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
||||
+
|
||||
+ strcpy(prio, gnutls_default_priority);
|
||||
strcat(prio, kx_anon_priority);
|
||||
|
||||
- ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
+ ret = gnutls_priority_set_direct(session, prio, &err);
|
||||
|
||||
- free(prio);
|
||||
+ free(prio);
|
||||
|
||||
- if (ret != GNUTLS_E_SUCCESS) {
|
||||
- if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
- vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
- throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ if (ret != GNUTLS_E_SUCCESS) {
|
||||
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
||||
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
||||
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
|
||||
index 0666041..59deb78 100644
|
||||
--- a/common/rfb/Security.cxx
|
||||
+++ b/common/rfb/Security.cxx
|
||||
@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
|
||||
#ifdef HAVE_GNUTLS
|
||||
StringParameter Security::GnuTLSPriority("GnuTLSPriority",
|
||||
"GnuTLS priority string that controls the TLS session’s handshake algorithms",
|
||||
- "NORMAL");
|
||||
+ "");
|
||||
#endif
|
||||
|
||||
Security::Security()
|
||||
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
||||
index 83621c0..4a0d20c 100644
|
||||
--- a/unix/xserver/hw/vnc/Xvnc.man
|
||||
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
||||
@@ -226,7 +226,9 @@ also be in PEM format.
|
||||
.TP
|
||||
.B \-GnuTLSPriority \fIpriority\fP
|
||||
GnuTLS priority string that controls the TLS session’s handshake algorithms.
|
||||
-See the GnuTLS manual for possible values. Default is \fBNORMAL\fP.
|
||||
+See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default
|
||||
+value will be \fBNORMAL\fP to use upstream default. For newer versions
|
||||
+of GnuTLS system-wide crypto policy will be used.
|
||||
.
|
||||
.TP
|
||||
.B \-UseBlacklist
|
@ -8,29 +8,29 @@ for systemd service file in order to properly start the session
|
||||
in case the policy is updated (e.g. after Tigervnc update).
|
||||
|
||||
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
|
||||
index bce1c3e..44c4e2a 100644
|
||||
index ae69dc09..04eb6fc4 100644
|
||||
--- a/unix/vncserver/CMakeLists.txt
|
||||
+++ b/unix/vncserver/CMakeLists.txt
|
||||
@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
|
||||
target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
|
||||
|
||||
|
||||
configure_file(vncserver@.service.in vncserver@.service @ONLY)
|
||||
+configure_file(vncsession-restore.in vncsession-restore @ONLY)
|
||||
configure_file(vncsession-start.in vncsession-start @ONLY)
|
||||
configure_file(vncserver.in vncserver @ONLY)
|
||||
|
||||
@@ -17,4 +18,5 @@ install(FILES vncserver.users DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tiger
|
||||
configure_file(vncsession.man.in vncsession.man @ONLY)
|
||||
@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
|
||||
if(INSTALL_SYSTEMD_UNITS)
|
||||
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
|
||||
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
|
||||
+ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
|
||||
endif()
|
||||
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
|
||||
index 5624dff..be62c85 100644
|
||||
index 39f81b73..a83e05a3 100644
|
||||
--- a/unix/vncserver/vncserver@.service.in
|
||||
+++ b/unix/vncserver/vncserver@.service.in
|
||||
@@ -35,6 +35,7 @@ After=syslog.target network.target
|
||||
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
|
||||
|
@ -1,120 +0,0 @@
|
||||
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
|
||||
index d5ef47e..ef5d8c9 100644
|
||||
--- a/common/rfb/SSecurityTLS.cxx
|
||||
+++ b/common/rfb/SSecurityTLS.cxx
|
||||
@@ -37,7 +37,23 @@
|
||||
#include <rdr/TLSOutStream.h>
|
||||
#include <gnutls/x509.h>
|
||||
|
||||
-#define DH_BITS 1024 /* XXX This should be configurable! */
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
|
||||
+static unsigned char ffdhe2048[] =
|
||||
+ "-----BEGIN DH PARAMETERS-----\n"
|
||||
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
|
||||
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
|
||||
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
|
||||
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
|
||||
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
|
||||
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
|
||||
+ "-----END DH PARAMETERS-----\n";
|
||||
+
|
||||
+static const gnutls_datum_t ffdhe_pkcs3_param = {
|
||||
+ ffdhe2048,
|
||||
+ sizeof(ffdhe2048)
|
||||
+};
|
||||
+#endif
|
||||
|
||||
using namespace rfb;
|
||||
|
||||
@@ -50,10 +66,14 @@ StringParameter SSecurityTLS::X509_KeyFile
|
||||
static LogWriter vlog("TLS");
|
||||
|
||||
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
|
||||
- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
|
||||
+ : SSecurity(sc), session(NULL), anon_cred(NULL),
|
||||
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
|
||||
rawis(NULL), rawos(NULL)
|
||||
{
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
+ dh_params = NULL;
|
||||
+#endif
|
||||
+
|
||||
certfile = X509_CertFile.getData();
|
||||
keyfile = X509_KeyFile.getData();
|
||||
|
||||
@@ -70,10 +90,12 @@ void SSecurityTLS::shutdown()
|
||||
}
|
||||
}
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
if (dh_params) {
|
||||
gnutls_dh_params_deinit(dh_params);
|
||||
dh_params = 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
if (anon_cred) {
|
||||
gnutls_anon_free_server_credentials(anon_cred);
|
||||
@@ -198,17 +220,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
||||
throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
}
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_dh_params_init failed");
|
||||
|
||||
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
|
||||
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
|
||||
+ if (gnutls_dh_params_import_pkcs3(dh_params, &ffdhe_pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
|
||||
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
|
||||
+#endif
|
||||
|
||||
if (anon) {
|
||||
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
|
||||
+#endif
|
||||
|
||||
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
|
||||
!= GNUTLS_E_SUCCESS)
|
||||
@@ -220,7 +246,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
||||
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_certificate_set_dh_params(cert_cred, dh_params);
|
||||
+#endif
|
||||
|
||||
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
|
||||
case GNUTLS_E_SUCCESS:
|
||||
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
|
||||
index dd89bb4..0cb463d 100644
|
||||
--- a/common/rfb/SSecurityTLS.h
|
||||
+++ b/common/rfb/SSecurityTLS.h
|
||||
@@ -36,6 +36,13 @@
|
||||
#include <rdr/OutStream.h>
|
||||
#include <gnutls/gnutls.h>
|
||||
|
||||
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
|
||||
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
|
||||
+ */
|
||||
+#if GNUTLS_VERSION_NUMBER < 0x030600
|
||||
+#define SSECURITYTLS__USE_DEPRECATED_DH
|
||||
+#endif
|
||||
+
|
||||
namespace rfb {
|
||||
|
||||
class SSecurityTLS : public SSecurity {
|
||||
@@ -55,7 +62,9 @@ namespace rfb {
|
||||
|
||||
private:
|
||||
gnutls_session_t session;
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_dh_params_t dh_params;
|
||||
+#endif
|
||||
gnutls_anon_server_credentials_t anon_cred;
|
||||
gnutls_certificate_credentials_t cert_cred;
|
||||
char *keyfile, *certfile;
|
@ -4,8 +4,8 @@
|
||||
%global modulename vncsession
|
||||
|
||||
Name: tigervnc
|
||||
Version: 1.11.0
|
||||
Release: 21%{?dist}
|
||||
Version: 1.12.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A TigerVNC remote display system
|
||||
|
||||
%global _hardened_build 1
|
||||
@ -17,28 +17,18 @@ Source0: %{name}-%{version}.tar.gz
|
||||
Source1: xvnc.service
|
||||
Source2: xvnc.socket
|
||||
Source3: 10-libvnc.conf
|
||||
Source4: HOWTO.md
|
||||
|
||||
# Backwards compatibility
|
||||
Source5: vncserver
|
||||
Source6: vncserver.man
|
||||
|
||||
# Downstream patches
|
||||
Patch1: tigervnc-use-gnome-as-default-session.patch
|
||||
|
||||
# Upstream patches (can be dropped with next Tigervnc release)
|
||||
Patch51: tigervnc-let-user-know-about-not-using-view-only-password.patch
|
||||
Patch52: tigervnc-working-tls-on-fips-systems.patch
|
||||
Patch53: tigervnc-utilize-system-crypto-policies.patch
|
||||
Patch54: tigervnc-passwd-crash-with-malloc-checks.patch
|
||||
Patch55: tigervnc-tolerate-specifying-boolparam.patch
|
||||
Patch56: tigervnc-systemd-service.patch
|
||||
Patch57: tigervnc-correctly-start-vncsession-as-daemon.patch
|
||||
Patch58: tigervnc-selinux-missing-compression-and-correct-location.patch
|
||||
Patch59: tigervnc-selinux-policy-improvements.patch
|
||||
Patch60: tigervnc-argb-runtime-ximage-byteorder-selection.patch
|
||||
Patch61: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
|
||||
Patch62: tigervnc-root-user-selinux-context.patch
|
||||
Patch63: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||
# Upstream patches
|
||||
Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
|
||||
Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch
|
||||
Patch52: tigervnc-root-user-selinux-context.patch
|
||||
Patch53: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||
|
||||
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
||||
Patch100: tigervnc-xserver120.patch
|
||||
@ -54,7 +44,7 @@ BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel
|
||||
BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
|
||||
BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel
|
||||
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
|
||||
BuildRequires: libdrm-devel, libXt-devel, pixman-devel,
|
||||
BuildRequires: libdrm-devel, libXt-devel, pixman-devel, libselinux-devel
|
||||
BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel
|
||||
%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
|
||||
BuildRequires: libXfont2-devel
|
||||
@ -147,6 +137,10 @@ BuildRequires: selinux-policy-devel
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
# Required for matchpathcon
|
||||
Requires: libselinux-utils
|
||||
# Required for restorecon
|
||||
Requires: policycoreutils
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
@ -168,19 +162,10 @@ popd
|
||||
%patch1 -p1 -b .use-gnome-as-default-session
|
||||
|
||||
# Upstream patches
|
||||
%patch51 -p1 -b .let-user-know-about-not-using-view-only-password
|
||||
%patch52 -p1 -b .working-tls-on-fips-systems
|
||||
%patch53 -p1 -b .utilize-system-crypto-policies
|
||||
%patch54 -p1 -b .passwd-crash-with-malloc-checks
|
||||
%patch55 -p1 -b .tolerate-specifying-boolparam
|
||||
%patch56 -p1 -b .systemd-service
|
||||
%patch57 -p1 -b .correctly-start-vncsession-as-daemon
|
||||
%patch58 -p1 -b .selinux-missing-compression-and-correct-location
|
||||
%patch59 -p1 -b .selinux-policy-improvements
|
||||
%patch60 -p1 -b .argb-runtime-ximage-byteorder-selection
|
||||
%patch61 -p1 -b .selinux-restore-context-in-case-of-different-policies
|
||||
%patch62 -p1 -b .root-user-selinux-context
|
||||
%patch63 -p1 -b .vncsession-restore-script-systemd-service
|
||||
%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
|
||||
%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
|
||||
%patch52 -p1 -b .root-user-selinux-context
|
||||
%patch53 -p1 -b .vncsession-restore-script-systemd-service
|
||||
|
||||
%build
|
||||
%ifarch sparcv9 sparc64 s390 s390x
|
||||
@ -275,10 +260,7 @@ echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
|
||||
EOF
|
||||
chmod +x %{buildroot}/%{_bindir}/vncserver
|
||||
%else
|
||||
rm -f %{buildroot}/%{_mandir}/man8/vncserver.8
|
||||
|
||||
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
||||
install -m 644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/vncserver.8
|
||||
%endif
|
||||
|
||||
%find_lang %{name} %{name}.lang
|
||||
@ -289,14 +271,12 @@ rm -f %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
|
||||
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||
|
||||
install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
|
||||
|
||||
%post server
|
||||
%systemd_post xvnc@.service
|
||||
%systemd_post xvnc.socket
|
||||
|
||||
%preun server
|
||||
%systemd_preun xvnc@.service
|
||||
%systemd_preun xvnc@*.service
|
||||
%systemd_preun xvnc.socket
|
||||
|
||||
%postun server
|
||||
@ -365,6 +345,11 @@ fi
|
||||
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
|
||||
%changelog
|
||||
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0 + sync with Fedora
|
||||
Resolves: bz#2048011
|
||||
Resolves: bz#2021893
|
||||
|
||||
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
|
||||
- Added vncsession-restore script for SELinux policy migration
|
||||
Fix SELinux context for root user
|
||||
|
@ -168,7 +168,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
|
||||
$displayNumber = $1;
|
||||
shift(@ARGV);
|
||||
if (!&CheckDisplayNumber($displayNumber)) {
|
||||
die "A VNC server is already running as :$displayNumber\n";
|
||||
warn "A VNC server is already running as :$displayNumber\n";
|
||||
$displayNumber = &GetDisplayNumber();
|
||||
}
|
||||
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
|
||||
&Usage();
|
||||
|
Loading…
Reference in New Issue
Block a user