From 46af40e4bceb542e49abe006a71058a6773ca8ae Mon Sep 17 00:00:00 2001 From: Owen W. Taylor Date: Nov 30 2018 21:49:35 +0000 Subject: Fix OCI system remotes Add patches so that the system-helper downloads and creates the summary data, and so that the icon permissions are correct. --- diff --git a/OCI-Use-system-helper-to-generate-summary-for-OCI-re.patch b/OCI-Use-system-helper-to-generate-summary-for-OCI-re.patch new file mode 100644 index 0000000..27415bd --- /dev/null +++ b/OCI-Use-system-helper-to-generate-summary-for-OCI-re.patch @@ -0,0 +1,272 @@ +From efd698210389f6be52c04117ca8615971ec009fc Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Fri, 30 Nov 2018 10:30:20 +0100 +Subject: [PATCH] OCI: Use system helper to generate summary for OCI remotes + +The OCI support relies on downloading a json index and converting it +to a ostree-style summary, which we the use in all sorts of operations +in the client code. Currently this happens in the user code, which means +that it will fail (due to permissions) in the system installation case. + +We could do the conversion as the user, but when eventually installing +something the system-helper will anyway do this download and +conversion, so that would only double the work and risk things going out +of sync. Also, the OCI index is not gpg signed, so we can't realy on +downloads done as the user. + +So, the solution done here is to add a GenerateOciSummary +system-helper call which we use instead of directly generating the +oci summary. + +This fixes https://github.com/flatpak/flatpak/issues/2350 +--- + common/flatpak-dir-private.h | 5 ++ + common/flatpak-dir.c | 94 +++++++++++++++++++-------- + data/org.freedesktop.Flatpak.xml | 5 ++ + system-helper/flatpak-system-helper.c | 54 ++++++++++++++- + 4 files changed, 131 insertions(+), 27 deletions(-) + +diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h +index da7ea8e3..4d47385a 100644 +--- a/common/flatpak-dir-private.h ++++ b/common/flatpak-dir-private.h +@@ -720,6 +720,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel + GBytes *opt_summary_sig, + GCancellable *cancellable, + GError **error); ++gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self, ++ const char *remote, ++ GBytes **out_summary, ++ GCancellable *cancellable, ++ GError **error); + FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self, + const char *remote, + GCancellable *cancellable, +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 0809a42b..4698aa4a 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self, + return ret != NULL; + } + ++static gboolean ++flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self, ++ const gchar *arg_origin, ++ const gchar *arg_installation, ++ GCancellable *cancellable, ++ GError **error) ++{ ++ g_autoptr(GVariant) ret = ++ flatpak_dir_system_helper_call (self, "GenerateOciSummary", ++ g_variant_new ("(ss)", ++ arg_origin, ++ arg_installation), ++ cancellable, error); ++ return ret != NULL; ++} ++ + static OstreeRepo * + system_ostree_repo_new (GFile *repodir) + { +@@ -9104,7 +9120,7 @@ flatpak_dir_cache_summary (FlatpakDir *self, + G_UNLOCK (cache); + } + +-static gboolean ++gboolean + flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + const char *remote, + GBytes **out_summary, +@@ -9119,42 +9135,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + g_autoptr(GError) local_error = NULL; + g_autoptr(GMappedFile) mfile = NULL; + g_autoptr(GBytes) cache_bytes = NULL; ++ g_autoptr(GBytes) summary_bytes = NULL; + +- self_name = flatpak_dir_get_name (self); +- +- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); +- if (index_cache == NULL) +- return FALSE; ++ if (flatpak_dir_use_system_helper (self, NULL)) ++ { ++ const char *installation = flatpak_dir_get_id (self); + +- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); +- if (summary_cache == NULL) +- return FALSE; ++ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote, ++ installation ? installation : "", ++ cancellable, error)) ++ return FALSE; + +- if (check_destination_mtime (index_cache, summary_cache, cancellable)) ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ } ++ else + { +- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL); +- if (mfile) ++ self_name = flatpak_dir_get_name (self); ++ ++ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); ++ if (index_cache == NULL) ++ return FALSE; ++ ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ ++ if (!check_destination_mtime (index_cache, summary_cache, cancellable)) + { +- cache_bytes = g_mapped_file_get_bytes (mfile); +- *out_summary = g_steal_pointer (&cache_bytes); ++ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); ++ if (summary == NULL) ++ { ++ g_propagate_error (error, g_steal_pointer (&local_error)); ++ return FALSE; ++ } ++ ++ summary_bytes = g_variant_get_data_as_bytes (summary); ++ ++ if (!g_file_replace_contents (summary_cache, ++ g_bytes_get_data (summary_bytes, NULL), ++ g_bytes_get_size (summary_bytes), ++ NULL, FALSE, 0, NULL, cancellable, error)) ++ { ++ g_prefix_error (error, _("Failed to write summary cache: ")); ++ return FALSE; ++ } ++ ++ if (out_summary) ++ *out_summary = g_steal_pointer (&summary_bytes); + return TRUE; + } + } + +- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); +- if (summary == NULL) ++ if (out_summary) + { +- g_propagate_error (error, g_steal_pointer (&local_error)); +- return FALSE; +- } +- +- *out_summary = g_variant_get_data_as_bytes (summary); ++ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error); ++ if (mfile == NULL) ++ return FALSE; + +- if (!g_file_replace_contents (summary_cache, +- g_bytes_get_data (*out_summary, NULL), +- g_bytes_get_size (*out_summary), +- NULL, FALSE, 0, NULL, cancellable, NULL)) +- g_warning ("Failed to write summary cache"); ++ cache_bytes = g_mapped_file_get_bytes (mfile); ++ *out_summary = g_steal_pointer (&cache_bytes); ++ } + + return TRUE; + } +diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml +index 25dc8a02..8b1606c6 100644 +--- a/data/org.freedesktop.Flatpak.xml ++++ b/data/org.freedesktop.Flatpak.xml +@@ -144,6 +144,11 @@ + + + ++ ++ ++ ++ ++ + + + +diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c +index ce647b6e..24b3ddf9 100644 +--- a/system-helper/flatpak-system-helper.c ++++ b/system-helper/flatpak-system-helper.c +@@ -1122,6 +1122,56 @@ handle_update_summary (FlatpakSystemHelper *object, + return TRUE; + } + ++static gboolean ++handle_generate_oci_summary (FlatpakSystemHelper *object, ++ GDBusMethodInvocation *invocation, ++ const gchar *arg_origin, ++ const gchar *arg_installation) ++{ ++ g_autoptr(FlatpakDir) system = NULL; ++ g_autoptr(GError) error = NULL; ++ g_autofree char *new_branch = NULL; ++ g_autofree char *old_branch = NULL; ++ gboolean is_oci; ++ ++ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation); ++ ++ system = dir_get_system (arg_installation, &error); ++ if (system == NULL) ++ { ++ g_dbus_method_invocation_return_gerror (invocation, error); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_ensure_repo (system, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Can't open system repo %s", error->message); ++ return TRUE; ++ } ++ ++ is_oci = flatpak_dir_get_remote_oci (system, arg_origin); ++ if (!is_oci) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, ++ "%s is not a OCI remote", arg_origin); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Failed to update OCI summary: %s", error->message); ++ return TRUE; ++ } ++ ++ ++ flatpak_system_helper_complete_generate_oci_summary (object, invocation); ++ ++ return TRUE; ++} ++ ++ + static gboolean + flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + GDBusMethodInvocation *invocation, +@@ -1250,7 +1300,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + g_strcmp0 (method_name, "PruneLocalRepo") == 0 || + g_strcmp0 (method_name, "EnsureRepo") == 0 || + g_strcmp0 (method_name, "RunTriggers") == 0 || +- g_strcmp0 (method_name, "UpdateSummary") == 0) ++ g_strcmp0 (method_name, "UpdateSummary") == 0 || ++ g_strcmp0 (method_name, "GenerateOciSummary") == 0) + { + const char *remote; + +@@ -1321,6 +1372,7 @@ on_bus_acquired (GDBusConnection *connection, + g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL); + g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL); + g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), NULL); ++ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL); + + g_signal_connect (helper, "g-authorize-method", + G_CALLBACK (flatpak_authorize_method_handler), +-- +2.19.1 + diff --git a/flatpak.spec b/flatpak.spec index 24ac2c7..d209409 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -3,13 +3,18 @@ Name: flatpak Version: 1.0.6 -Release: 1%{?dist} +Release: 3%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz +# https://github.com/flatpak/flatpak/pull/2357 +Patch0: OCI-Use-system-helper-to-generate-summary-for-OCI-re.patch +# https://github.com/flatpak/flatpak/pull/2362 +Patch1: flatpak_cache_http_uri-save-downloaded-files-with-pe.patch + BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 @@ -153,6 +158,10 @@ flatpak remote-list --system &> /dev/null || : %changelog +* Fri Nov 30 2018 fedora-toolbox - 1.0.6-3 +- Add a patch to fix OCI system remotes +- Add patch fixing permissions on icons downloaded from an OCI registry + * Fri Nov 16 2018 Kalev Lember - 1.0.6-1 - Update to 1.0.6 diff --git a/flatpak_cache_http_uri-save-downloaded-files-with-pe.patch b/flatpak_cache_http_uri-save-downloaded-files-with-pe.patch new file mode 100644 index 0000000..b724c14 --- /dev/null +++ b/flatpak_cache_http_uri-save-downloaded-files-with-pe.patch @@ -0,0 +1,30 @@ +From bb1076ab776886b82efcfee753f201a6ff72dfce Mon Sep 17 00:00:00 2001 +From: "Owen W. Taylor" +Date: Fri, 30 Nov 2018 16:11:06 -0500 +Subject: [PATCH] flatpak_cache_http_uri: save downloaded files with permission + 0644 + +Previously, downloaded files were being saved with 0600 permissions, +which prevented OCI icons downloaded by the system helper at appstream +creation time from being read by users. +--- + common/flatpak-utils-http.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c +index 53074162..997c9db8 100644 +--- a/common/flatpak-utils-http.c ++++ b/common/flatpak-utils-http.c +@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile, + if (fdatasync (tmpfile->fd) != 0) + return glnx_throw_errno_prefix (error, "fdatasync"); + ++ if (fchmod (tmpfile->fd, 0644) != 0) ++ return glnx_throw_errno_prefix (error, "fchmod"); ++ + if (!glnx_link_tmpfile_at (tmpfile, + GLNX_LINK_TMPFILE_REPLACE, + tmpfile->src_dfd, dest_name, error)) +-- +2.19.2 +