diff --git a/flatpak-1.13.3-add-gssproxy-support.patch b/flatpak-1.13.3-add-gssproxy-support.patch
index d133daf..3e22d45 100644
--- a/flatpak-1.13.3-add-gssproxy-support.patch
+++ b/flatpak-1.13.3-add-gssproxy-support.patch
@@ -1,4 +1,4 @@
-From 66dec57ed23421c153af4eae36d2c3ca8501e380 Mon Sep 17 00:00:00 2001
+From b9f4200b9674638ee2879db568e30219e81d5ed8 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Thu, 12 May 2022 12:44:59 -0500
Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
@@ -18,10 +18,10 @@ See also: https://github.com/gssapi/gssproxy/issues/45
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index e4391019a0..adf54ed474 100644
+index bf85f47c..3ec007cf 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
-@@ -923,6 +923,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
+@@ -955,6 +955,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap,
flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
}
@@ -32,16 +32,16 @@ index e4391019a0..adf54ed474 100644
+ * not intended to be exposed to sandboxed environments.
+ */
+ g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
-+ const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/";
++ const char *gssproxy_sandboxed_dir = "/run/flatpak/gssproxy/";
+
+ if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
-+ flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
++ flatpak_bwrap_add_args (bwrap, "--ro-bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
+}
+
static void
flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
{
-@@ -4560,7 +4573,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
+@@ -4611,7 +4624,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
}
if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
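Review bot: The refreshed hunk in `flatpak_run_add_gssproxy_args` changes two things the surviving comment does not explain — the sandbox path becoming `/run/flatpak/gssproxy/` and the mount becoming `--ro-bind` — so the rationale currently lives only in this spec's changelog. If I recall the VFS rule correctly, a read-only mount only refuses write permission on regular files, directories and symlinks, so connect() on the socket inside that directory still succeeds while the app can no longer create or unlink entries in the user's `$XDG_RUNTIME_DIR/gssproxy`; I would capture that next to the bind, e.g. `/* --ro-bind: the socket stays connect()-able on a read-only mount, but the app cannot add or remove entries in the host directory. */`. The sandboxed path presumably has to match the socket path in the gssproxy client configuration the runtime ships, so a line such as `/* Must stay in sync with the gssproxy mech config inside the runtime. */` above `gssproxy_sandboxed_dir` would keep a future path change from silently breaking Kerberos in the sandbox. The last hunk suggests the call sits under the `FLATPAK_CONTEXT_SHARED_NETWORK` check rather than behind a permission of its own, which deserves a sentence in the function comment since it lets any network-enabled app drive GSSAPI operations with the user's credentials through the proxy; that call site continues outside the hunk.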
@@ -53,8 +53,10 @@ index e4391019a0..adf54ed474 100644
flatpak_run_add_journal_args (bwrap);
add_font_path_args (bwrap);
+--
+2.37.3
-From d9f214ed47fba50daa433ce6145acd93f56bc781 Mon Sep 17 00:00:00 2001
+From 9e32923a46ffd336dffc4fa7c7a1ee05ae2d39ae Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Mon, 23 May 2022 09:59:48 -0500
Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
@@ -77,10 +79,10 @@ host.
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index adf54ed474..e689920a08 100644
+index 3ec007cf..b650be46 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
-@@ -1850,7 +1850,8 @@ static const ExportData default_exports[] = {
+@@ -1887,7 +1887,8 @@ static const ExportData default_exports[] = {
{"XDG_RUNTIME_DIR", NULL},
/* Some env vars are common enough and will affect the sandbox badly
@@ -90,7 +92,7 @@ index adf54ed474..e689920a08 100644
{"PYTHONPATH", NULL},
{"PERLLIB", NULL},
{"PERL5LIB", NULL},
-@@ -1867,6 +1868,7 @@ static const ExportData default_exports[] = {
+@@ -1904,6 +1905,7 @@ static const ExportData default_exports[] = {
{"GST_PTP_HELPER", NULL},
{"GST_PTP_HELPER_1_0", NULL},
{"GST_INSTALL_PLUGINS_HELPER", NULL},
@@ -99,7 +101,7 @@ index adf54ed474..e689920a08 100644
static const ExportData no_ld_so_cache_exports[] = {
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
-index f8d9e5eecd..4dc0b53149 100644
+index e1aa5e1c..77cd3ad0 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -97,6 +97,7 @@
@@ -110,3 +112,5 @@ index f8d9e5eecd..4dc0b53149 100644
Also several environment variables with the prefix "GST_" that are used by gstreamer
+--
+2.37.3
diff --git a/flatpak.spec b/flatpak.spec
index a6bdd96..ff8899c 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -6,7 +6,7 @@
Name: flatpak
Version: 1.14.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPLv2+
@@ -279,6 +279,9 @@ fi
%changelog
+* Thu Sep 15 2022 Michael Catanzaro - 1.14.0-2
+- Refresh gssproxy patch to use new socket path
+
* Wed Sep 07 2022 Kalev Lember - 1.14.0-1
- Update to 1.14.0