
[bug#55072] [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox


From: Zhu Zihao
Subject: [bug#55072] [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.
Date: Sat, 23 Apr 2022 10:45:47 +0800
User-agent: mu4e 1.6.10; emacs 27.2


Attachment: signature.asc
Description: PGP signature

>From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Thu, 21 Apr 2022 18:48:51 +0800
Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.

* gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.
---
 gnu/packages/virtualization.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index f3396e7c94..3f7c6312f2 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -27,6 +27,7 @@
 ;;; Copyright © 2022 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2022 Ekaitz Zarraga <ekaitz@elenq.tech>
 ;;; Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2022 Zhu Zihao <all_but_last@163.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1950,7 +1951,7 @@ (define-public python-vagrant
 (define-public bubblewrap
   (package
     (name "bubblewrap")
-    (version "0.5.0")
+    (version "0.6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/containers/bubblewrap/";
@@ -1958,7 +1959,7 @@ (define-public bubblewrap
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0608l2sjwhnb1c0mslah1h6yjvqr17wk60by6i710qwxg4rszz8n"))
+                "10ij62jg7p2scwdx0pm141ss7p2gjdkbbymb56y8miib2vfcf2cn"))
                (patches (search-patches 
"bubblewrap-fix-locale-in-tests.patch"))))
     (build-system gnu-build-system)
     (arguments
-- 
2.35.1

>From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Thu, 21 Apr 2022 18:52:21 +0800
Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions.

* gnu/packages/package-management.scm (flatpak): Fix indentation.
[arguments]: Use G-expressions.
---
 gnu/packages/package-management.scm | 183 ++++++++++++++--------------
 1 file changed, 92 insertions(+), 91 deletions(-)

diff --git a/gnu/packages/package-management.scm 
b/gnu/packages/package-management.scm
index 9c5db0d608..2ea639d376 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1795,103 +1795,104 @@ (define-public libostree
 
 (define-public flatpak
   (package
-   (name "flatpak")
-   (version "1.12.7")
-   (source
-    (origin
-     (method url-fetch)
-     (uri (string-append 
"https://github.com/flatpak/flatpak/releases/download/";
-                         version "/flatpak-" version ".tar.xz"))
-     (sha256
-      (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-     (patches (search-patches "flatpak-fix-path.patch"))))
+    (name "flatpak")
+    (version "1.12.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append 
"https://github.com/flatpak/flatpak/releases/download/";
+                           version "/flatpak-" version ".tar.xz"))
+       (sha256
+        (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
+       (patches (search-patches "flatpak-fix-path.patch"))))
 
-   ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
-   ;; find the TLS backend in glib-networking.
-   (build-system glib-or-gtk-build-system)
+    ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
+    ;; find the TLS backend in glib-networking.
+    (build-system glib-or-gtk-build-system)
 
-   (arguments
-    '(#:configure-flags
-      (list
-       "--enable-documentation=no" ;; FIXME
-       "--enable-system-helper=no"
-       "--localstatedir=/var"
-       (string-append "--with-system-bubblewrap="
-                      (assoc-ref %build-inputs "bubblewrap")
-                      "/bin/bwrap")
-       (string-append "--with-system-dbus-proxy="
-                      (assoc-ref %build-inputs "xdg-dbus-proxy")
-                      "/bin/xdg-dbus-proxy"))
+    (arguments
+     (list
+      #:configure-flags
+      #~(list
+         "--enable-documentation=no" ;; FIXME
+         "--enable-system-helper=no"
+         "--localstatedir=/var"
+         (string-append "--with-system-bubblewrap="
+                        (assoc-ref %build-inputs "bubblewrap")
+                        "/bin/bwrap")
+         (string-append "--with-system-dbus-proxy="
+                        (assoc-ref %build-inputs "xdg-dbus-proxy")
+                        "/bin/xdg-dbus-proxy"))
       #:phases
-      (modify-phases %standard-phases
-        (add-after 'unpack 'fix-tests
-          (lambda* (#:key inputs #:allow-other-keys)
-            (copy-recursively
-             (search-input-directory inputs "lib/locale")
-             "/tmp/locale")
-            (for-each make-file-writable (find-files "/tmp"))
-            (substitute* "tests/make-test-runtime.sh"
-              (("cp `which.*") "echo guix\n")
-              (("cp -r /usr/lib/locale/C\\.\\*")
-               (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'fix-tests
+            (lambda* (#:key inputs #:allow-other-keys)
+              (copy-recursively
+               (search-input-directory inputs "lib/locale")
+               "/tmp/locale")
+              (for-each make-file-writable (find-files "/tmp"))
+              (substitute* "tests/make-test-runtime.sh"
+                (("cp `which.*") "echo guix\n")
+                (("cp -r /usr/lib/locale/C\\.\\*")
+                 (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \
 cp -r /tmp/locale/*/en_US.*")))
-            (substitute* "tests/libtest.sh"
-              (("/bin/kill") (which "kill"))
-              (("/usr/bin/python3") (which "python3")))
-            #t))
-        (add-after 'unpack 'p11-kit-fix
-          (lambda* (#:key inputs #:allow-other-keys)
-            (let ((p11-path (search-input-file inputs "/bin/p11-kit")))
-              (substitute* "session-helper/flatpak-session-helper.c"
-                (("\"p11-kit\",")
-                 (string-append "\"" p11-path "\","))
-                (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)")
-                 (string-append "if (g_find_program_in_path (\""
-                                p11-path "\"))"))))))
-        ;; Many tests fail for unknown reasons, so we just run a few basic
-        ;; tests.
-        (replace 'check
-          (lambda _
-            (setenv "HOME" "/tmp")
-            (invoke "make" "check"
-                    "TESTS=tests/test-basic.sh tests/test-config.sh 
testcommon"))))))
-   (native-inputs
-    (list bison
-          dbus ; for dbus-daemon
-          gettext-minimal
-          `(,glib "bin") ; for glib-mkenums + gdbus-codegen
-          glibc-utf8-locales
-          gobject-introspection
-          libcap
-          pkg-config
-          python
-          python-pyparsing
-          socat
-          which))
-   (inputs
-    (list appstream-glib
-          bubblewrap
-          dconf
-          fuse
-          gdk-pixbuf
-          gpgme
-          json-glib
-          libarchive
-          libostree
-          libseccomp
-          libsoup-minimal-2
-          libxau
-          libxml2
-          p11-kit-next
-          util-linux
-          xdg-dbus-proxy))
-   (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas))
-   (home-page "https://flatpak.org";)
-   (synopsis "System for building, distributing, and running sandboxed desktop
+              (substitute* "tests/libtest.sh"
+                (("/bin/kill") (which "kill"))
+                (("/usr/bin/python3") (which "python3")))
+              #t))
+          (add-after 'unpack 'p11-kit-fix
+            (lambda* (#:key inputs #:allow-other-keys)
+              (let ((p11-path (search-input-file inputs "/bin/p11-kit")))
+                (substitute* "session-helper/flatpak-session-helper.c"
+                  (("\"p11-kit\",")
+                   (string-append "\"" p11-path "\","))
+                  (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)")
+                   (string-append "if (g_find_program_in_path (\""
+                                  p11-path "\"))"))))))
+          ;; Many tests fail for unknown reasons, so we just run a few basic
+          ;; tests.
+          (replace 'check
+            (lambda _
+              (setenv "HOME" "/tmp")
+              (invoke "make" "check"
+                      "TESTS=tests/test-basic.sh tests/test-config.sh 
testcommon"))))))
+    (native-inputs
+     (list bison
+           dbus ; for dbus-daemon
+           gettext-minimal
+           `(,glib "bin") ; for glib-mkenums + gdbus-codegen
+           glibc-utf8-locales
+           gobject-introspection
+           libcap
+           pkg-config
+           python
+           python-pyparsing
+           socat
+           which))
+    (inputs
+     (list appstream-glib
+           bubblewrap
+           dconf
+           fuse
+           gdk-pixbuf
+           gpgme
+           json-glib
+           libarchive
+           libostree
+           libseccomp
+           libsoup-minimal-2
+           libxau
+           libxml2
+           p11-kit-next
+           util-linux
+           xdg-dbus-proxy))
+    (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas))
+    (home-page "https://flatpak.org";)
+    (synopsis "System for building, distributing, and running sandboxed desktop
 applications")
-   (description "Flatpak is a system for building, distributing, and running
+    (description "Flatpak is a system for building, distributing, and running
 sandboxed desktop applications on GNU/Linux.")
-   (license license:lgpl2.1+)))
+    (license license:lgpl2.1+)))
 
 (define-public akku
   (package
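Review bot: The configure flags in the new `#~(list …)` near the top of the hunk still locate bubblewrap and xdg-dbus-proxy with `(assoc-ref %build-inputs "bubblewrap")`, the pre-gexp lookup that yields `#f` (and an opaque `string-append` error) when the input label is missing; with G-expressions the idiomatic form resolves the input on the host side, e.g. `(string-append "--with-system-bubblewrap=" #$(this-package-input "bubblewrap") "/bin/bwrap")` and the same for `--with-system-dbus-proxy`. The trailing `#t` kept at the end of the `fix-tests` phase is likewise a leftover of the old phase protocol and can be dropped, matching the `p11-kit-fix` phase that already returns no value. I cannot tell from this hunk alone whether the build system still binds `%build-inputs` for gexp arguments, so treat the first point as a consistency suggestion rather than a build break; the `akku` definition at the bottom of the hunk continues outside it.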
-- 
2.35.1

>From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
 sandbox.

Fixes https://issues.guix.gnu.org/54784.

* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/package-management.scm           |  4 +++-
 ...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 
gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9bad87710c..ce25b0f21e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1070,6 +1070,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/findutils-localstatedir.patch           \
   %D%/packages/patches/flann-cmake-3.11.patch                  \
   %D%/packages/patches/flatpak-fix-path.patch                  \
+  %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch      \
   %D%/packages/patches/fontconfig-cache-ignore-mtime.patch     \
   %D%/packages/patches/foobillard++-pkg-config.patch           \
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch    \
diff --git a/gnu/packages/package-management.scm 
b/gnu/packages/package-management.scm
index 2ea639d376..1ab293e2dd 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1804,7 +1804,9 @@ (define-public flatpak
                            version "/flatpak-" version ".tar.xz"))
        (sha256
         (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-       (patches (search-patches "flatpak-fix-path.patch"))))
+       (patches
+        (search-patches "flatpak-fix-path.patch"
+                        "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))
 
     ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
     ;; find the TLS backend in glib-networking.
diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch 
b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
new file mode 100644
index 0000000000..79fec8e526
--- /dev/null
+++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@@ -0,0 +1,19 @@
+Most Guix system setup with desktop evironment will install 
GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the 
sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+   {"GST_PTP_HELPER", NULL},
+   {"GST_PTP_HELPER_1_0", NULL},
+   {"GST_INSTALL_PLUGINS_HELPER", NULL},
++  {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+ 
+ static const ExportData no_ld_so_cache_exports[] = {
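Review bot: The new patch file has no upstream-status line, although the problem it fixes (a host-profile GDK_PIXBUF_MODULE_FILE leaking into the sandbox, tracked in the bug the commit message cites) is not Guix-specific and would be worth carrying upstream; a first line such as `Upstream status: <PLACEHOLDER: link to the flatpak issue/PR, or "not submitted">` lets the next maintainer decide whether to keep or drop the patch on the next flatpak update. The description's wording could also be tightened, e.g. `This patch unsets the GDK_PIXBUF_MODULE_FILE environment variable before running the sandboxed application, preventing it from loading GdkPixbuf loaders from the host system.` and `environment` for `evironment`. The C change itself follows the existing `{NAME, NULL}` entries of `default_exports[]`, where the NULL value appears to mean the variable is cleared for the sandbox rather than forwarded; that array begins before the quoted lines, so I cannot confirm from the hunk whether a neighbouring table (such as `no_ld_so_cache_exports[]`) also needs the entry.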
-- 
2.35.1

-- 
Retrieve my PGP public key:

  gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F

Zihao
