From 55c332d22a555a7678ce3dfd2e3b7d538a171db4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 29 2019 16:25:54 +0000
Subject: import flatpak-1.0.2-7.el7
---
diff --git a/.flatpak.metadata b/.flatpak.metadata
new file mode 100644
index 0000000..1450248
--- /dev/null
+++ b/.flatpak.metadata
@@ -0,0 +1,3 @@
+2dc9cc0f1d80421ea800be3c005d9b5dd94c8156 SOURCES/flatpak-1.0.2.tar.xz
+5cab51142ec15ee113b4c87a2645b4e1c7179fa7 SOURCES/flatpak-builder-1.0.0.tar.xz
+c8dabfe09e987a15d99e4723be23f23da9f7bbb3 SOURCES/libostree-2018.8.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..48b75c2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+SOURCES/flatpak-1.0.2.tar.xz
+SOURCES/flatpak-builder-1.0.0.tar.xz
+SOURCES/libostree-2018.8.tar.xz
diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
new file mode 100644
index 0000000..6a9d751
--- /dev/null
+++ b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
@@ -0,0 +1,29 @@
+From 9686b3007afb15162cb2b5ca3219d906cc849a60 Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index b4f2c475..0e6b3141 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2122,7 +2122,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+
+ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ };
+
+ struct
+--
+2.21.0
+
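Review bot: The replacement seccomp rule `++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},` fixes the comparison, but the comment above it still only cites CVE-2017-5226, so nothing in the source says why the request argument is now masked to its low 32 bits. Suggest extending that comment to `/* Don't allow faking input to the controlling tty (CVE-2017-5226). Compare only the low 32 bits of the request, which is all the kernel looks at, so a value with high bits set cannot slip past the filter (CVE-2019-10063) */`. The `(int) TIOCSTI` datum happens to be a small positive constant here, so it matches the unsigned mask; a reader maintaining this table should know that a request number with bit 31 set would need a `(guint32)`-style cast instead. setup_seccomp begins and ends outside the hunk.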
diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
new file mode 100644
index 0000000..2fa3347
--- /dev/null
+++ b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
@@ -0,0 +1,66 @@
+From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Sun, 10 Feb 2019 18:23:44 +0100
+Subject: [PATCH] Don't expose /proc when running apply_extra
+
+As shown by CVE-2019-5736, it is sometimes possible for the sandbox
+app to access outside files using /proc/self/exe. This is not
+typically an issue for flatpak as the sandbox runs as the user which
+has no permissions to e.g. modify the host files.
+
+However, when installing apps using extra-data into the system repo
+we *do* actually run a sandbox as root. So, in this case we disable mounting
+/proc in the sandbox, which will neuter attacks like this.
+---
+ common/flatpak-common-types-private.h | 1 +
+ common/flatpak-dir.c | 2 +-
+ common/flatpak-run.c | 6 +++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
+index 8c40d2e8..1e94bd1c 100644
+--- a/common/flatpak-common-types-private.h
++++ b/common/flatpak-common-types-private.h
+@@ -44,6 +44,7 @@ typedef enum {
+ FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
+ FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
+ FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
++ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
+ } FlatpakRunFlags;
+
+ typedef struct FlatpakDir FlatpakDir;
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index eb69225d..be370d49 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self,
+ NULL);
+
+ if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
+- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
++ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
+ error))
+ return FALSE;
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 6ab466af..b4f2c475 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
+ "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
+ "user-config: none\n";
+
++ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
++ flatpak_bwrap_add_args (bwrap,
++ "--proc", "/proc",
++ NULL);
++
+ flatpak_bwrap_add_args (bwrap,
+ "--unshare-pid",
+- "--proc", "/proc",
+ "--dir", "/tmp",
+ "--dir", "/var/tmp",
+ "--dir", "/run/host",
+--
+2.20.1
+
diff --git a/SOURCES/flatpak-1.0.4-oci-fixes.patch b/SOURCES/flatpak-1.0.4-oci-fixes.patch
new file mode 100644
index 0000000..663d389
--- /dev/null
+++ b/SOURCES/flatpak-1.0.4-oci-fixes.patch
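Review bot: The new enum member `++ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),` jumps from bit 16 to bit 19 with no comment, so a later backport into this 1.0.2 tree could reuse 17 or 18 and collide with whatever the gap is reserving; presumably the value was kept to match upstream's numbering, and that should be stated on the line, e.g. `/* Bits 17-18 are left free to match upstream's flag values */`. The guard `++ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` in flatpak_run_setup_base_argv also deserves a one-line why-comment, since the only record of the reasoning is this commit message: `/* The apply_extra sandbox may run as root (system installs), so it gets no /proc mount: CVE-2019-5736 */`. Note that `--unshare-pid` is still passed unconditionally, which is what makes omitting `--proc` sufficient rather than leaving a host /proc visible. Both flatpak_run_setup_base_argv and apply_extra_data start and end outside their hunks.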
@@ -0,0 +1,346 @@
+From 3f5235e925ba6555cd9c639684660356867c952f Mon Sep 17 00:00:00 2001
+From: "Owen W. Taylor"
+Date: Fri, 30 Nov 2018 16:11:06 -0500
+Subject: [PATCH 1/3] flatpak_cache_http_uri: save downloaded files with
+ permission 0644
+
+Previously, downloaded files were being saved with 0600 permissions,
+which prevented OCI icons downloaded by the system helper at appstream
+creation time from being read by users.
+
+Closes: #2362
+Approved by: matthiasclasen
+---
+ common/flatpak-utils-http.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c
+index 53074162..997c9db8 100644
+--- a/common/flatpak-utils-http.c
++++ b/common/flatpak-utils-http.c
+@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile,
+ if (fdatasync (tmpfile->fd) != 0)
+ return glnx_throw_errno_prefix (error, "fdatasync");
+
++ if (fchmod (tmpfile->fd, 0644) != 0)
++ return glnx_throw_errno_prefix (error, "fchmod");
++
+ if (!glnx_link_tmpfile_at (tmpfile,
+ GLNX_LINK_TMPFILE_REPLACE,
+ tmpfile->src_dfd, dest_name, error))
+--
+2.19.2
+
+
+From 3263827dbbd4d84919899e91ca066d2d3cf338bc Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Fri, 30 Nov 2018 10:30:20 +0100
+Subject: [PATCH 2/3] OCI: Use system helper to generate summary for OCI
+ remotes
+
+The OCI support relies on downloading a json index and converting it
+to a ostree-style summary, which we the use in all sorts of operations
+in the client code. Currently this happens in the user code, which means
+that it will fail (due to permissions) in the system installation case.
+
+We could do the conversion as the user, but when eventually installing
+something the system-helper will anyway do this download and
+conversion, so that would only double the work and risk things going out
+of sync. Also, the OCI index is not gpg signed, so we can't realy on
+downloads done as the user.
+
+So, the solution done here is to add a GenerateOciSummary
+system-helper call which we use instead of directly generating the
+oci summary.
+
+This fixes https://github.com/flatpak/flatpak/issues/2350
+
+Closes: #2363
+Approved by: matthiasclasen
+---
+ common/flatpak-dir-private.h | 5 ++
+ common/flatpak-dir.c | 94 +++++++++++++++++++--------
+ data/org.freedesktop.Flatpak.xml | 5 ++
+ system-helper/flatpak-system-helper.c | 52 ++++++++++++++-
+ 4 files changed, 129 insertions(+), 27 deletions(-)
+
+diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h
+index 64a72758..f6126056 100644
+--- a/common/flatpak-dir-private.h
++++ b/common/flatpak-dir-private.h
+@@ -718,6 +718,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel
+ GBytes *opt_summary_sig,
+ GCancellable *cancellable,
+ GError **error);
++gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self,
++ const char *remote,
++ GBytes **out_summary,
++ GCancellable *cancellable,
++ GError **error);
+ FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self,
+ const char *remote,
+ GCancellable *cancellable,
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 828945ca..7853b74a 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self,
+ return ret != NULL;
+ }
+
++static gboolean
++flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self,
++ const gchar *arg_origin,
++ const gchar *arg_installation,
++ GCancellable *cancellable,
++ GError **error)
++{
++ g_autoptr(GVariant) ret =
++ flatpak_dir_system_helper_call (self, "GenerateOciSummary",
++ g_variant_new ("(ss)",
++ arg_origin,
++ arg_installation),
++ cancellable, error);
++ return ret != NULL;
++}
++
+ static OstreeRepo *
+ system_ostree_repo_new (GFile *repodir)
+ {
+@@ -9088,7 +9104,7 @@ flatpak_dir_cache_summary (FlatpakDir *self,
+ G_UNLOCK (cache);
+ }
+
+-static gboolean
++gboolean
+ flatpak_dir_remote_make_oci_summary (FlatpakDir *self,
+ const char *remote,
+ GBytes **out_summary,
+@@ -9103,42 +9119,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self,
+ g_autoptr(GError) local_error = NULL;
+ g_autoptr(GMappedFile) mfile = NULL;
+ g_autoptr(GBytes) cache_bytes = NULL;
++ g_autoptr(GBytes) summary_bytes = NULL;
+
+- self_name = flatpak_dir_get_name (self);
+-
+- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error);
+- if (index_cache == NULL)
+- return FALSE;
++ if (flatpak_dir_use_system_helper (self, NULL))
++ {
++ const char *installation = flatpak_dir_get_id (self);
+
+- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error);
+- if (summary_cache == NULL)
+- return FALSE;
++ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote,
++ installation ? installation : "",
++ cancellable, error))
++ return FALSE;
+
+- if (check_destination_mtime (index_cache, summary_cache, cancellable))
++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error);
++ if (summary_cache == NULL)
++ return FALSE;
++ }
++ else
+ {
+- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL);
+- if (mfile)
++ self_name = flatpak_dir_get_name (self);
++
++ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error);
++ if (index_cache == NULL)
++ return FALSE;
++
++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error);
++ if (summary_cache == NULL)
++ return FALSE;
++
++ if (!check_destination_mtime (index_cache, summary_cache, cancellable))
+ {
+- cache_bytes = g_mapped_file_get_bytes (mfile);
+- *out_summary = g_steal_pointer (&cache_bytes);
++ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error);
++ if (summary == NULL)
++ {
++ g_propagate_error (error, g_steal_pointer (&local_error));
++ return FALSE;
++ }
++
++ summary_bytes = g_variant_get_data_as_bytes (summary);
++
++ if (!g_file_replace_contents (summary_cache,
++ g_bytes_get_data (summary_bytes, NULL),
++ g_bytes_get_size (summary_bytes),
++ NULL, FALSE, 0, NULL, cancellable, error))
++ {
++ g_prefix_error (error, _("Failed to write summary cache: "));
++ return FALSE;
++ }
++
++ if (out_summary)
++ *out_summary = g_steal_pointer (&summary_bytes);
+ return TRUE;
+ }
+ }
+
+- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error);
+- if (summary == NULL)
++ if (out_summary)
+ {
+- g_propagate_error (error, g_steal_pointer (&local_error));
+- return FALSE;
+- }
+-
+- *out_summary = g_variant_get_data_as_bytes (summary);
++ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error);
++ if (mfile == NULL)
++ return FALSE;
+
+- if (!g_file_replace_contents (summary_cache,
+- g_bytes_get_data (*out_summary, NULL),
+- g_bytes_get_size (*out_summary),
+- NULL, FALSE, 0, NULL, cancellable, NULL))
+- g_warning ("Failed to write summary cache");
++ cache_bytes = g_mapped_file_get_bytes (mfile);
++ *out_summary = g_steal_pointer (&cache_bytes);
++ }
+
+ return TRUE;
+ }
+diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml
+index 25dc8a02..8b1606c6 100644
+--- a/data/org.freedesktop.Flatpak.xml
++++ b/data/org.freedesktop.Flatpak.xml
+@@ -144,6 +144,11 @@
+
+
+
++
++
++
++
++
+
+
+
+diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c
+index ce647b6e..29a2d3e1 100644
+--- a/system-helper/flatpak-system-helper.c
++++ b/system-helper/flatpak-system-helper.c
+@@ -1122,6 +1122,54 @@ handle_update_summary (FlatpakSystemHelper *object,
+ return TRUE;
+ }
+
++static gboolean
++handle_generate_oci_summary (FlatpakSystemHelper *object,
++ GDBusMethodInvocation *invocation,
++ const gchar *arg_origin,
++ const gchar *arg_installation)
++{
++ g_autoptr(FlatpakDir) system = NULL;
++ g_autoptr(GError) error = NULL;
++ gboolean is_oci;
++
++ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation);
++
++ system = dir_get_system (arg_installation, &error);
++ if (system == NULL)
++ {
++ g_dbus_method_invocation_return_gerror (invocation, error);
++ return TRUE;
++ }
++
++ if (!flatpak_dir_ensure_repo (system, NULL, &error))
++ {
++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
++ "Can't open system repo %s", error->message);
++ return TRUE;
++ }
++
++ is_oci = flatpak_dir_get_remote_oci (system, arg_origin);
++ if (!is_oci)
++ {
++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
++ "%s is not a OCI remote", arg_origin);
++ return TRUE;
++ }
++
++ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error))
++ {
++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
++ "Failed to update OCI summary: %s", error->message);
++ return TRUE;
++ }
++
++
++ flatpak_system_helper_complete_generate_oci_summary (object, invocation);
++
++ return TRUE;
++}
++
++
+ static gboolean
+ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
+ GDBusMethodInvocation *invocation,
+@@ -1250,7 +1298,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface,
+ g_strcmp0 (method_name, "PruneLocalRepo") == 0 ||
+ g_strcmp0 (method_name, "EnsureRepo") == 0 ||
+ g_strcmp0 (method_name, "RunTriggers") == 0 ||
+- g_strcmp0 (method_name, "UpdateSummary") == 0)
++ g_strcmp0 (method_name, "UpdateSummary") == 0 ||
++ g_strcmp0 (method_name, "GenerateOciSummary") == 0)
+ {
+ const char *remote;
+
+@@ -1321,6 +1370,7 @@ on_bus_acquired (GDBusConnection *connection,
+ g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL);
+ g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL);
+ g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), NULL);
++ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL);
+
+ g_signal_connect (helper, "g-authorize-method",
+ G_CALLBACK (flatpak_authorize_method_handler),
+--
+2.19.2
+
+
+From b7f1d5118fc4e1df472f7108472f122e279fe2b9 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen
+Date: Fri, 7 Dec 2018 14:39:06 -0500
+Subject: [PATCH 3/3] Fix oci pull progress reporting
+
+Comparing the code in flatpak-utils.c:progress_cb,
+we need to set bytes-transferred for the total amount
+of data that has been transferred so far. The value
+we were setting so far, fetched-delta-part-size, refers
+to the size of the objects we already have locally, and
+is subtracted from the total, which explains oci progress
+running backwards.
+
+Closes: #2392
+
+Closes: #2400
+Approved by: matthiasclasen
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 7853b74a..51cd1e66 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -4154,7 +4154,7 @@ oci_pull_progress_cb (guint64 total_size, guint64 pulled_size,
+ "total-delta-parts", "u", n_layers,
+ "fetched-delta-fallbacks", "u", 0,
+ "total-delta-fallbacks", "u", 0,
+- "fetched-delta-part-size", "t", pulled_size,
++ "bytes-transferred", "t", pulled_size,
+ "total-delta-part-size", "t", total_size,
+ "total-delta-part-usize", "t", total_size,
+ "total-delta-superblocks", "u", 0,
+--
+2.19.2
+
diff --git a/SOURCES/flatpak-ostree-bundle.patch b/SOURCES/flatpak-ostree-bundle.patch
new file mode 100644
index 0000000..96102ff
--- /dev/null
+++ b/SOURCES/flatpak-ostree-bundle.patch
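Review bot: In the rewritten else-branch of flatpak_dir_remote_make_oci_summary (patch 2/3, common/flatpak-dir.c) a failed cache write now aborts the call, `++ g_prefix_error (error, _("Failed to write summary cache: ")); ++ return FALSE;`, even though the freshly built summary is already held in `summary_bytes`, whereas the removed code only emitted `g_warning ("Failed to write summary cache")` and returned it; a user installation whose cache directory is unwritable therefore fails outright where it used to work, and nothing in the hunk says that is intended. Making the write fatal is justified for the helper path, where handle_generate_oci_summary passes `NULL` for out_summary and the client then maps the file from disk, so either keep the best-effort warning when `out_summary` is non-NULL or add a comment at the new return such as `/* The on-disk cache is the only channel to the client when called from the system helper, so a write failure is an error */`. The `++ if (fchmod (tmpfile->fd, 0644) != 0)` in sync_and_rename_tmpfile (patch 1/3) applies to every file saved through that helper, not only OCI icons, and deserves a one-line comment stating that downloads are meant to be world-readable. Adding `"GenerateOciSummary"` to the authorisation list that goes on to read `const char *remote;` from the call parameters presumably relies on its `(ss)` layout matching UpdateSummary's; a comment at that list entry would make the dependency explicit. All of the enclosing functions named here start or end outside their hunks.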
@@ -0,0 +1,26 @@
+Make sure rpath gets added for ostree libs
+
+We bundle ostree in the package, so we need to make sure an rpath
+gets set pointing to our bundled library.
+
+The Makefiles are missing the OSTREE_LIBS (and so the -Wl,-rpath),
+so add them in.
+--- flatpak-1.0.1/session-helper/Makefile.am.inc.old 2018-08-08 16:56:20.000000000 +0200
++++ flatpak-1.0.1/session-helper/Makefile.am.inc 2018-09-12 13:23:08.304959872 +0200
+@@ -12,5 +12,5 @@
+ session-helper/flatpak-session-helper.c \
+ $(NULL)
+
+-flatpak_session_helper_LDADD = $(AM_LDADD) $(BASE_LIBS) libflatpak-common.la
++flatpak_session_helper_LDADD = $(AM_LDADD) $(BASE_LIBS) $(OSTREE_LIBS) libflatpak-common.la
+ flatpak_session_helper_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) $(SOUP_CFLAGS) $(OSTREE_CFLAGS) $(GSYSTEM_CFLAGS) $(JSON_CFLAGS) -DFLATPAK_COMPILATION
+--- flatpak-1.0.1/portal/Makefile.am.inc.old 2018-08-08 16:56:20.000000000 +0200
++++ flatpak-1.0.1/portal/Makefile.am.inc 2018-09-12 13:23:54.795014399 +0200
+@@ -34,6 +34,6 @@
+ BUILT_SOURCES += $(nodist_flatpak_portal_SOURCES)
+ CLEANFILES += $(nodist_flatpak_portal_SOURCES)
+
+-flatpak_portal_LDADD = $(AM_LDADD) $(BASE_LIBS)
++flatpak_portal_LDADD = $(AM_LDADD) $(BASE_LIBS) $(OSTREE_LIBS)
+ flatpak_portal_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) -DFLATPAK_COMPILATION
+ flatpak_portal_CPPFLAGS = $(AM_CPPFLAGS) -I$(builddir)/portal
diff --git a/SOURCES/no-user-systemd.patch b/SOURCES/no-user-systemd.patch
new file mode 100644
index 0000000..add73d3
--- /dev/null
+++ b/SOURCES/no-user-systemd.patch
@@ -0,0 +1,23 @@
+Drop the SystemdService line in dbus service files
+
+I don't think we can dbus activate systemd services on
+the session bus (we don't have a user bus, and I'm
+pretty sure we don't have systemd --user)
+
+This commit just drops the lines, so dbus can activate on
+its own.
+diff -up flatpak-0.8.8/session-helper/org.freedesktop.Flatpak.service.in.no-user-systemd flatpak-0.8.8/session-helper/org.freedesktop.Flatpak.service.in
+--- flatpak-0.8.8/session-helper/org.freedesktop.Flatpak.service.in.no-user-systemd 2017-11-08 16:33:21.045226761 -0500
++++ flatpak-0.8.8/session-helper/org.freedesktop.Flatpak.service.in 2017-11-08 16:33:38.361037649 -0500
+@@ -1,4 +1,3 @@
+ [D-BUS Service]
+ Name=org.freedesktop.Flatpak
+ Exec=@libexecdir@/flatpak-session-helper
+-SystemdService=flatpak-session-helper.service
+--- flatpak-1.0.1/portal/org.freedesktop.portal.Flatpak.service.in.no-user-systemd 2018-05-30 14:58:57.000000000 +0200
++++ flatpak-1.0.1/portal/org.freedesktop.portal.Flatpak.service.in 2018-09-12 12:11:27.428215430 +0200
+@@ -1,4 +1,3 @@
+ [D-BUS Service]
+ Name=org.freedesktop.portal.Flatpak
+ Exec=@libexecdir@/flatpak-portal
+-SystemdService=flatpak-portal.service
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
new file mode 100644
index 0000000..eeba662
--- /dev/null
+++ b/SPECS/flatpak.spec
@@ -0,0 +1,451 @@
+%global flatpak_version 1.0.2
+%global flatpak_builder_version 1.0.0
+%global ostree_version 2018.8
+
+Name: flatpak
+Version: %{flatpak_version}
+Release: 7%{?dist}
+Summary: Application deployment framework for desktop apps
+
+License: LGPLv2+
+URL: http://flatpak.org/
+Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
+Source1: https://github.com/ostreedev/ostree/releases/download/v%{ostree_version}/libostree-%{ostree_version}.tar.xz
+Source2: https://github.com/flatpak/flatpak-builder/releases/download/%{flatpak_builder_version}/flatpak-builder-%{flatpak_builder_version}.tar.xz
+
+# Avoid dbus activating systemd services on the session bus (we don't have a
+# user bus, and I'm pretty sure we don't have systemd --user)
+Patch0: no-user-systemd.patch
+# Make sure our resulting binaries always have the rpath set to the bundled
+# ostree directory
+Patch1: flatpak-ostree-bundle.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1660137
+Patch2: flatpak-1.0.4-oci-fixes.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1675435
+Patch3: flatpak-1.0.2-CVE-2019-5736.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1700652
+Patch4: flatpak-1.0.2-CVE-2019-10063.patch
+
+BuildRequires: pkgconfig(appstream-glib)
+BuildRequires: pkgconfig(fuse)
+BuildRequires: pkgconfig(gio-unix-2.0)
+BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
+BuildRequires: pkgconfig(json-glib-1.0)
+BuildRequires: pkgconfig(libarchive) >= 2.8.0
+BuildRequires: pkgconfig(libelf) >= 0.8.12
+BuildRequires: pkgconfig(libsoup-2.4)
+BuildRequires: pkgconfig(libxml-2.0) >= 2.4
+BuildRequires: pkgconfig(polkit-gobject-1)
+BuildRequires: pkgconfig(libseccomp)
+BuildRequires: pkgconfig(liblzma)
+BuildRequires: pkgconfig(yaml-0.1)
+BuildRequires: pkgconfig(xau)
+BuildRequires: pkgconfig(e2p)
+BuildRequires: automake, autoconf, libtool, gettext-devel, gtk-doc
+BuildRequires: bison
+BuildRequires: docbook-dtds
+BuildRequires: docbook-style-xsl
+BuildRequires: intltool
+BuildRequires: libattr-devel
+BuildRequires: libcap-devel
+BuildRequires: libdwarf-devel
+BuildRequires: gpgme-devel
+BuildRequires: systemd
+BuildRequires: /usr/bin/eu-strip
+BuildRequires: /usr/bin/xmlto
+BuildRequires: /usr/bin/xsltproc
+# Bundled ostree BRs:
+BuildRequires: pkgconfig(zlib)
+BuildRequires: pkgconfig(libcurl)
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig(mount)
+BuildRequires: pkgconfig(libsystemd)
+
+# libostree bundling
+# https://fedoraproject.org/wiki/EPEL:Packaging_Autoprovides_and_Requires_Filtering
+# We're using RPATH to pick up our bundled version
+%filter_from_requires /libostree-1/d
+
+# And ensure we don't add a Provides
+%{?filter_setup:
+%filter_provides_in %{_libdir}/%{name}/.*
+%filter_setup
+}
+# And for now we manually inject this dep; surprisingly the
+# command line doesn't currently link to the public libflatpak
+# library.
+Requires: %{name}-libs = %{version}-%{release}
+
+# Make sure the document portal is installed
+%if 0%{?fedora} || 0%{?rhel} > 7
+Recommends: xdg-desktop-portal > 0.10
+# Remove in F30.
+Conflicts: xdg-desktop-portal < 0.10
+%else
+Requires: xdg-desktop-portal > 0.10
+%endif
+
+%description
+flatpak is a system for building, distributing and running sandboxed desktop
+applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
+more information.
+
+%package builder
+# Override to the version of the bundled flatpak-builder.
+Version: %{flatpak_builder_version}
+Summary: Build helper for %{name}
+License: LGPLv2+
+# Overridden, as the macro expands to the version of this subpackage.
+Requires: %{name}%{?_isa} = %{flatpak_version}-%{release} +Requires: /usr/bin/bzip2 +Requires: /usr/bin/bzr +Requires: /usr/bin/git +Requires: /usr/bin/patch +Requires: /usr/bin/strip +Requires: /usr/bin/svn +Requires: /usr/bin/tar +Requires: /usr/bin/unzip + +%description builder +flatpak-builder is a tool that makes it easy to build applications and their +dependencies by automating the configure && make && make install steps. + +%package devel +# Overriden, to reset the version macro back to that of the base package. +Version: %{flatpak_version} +Summary: Development files for %{name} +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains the pkg-config file and development headers for %{name}. + +%package libs +Summary: Libraries for %{name} +License: LGPLv2+ +# Drop if using an external ostree-libs. +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description libs +This package contains libflatpak. + + +%prep +%setup -q -a 1 -a 2 +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + + +%build +cd libostree-%{ostree_version} + %configure \ + --disable-silent-rules \ + --disable-gtk-doc \ + --disable-man \ + --disable-rofiles-fuse \ + --without-libmount \ + --disable-introspection \ + --without-selinux \ + --without-dracut \ + LIBS=-lgpg-error \ + CPPFLAGS="$CPPFLAGS -DDISABLE_OTMPFILE" +%make_build V=1 +cd .. + +mkdir -p root/lib/pkgconfig +ROOT=`pwd`/root + +mv libostree-%{ostree_version}/.libs/libostree-1.so* root/lib +ls -al root/lib/libostree* +ln -s `pwd`/libostree-%{ostree_version}/src/libostree root/include + +cat > root/lib/pkgconfig/ostree-1.pc < flatpak < /dev/null || : + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + + +%files -f %{name}.lang +%license COPYING +# Comply with the packaging guidelines about not mixing relative and absolute +# paths in doc. 
+%doc %{_pkgdocdir}
+%{_bindir}/flatpak
+%{_datadir}/bash-completion
+%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml
+%{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml
+%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service
+%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
+%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
+# Co-own directory.
+%{_datadir}/gdm/env.d
+%{_datadir}/%{name}
+%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
+%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
+%{_datadir}/zsh/site-functions
+%{_libexecdir}/flatpak-dbus-proxy
+%{_libexecdir}/flatpak-portal
+%{_libexecdir}/flatpak-session-helper
+%{_libexecdir}/flatpak-system-helper
+%attr(04755,root,root) %{_libexecdir}/flatpak-bwrap
+
+%dir %{_localstatedir}/lib/flatpak
+%{_mandir}/man1/%{name}*.1*
+%{_mandir}/man5/%{name}-metadata.5*
+%{_mandir}/man5/flatpak-flatpakref.5*
+%{_mandir}/man5/flatpak-flatpakrepo.5*
+%{_mandir}/man5/flatpak-installation.5*
+%{_mandir}/man5/flatpak-remote.5*
+%exclude %{_mandir}/man1/flatpak-builder.1*
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
+%{_sysconfdir}/flatpak/remotes.d
+%{_sysconfdir}/profile.d/flatpak.sh
+%{_unitdir}/flatpak-system-helper.service
+%{_userunitdir}/flatpak-portal.service
+%{_userunitdir}/flatpak-session-helper.service
+# Co-own directory.
+%{_userunitdir}/dbus.service.d
+
+%files builder
+%doc %{_docdir}/flatpak-builder
+%{_bindir}/flatpak-builder
+%{_mandir}/man1/flatpak-builder.1*
+%{_mandir}/man5/flatpak-manifest.5*
+
+%files devel
+%{_datadir}/gtk-doc/
+%{_includedir}/%{name}/
+%{_libdir}/libflatpak.so
+%{_libdir}/pkgconfig/%{name}.pc
+
+%files libs
+%license COPYING
+%{_libdir}/flatpak/libostree-1.so*
+%{_libdir}/libflatpak.so.*
+
+
+%changelog
+* Mon Apr 29 2019 David King - 1.0.2-7
+- Fix IOCSTI sandbox bypass (#1700652)
+
+* Fri Feb 15 2019 David King - 1.0.2-6
+- Tweak /proc sandbox patch (#1675435)
+
+* Wed Feb 13 2019 David King - 1.0.2-5
+- Do not mount /proc in root sandbox (#1675435)
+
+* Mon Jan 14 2019 David King - 1.0.2-4
+- Apply the OCI support patch (#1660137)
+
+* Mon Jan 07 2019 David King - 1.0.2-3
+- Backport patches to improve OCI support (#1660137)
+
+* Thu Sep 13 2018 Kalev Lember - 1.0.2-2
+- Update to 1.0.2 (#1570030)
+
+* Wed Sep 12 2018 Kalev Lember - 1.0.1-1
+- Update to 1.0.1 (#1570030)
+
+* Mon Jun 04 2018 David King - 0.10.4-2
+- Fix subpackage versions (#1585604)
+
+* Fri Jun 01 2018 David King - 0.10.4-1
+- Rebase to 0.10.4 (#1570030)
+
+* Mon Dec 11 2017 David King - 0.8.8-3
+- Disable O_TMPFILE in libglnx (#1520311)
+
+* Fri Nov 10 2017 Ray Strode - 0.8.8-2
+- Fix crasher in xdg-desktop-portal
+ Resolves: #1503579
+- Tweak spec file so it still builds even though we need to
+ autoreconf.
+
+* Wed Nov 01 2017 David King - 0.8.8-1
+- Update to 0.8.8 (#1500800)
+
+* Tue Aug 01 2017 Colin Walters - 0.8.7-3
+- Fix libostree bundling:
+ Ensure we do not Provide or Require libostree.
+ Move the shared library into flatpak-libs so flatpak always
+ depends on it.
+ Keep the shared library filename as libostree, but put it
+ under a private directory. Renaming the file on disk did not
+ really do much since the dynamic linker and RPM work from the
+ soname.
+ Resolves: #1476905
+
+* Tue Aug 01 2017 Colin Walters - 0.8.7-2
+- Tweak build to work both with and without BZ#1392354
+
+* Tue Jun 20 2017 Kalev Lember - 0.8.7-1
+- Update to 0.8.7
+- Resolves: #1391018
+
+* Tue Apr 4 2017 Alexander Larsson - 0.8.5-2
+- Add libostree use-after-free patch
+- Resolves: #1391018
+
+* Mon Apr 03 2017 Kalev Lember - 0.8.5-1
+- Update to 0.8.5
+- Resolves: #1391018
+
+* Fri Mar 10 2017 David King - 0.8.4-2
+- Sync bzip2 dependency with Fedora package
+- Make the libs subpackage depend on the base package for libostree
+- Fix multilib issues with XML-based documentation
+
+* Fri Mar 10 2017 Kalev Lember - 0.8.4-1
+- Update to 0.8.4
+- Resolves: #1391018
+
+* Wed Feb 22 2017 Kalev Lember - 0.8.3-4
+- Remove ExcludeArch ppc now that we have libseccomp there
+- Resolves: #1391018
+
+* Fri Feb 17 2017 Alexander Larsson - 0.8.3-3
+- ExcludeArch 32bit ppc which doesn't have libseccomp
+- Resolves: #1391018
+
+* Fri Feb 17 2017 Alexander Larsson - 0.8.3-2
+- Added pkgconfig(e2p) build dependency
+- Resolves: #1391018
+
+* Fri Feb 17 2017 Alexander Larsson - 0.8.3-1
+- Bundle ostree and bubblewrap
+- Resolves: #1391018
+
+* Tue Feb 14 2017 Kalev Lember - 0.8.3-1
+- Update to 0.8.3
+
+* Fri Jan 27 2017 Kalev Lember - 0.8.2-1
+- Update to 0.8.2
+
+* Wed Jan 18 2017 David King - 0.8.1-1
+- Update to 0.8.1
+
+* Tue Dec 20 2016 Kalev Lember - 0.8.0-1
+- Update to 0.8.0
+
+* Tue Nov 29 2016 David King - 0.6.14-2
+- Add a patch to fix a GNOME Software crash
+- Silence repository listing during post
+
+* Tue Nov 29 2016 Kalev Lember - 0.6.14-1
+- Update to 0.6.14
+
+* Wed Oct 26 2016 David King - 0.6.13-2
+- Add empty /etc/flatpak/remotes.d
+
+* Tue Oct 25 2016 David King - 0.6.13-1
+- Update to 0.6.13
+
+* Thu Oct 06 2016 David King - 0.6.12-1
+- Update to 0.6.12
+
+* Tue Sep 20 2016 Kalev Lember - 0.6.11-1
+- Update to 0.6.11
+- Set minimum ostree and bubblewrap versions
+
+* Mon Sep 12 2016 David King - 0.6.10-1
+- Update to 0.6.10
+
+* Tue Sep 06 2016 David King - 0.6.9-2
+- Look for bwrap in PATH
+
+* Thu Aug 25 2016 David King - 0.6.9-1
+- Update to 0.6.9
+
+* Mon Aug 01 2016 David King - 0.6.8-1
+- Update to 0.6.8 (#1361823)
+
+* Thu Jul 21 2016 David King - 0.6.7-2
+- Use system bubblewrap
+
+* Fri Jul 01 2016 David King - 0.6.7-1
+- Update to 0.6.7
+
+* Thu Jun 23 2016 David King - 0.6.6-1
+- Update to 0.6.6
+
+* Fri Jun 10 2016 David King - 0.6.5-1
+- Update to 0.6.5
+
+* Wed Jun 01 2016 David King - 0.6.4-1
+- Update to 0.6.4
+
+* Tue May 31 2016 David King - 0.6.3-1
+- Update to 0.6.3
+- Move bwrap to main package
+
+* Tue May 24 2016 David King - 0.6.2-1
+- Rename from xdg-app to flatpak (#1337434)
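Review bot: `%attr(04755,root,root) %{_libexecdir}/flatpak-bwrap` in the `%files` list installs the sandbox launcher setuid-root without a comment, while every other deliberate packaging choice in the spec (the libostree Requires filter, the portal dependency, the systemd patch) explains itself; presumably the helper must be setuid because this kernel does not offer unprivileged user namespaces, and if so that belongs next to the line, e.g. `# bwrap must be setuid here: unprivileged user namespaces are not available on this kernel`. The `# libostree bundling` block would also benefit from one more line noting that `%{_libdir}/flatpak/libostree-1.so*` ships a private copy of libostree-%{ostree_version}, so security fixes for libostree have to be tracked against this package since the Requires filter hides the dependency from the usual tooling. In the changelog, `- Fix IOCSTI sandbox bypass (#1700652)` misspells the ioctl name; `- Fix TIOCSTI sandbox bypass (#1700652)`. The %build/%install part of this hunk is garbled on the page, so the section between the pkg-config heredoc and `%post libs` could not be reviewed.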