[bug#55072] : Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

Message ID 86ilr0o6t4.fsf@163.com
State Accepted
Series [bug#55072] : Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

Checks

Context                 Check
cbaines/applying patch  fail
cbaines/issue           success

Commit Message

Zhu Zihao April 23, 2022, 2:45 a.m. UTC

Comments

Ludovic Courtès April 28, 2022, 2:55 p.m. UTC | #1
Hi,

Zhu Zihao <all_but_last@163.com> wrote:

> From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Thu, 21 Apr 2022 18:48:51 +0800
> Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.
>
> * gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.

Applied to the ‘staging’ branch, due to the high number of rebuilds.

> From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Thu, 21 Apr 2022 18:52:21 +0800
> Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions.
>
> * gnu/packages/package-management.scm (flatpak): Fix indentation.
> [arguments]: Use G-expressions.

[...]

> From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Sat, 23 Apr 2022 10:39:32 +0800
> Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
>  sandbox.
>
> Fixes https://issues.guix.gnu.org/54784.
>
> * gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add corresponding entry.
> * gnu/packages/package-management.scm (flatpak)[source]: Use patch.

Applied to ‘master’.

Thanks!

Ludo’.

Patch

From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
 sandbox.

Fixes https://issues.guix.gnu.org/54784.

* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/package-management.scm           |  4 +++-
 ...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9bad87710c..ce25b0f21e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1070,6 +1070,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/flann-cmake-3.11.patch			\
   %D%/packages/patches/flatpak-fix-path.patch			\
+  %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch	\
   %D%/packages/patches/fontconfig-cache-ignore-mtime.patch	\
   %D%/packages/patches/foobillard++-pkg-config.patch		\
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 2ea639d376..1ab293e2dd 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1804,7 +1804,9 @@  (define-public flatpak
                            version "/flatpak-" version ".tar.xz"))
        (sha256
         (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-       (patches (search-patches "flatpak-fix-path.patch"))))
+       (patches
+        (search-patches "flatpak-fix-path.patch"
+                        "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))
 
     ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
     ;; find the TLS backend in glib-networking.
diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
new file mode 100644
index 0000000000..79fec8e526
--- /dev/null
+++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@@ -0,0 +1,19 @@ 
+Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+   {"GST_PTP_HELPER", NULL},
+   {"GST_PTP_HELPER_1_0", NULL},
+   {"GST_INSTALL_PLUGINS_HELPER", NULL},
++  {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+ 
+ static const ExportData no_ld_so_cache_exports[] = {
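Review bot: the description text at the top of the new patch file will ship in the Guix tree as written and has several grammar slips worth fixing before it lands: "Most Guix system setup with desktop evironment will install" should read "Most Guix System setups with a desktop environment install", and "This patch unset the GDK_PIXBUF_MODULE_FILE environment variable ... prevents it to load GdkPixbuf loaders from the path of host system" should read "This patch unsets the GDK_PIXBUF_MODULE_FILE environment variable ..., preventing it from loading GdkPixbuf loaders from the host system's path". The header also carries no note on upstream status; since Guix patches to third-party sources conventionally say whether the change was sent to the upstream project, a line stating that (or a link to the upstream submission, if one exists) would help the next person who refreshes this package. The code change itself looks right: placing `{"GDK_PIXBUF_MODULE_FILE", NULL}` in `default_exports` next to the `GST_PTP_HELPER` and `GST_INSTALL_PLUGINS_HELPER` entries follows the existing convention for host-specific helper variables, so the variable is dropped from the sandbox environment unconditionally rather than only when some host profile happens to set it, which is exactly the failure mode the description reports (sandboxed applications picking up the host's loader path and failing to find the correct GdkPixbuf loaders).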
-- 
2.35.1