From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
sandbox.
Fixes https://issues.guix.gnu.org/54784.
* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
gnu/local.mk | 1 +
gnu/packages/package-management.scm | 4 +++-
...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
3 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@@ -1070,6 +1070,7 @@ dist_patch_DATA = \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/flann-cmake-3.11.patch \
%D%/packages/patches/flatpak-fix-path.patch \
+ %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch \
%D%/packages/patches/fontconfig-cache-ignore-mtime.patch \
%D%/packages/patches/foobillard++-pkg-config.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
@@ -1804,7 +1804,9 @@ (define-public flatpak
version "/flatpak-" version ".tar.xz"))
(sha256
(base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
- (patches (search-patches "flatpak-fix-path.patch"))))
+ (patches
+ (search-patches "flatpak-fix-path.patch"
+ "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))
;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
;; find the TLS backend in glib-networking.
new file mode 100644
@@ -0,0 +1,19 @@
+Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+ {"GST_PTP_HELPER", NULL},
+ {"GST_PTP_HELPER_1_0", NULL},
+ {"GST_INSTALL_PLUGINS_HELPER", NULL},
++ {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+
+ static const ExportData no_ld_so_cache_exports[] = {
--
2.35.1