From patchwork Sat Apr 23 02:45:47 2022
X-Patchwork-Submitter: Zhu Zihao
X-Patchwork-Id: 38763
Subject: [bug#55072] [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.
Resent-From: Zhu Zihao
Resent-Date: Sat, 23 Apr 2022 02:48:01 +0000
To: 55072@debbugs.gnu.org
From: Zhu Zihao
Date: Sat, 23 Apr 2022 10:45:47 +0800
Message-ID: <86ilr0o6t4.fsf@163.com>

From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

Fixes https://issues.guix.gnu.org/54784.

* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/package-management.scm           |  4 +++-
 ...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9bad87710c..ce25b0f21e 100644
--- a/gnu/local.mk +++ b/gnu/local.mk @@ -1070,6 +1070,7 @@ dist_patch_DATA = \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/flann-cmake-3.11.patch \ %D%/packages/patches/flatpak-fix-path.patch \ + %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch \ %D%/packages/patches/fontconfig-cache-ignore-mtime.patch \ %D%/packages/patches/foobillard++-pkg-config.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 2ea639d376..1ab293e2dd 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -1804,7 +1804,9 @@ (define-public flatpak version "/flatpak-" version ".tar.xz")) (sha256 (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd")) - (patches (search-patches "flatpak-fix-path.patch")))) + (patches + (search-patches "flatpak-fix-path.patch" + "flatpak-unset-gdk-pixbuf-for-sandbox.patch")))) ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to ;; find the TLS backend in glib-networking. diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch new file mode 100644 index 0000000000..79fec8e526 --- /dev/null +++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch 
@@ -0,0 +1,19 @@ +Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE +environment variable in the system profile, and it'll be leaked into the sandbox +environment of flatpak, so the applications in sandbox may fail to find correct +GdkPixbuf loaders. + +This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running +the sandboxed applications, prevents it to load GdkPixbuf loaders from the path +of host system. + +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = { + {"GST_PTP_HELPER", NULL}, + {"GST_PTP_HELPER_1_0", NULL}, + {"GST_INSTALL_PLUGINS_HELPER", NULL}, ++ {"GDK_PIXBUF_MODULE_FILE", NULL}, + }; + + static const ExportData no_ld_so_cache_exports[] = { -- 2.35.1
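Review bot: the header text of the new flatpak-unset-gdk-pixbuf-for-sandbox.patch has several grammar slips and says nothing about whether the change has been sent to flatpak upstream, which a reader of this patch file will want to know. Suggested wording for the two paragraphs: "Most Guix systems set up with a desktop environment install the GDK_PIXBUF_MODULE_FILE environment variable in the system profile, and it leaks into Flatpak's sandbox environment, so sandboxed applications may fail to find the correct GdkPixbuf loaders." and "This patch unsets the GDK_PIXBUF_MODULE_FILE environment variable before running the sandboxed application, preventing it from loading GdkPixbuf loaders from the host system's path." Please also add an upstream-status line. The C change itself is consistent with the surrounding entries: `{"GDK_PIXBUF_MODULE_FILE", NULL}` follows the same NULL-means-unset pattern as the adjacent `GST_PTP_HELPER` and `GST_INSTALL_PLUGINS_HELPER` rows in `default_exports`, so the host profile's loader-cache path is no longer carried across the sandbox boundary. Note that the inner hunk is anchored at `@@ -1853,6 +1853,7 @@` of common/flatpak-run.c for the specific flatpak tarball whose hash appears in package-management.scm; the patch will need refreshing when that package is next updated.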