[PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

2 participants
  • Zhu Zihao
  • Ludovic Courtès
Owner
unassigned
Submitted by
Zhu Zihao
Severity
normal
Zhu Zihao wrote on 23 Apr 2022 04:45
(address . guix-patches@gnu.org)
86ilr0o6t4.fsf@163.com


From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Thu, 21 Apr 2022 18:48:51 +0800
Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.

* gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.
---
gnu/packages/virtualization.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index f3396e7c94..3f7c6312f2 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -27,6 +27,7 @@
;;; Copyright © 2022 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2022 Ekaitz Zarraga <ekaitz@elenq.tech>
;;; Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2022 Zhu Zihao <all_but_last@163.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1950,7 +1951,7 @@ (define-public python-vagrant
(define-public bubblewrap
(package
(name "bubblewrap")
- (version "0.5.0")
+ (version "0.6.1")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/containers/bubblewrap/"
@@ -1958,7 +1959,7 @@ (define-public bubblewrap
version ".tar.xz"))
(sha256
(base32
- "0608l2sjwhnb1c0mslah1h6yjvqr17wk60by6i710qwxg4rszz8n"))
+ "10ij62jg7p2scwdx0pm141ss7p2gjdkbbymb56y8miib2vfcf2cn"))
(patches (search-patches "bubblewrap-fix-locale-in-tests.patch"))))
(build-system gnu-build-system)
(arguments
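Review bot: the context lines of this hunk still carry `(patches (search-patches "bubblewrap-fix-locale-in-tests.patch"))` while the version moves from 0.5.0 to 0.6.1; please confirm that this patch still applies to the 0.6.1 tarball and is still needed, and drop it in the same commit if upstream has fixed the locale handling in its test suite. Since bubblewrap is the sandbox helper flatpak runs, the bump also rebuilds everything depending on it, which is worth a line in the commit message.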
--
2.35.1

From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last@163.com>
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
gnu/local.mk | 1 +
gnu/packages/package-management.scm | 4 +++-
...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
3 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9bad87710c..ce25b0f21e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1070,6 +1070,7 @@ dist_patch_DATA = \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/flann-cmake-3.11.patch \
%D%/packages/patches/flatpak-fix-path.patch \
+ %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch \
%D%/packages/patches/fontconfig-cache-ignore-mtime.patch \
%D%/packages/patches/foobillard++-pkg-config.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 2ea639d376..1ab293e2dd 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1804,7 +1804,9 @@ (define-public flatpak
version "/flatpak-" version ".tar.xz"))
(sha256
(base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
- (patches (search-patches "flatpak-fix-path.patch"))))
+ (patches
+ (search-patches "flatpak-fix-path.patch"
+ "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))
;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
;; find the TLS backend in glib-networking.
diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
new file mode 100644
index 0000000000..79fec8e526
--- /dev/null
+++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@@ -0,0 +1,19 @@
+Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+ {"GST_PTP_HELPER", NULL},
+ {"GST_PTP_HELPER_1_0", NULL},
+ {"GST_INSTALL_PLUGINS_HELPER", NULL},
++ {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+
+ static const ExportData no_ld_so_cache_exports[] = {
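Review bot: adding `{"GDK_PIXBUF_MODULE_FILE", NULL}` to `default_exports[]` unsets the variable for every sandboxed application, not only when it points into a Guix system profile; that is the safer choice, since a host-side loader cache path has no meaning inside the sandbox and, as the header says, would make GdkPixbuf look for loaders on the host, but the patch header should state this explicitly and say whether the change has been proposed upstream to flatpak so the Guix-local patch can be dropped later. The header also needs proofreading before it lands: "evironment" should be "environment", and "This patch unset ... prevents it to load" should read "This patch unsets ... preventing it from loading".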
--
2.35.1
--
Retrieve my PGP public key:

gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F

Zihao
Ludovic Courtès wrote on 28 Apr 2022 16:55
(name . Zhu Zihao)(address . all_but_last@163.com)
87a6c5cl60.fsf@gnu.org
Hi,

Zhu Zihao <all_but_last@163.com> wrote:

> From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Thu, 21 Apr 2022 18:48:51 +0800
> Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.
>
> * gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.

Applied to the ‘staging’ branch, due to the high number of rebuilds.

> From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Thu, 21 Apr 2022 18:52:21 +0800
> Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions.
>
> * gnu/packages/package-management.scm (flatpak): Fix indentation.
> [arguments]: Use G-expressions.

[...]

> From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last@163.com>
> Date: Sat, 23 Apr 2022 10:39:32 +0800
> Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
> sandbox.
>
> Fixes https://issues.guix.gnu.org/54784.
>
> * gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add corresponding entry.
> * gnu/packages/package-management.scm (flatpak)[source]: Use patch.

Applied to ‘master’.

Thanks!

Ludo’.
Closed