GNU bug report logs - #55072
[PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.


Package: guix-patches;

Reported by: Zhu Zihao <all_but_last <at> 163.com>

Date: Sat, 23 Apr 2022 02:48:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#55072; Package guix-patches. (Sat, 23 Apr 2022 02:48:01 GMT)

Acknowledgement sent to Zhu Zihao <all_but_last <at> 163.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 23 Apr 2022 02:48:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Zhu Zihao <all_but_last <at> 163.com>
To: guix-patches <at> gnu.org
Subject: [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.
Date: Sat, 23 Apr 2022 10:45:47 +0800
[0001-gnu-bubblewrap-Update-to-0.6.1.patch (text/x-patch, inline)]
From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Thu, 21 Apr 2022 18:48:51 +0800
Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.

* gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.
---
 gnu/packages/virtualization.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index f3396e7c94..3f7c6312f2 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -27,6 +27,7 @@
 ;;; Copyright © 2022 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;; Copyright © 2022 Ekaitz Zarraga <ekaitz <at> elenq.tech>
 ;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
+;;; Copyright © 2022 Zhu Zihao <all_but_last <at> 163.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1950,7 +1951,7 @@ (define-public python-vagrant
 (define-public bubblewrap
   (package
     (name "bubblewrap")
-    (version "0.5.0")
+    (version "0.6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/containers/bubblewrap/"
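Review bot: the commit message records only the version bump; since bwrap is the binary that actually assembles flatpak's sandbox (flatpak is configured with --with-system-bubblewrap pointing at this package), a sentence pointing reviewers at the upstream changes between 0.5.0 and 0.6.1, or stating that none touch the sandbox setup, would make this easier to audit than a bare "Update to 0.6.1".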
@@ -1958,7 +1959,7 @@ (define-public bubblewrap
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0608l2sjwhnb1c0mslah1h6yjvqr17wk60by6i710qwxg4rszz8n"))
+                "10ij62jg7p2scwdx0pm141ss7p2gjdkbbymb56y8miib2vfcf2cn"))
                (patches (search-patches "bubblewrap-fix-locale-in-tests.patch"))))
     (build-system gnu-build-system)
     (arguments
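Review bot: the replaced base32 hash is the only thing binding this build to the upstream release, so it should be reproduced independently with `guix download` on the URI assembled in the `uri` field and checked against whatever signature upstream publishes for the 0.6.1 tarball, rather than trusted from the patch. The unchanged `(patches (search-patches "bubblewrap-fix-locale-in-tests.patch"))` context line also deserves a note in the commit message confirming that the patch still applies cleanly to 0.6.1.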
-- 
2.35.1

[0002-gnu-flatpak-Use-G-expressions.patch (text/x-patch, inline)]
From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Thu, 21 Apr 2022 18:52:21 +0800
Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions.

* gnu/packages/package-management.scm (flatpak): Fix indentation.
[arguments]: Use G-expressions.
---
 gnu/packages/package-management.scm | 183 ++++++++++++++--------------
 1 file changed, 92 insertions(+), 91 deletions(-)

diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 9c5db0d608..2ea639d376 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1795,103 +1795,104 @@ (define-public libostree
 
 (define-public flatpak
   (package
-   (name "flatpak")
-   (version "1.12.7")
-   (source
-    (origin
-     (method url-fetch)
-     (uri (string-append "https://github.com/flatpak/flatpak/releases/download/"
-                         version "/flatpak-" version ".tar.xz"))
-     (sha256
-      (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-     (patches (search-patches "flatpak-fix-path.patch"))))
+    (name "flatpak")
+    (version "1.12.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/flatpak/flatpak/releases/download/"
+                           version "/flatpak-" version ".tar.xz"))
+       (sha256
+        (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
+       (patches (search-patches "flatpak-fix-path.patch"))))
 
-   ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
-   ;; find the TLS backend in glib-networking.
-   (build-system glib-or-gtk-build-system)
+    ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
+    ;; find the TLS backend in glib-networking.
+    (build-system glib-or-gtk-build-system)
 
-   (arguments
-    '(#:configure-flags
-      (list
-       "--enable-documentation=no" ;; FIXME
-       "--enable-system-helper=no"
-       "--localstatedir=/var"
-       (string-append "--with-system-bubblewrap="
-                      (assoc-ref %build-inputs "bubblewrap")
-                      "/bin/bwrap")
-       (string-append "--with-system-dbus-proxy="
-                      (assoc-ref %build-inputs "xdg-dbus-proxy")
-                      "/bin/xdg-dbus-proxy"))
+    (arguments
+     (list
+      #:configure-flags
+      #~(list
+         "--enable-documentation=no" ;; FIXME
+         "--enable-system-helper=no"
+         "--localstatedir=/var"
+         (string-append "--with-system-bubblewrap="
+                        (assoc-ref %build-inputs "bubblewrap")
+                        "/bin/bwrap")
+         (string-append "--with-system-dbus-proxy="
+                        (assoc-ref %build-inputs "xdg-dbus-proxy")
+                        "/bin/xdg-dbus-proxy"))
       #:phases
-      (modify-phases %standard-phases
-        (add-after 'unpack 'fix-tests
-          (lambda* (#:key inputs #:allow-other-keys)
-            (copy-recursively
-             (search-input-directory inputs "lib/locale")
-             "/tmp/locale")
-            (for-each make-file-writable (find-files "/tmp"))
-            (substitute* "tests/make-test-runtime.sh"
-              (("cp `which.*") "echo guix\n")
-              (("cp -r /usr/lib/locale/C\\.\\*")
-               (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'fix-tests
+            (lambda* (#:key inputs #:allow-other-keys)
+              (copy-recursively
+               (search-input-directory inputs "lib/locale")
+               "/tmp/locale")
+              (for-each make-file-writable (find-files "/tmp"))
+              (substitute* "tests/make-test-runtime.sh"
+                (("cp `which.*") "echo guix\n")
+                (("cp -r /usr/lib/locale/C\\.\\*")
+                 (string-append "mkdir ${DIR}/usr/lib/locale/en_US; \
 cp -r /tmp/locale/*/en_US.*")))
-            (substitute* "tests/libtest.sh"
-              (("/bin/kill") (which "kill"))
-              (("/usr/bin/python3") (which "python3")))
-            #t))
-        (add-after 'unpack 'p11-kit-fix
-          (lambda* (#:key inputs #:allow-other-keys)
-            (let ((p11-path (search-input-file inputs "/bin/p11-kit")))
-              (substitute* "session-helper/flatpak-session-helper.c"
-                (("\"p11-kit\",")
-                 (string-append "\"" p11-path "\","))
-                (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)")
-                 (string-append "if (g_find_program_in_path (\""
-                                p11-path "\"))"))))))
-        ;; Many tests fail for unknown reasons, so we just run a few basic
-        ;; tests.
-        (replace 'check
-          (lambda _
-            (setenv "HOME" "/tmp")
-            (invoke "make" "check"
-                    "TESTS=tests/test-basic.sh tests/test-config.sh testcommon"))))))
-   (native-inputs
-    (list bison
-          dbus ; for dbus-daemon
-          gettext-minimal
-          `(,glib "bin") ; for glib-mkenums + gdbus-codegen
-          glibc-utf8-locales
-          gobject-introspection
-          libcap
-          pkg-config
-          python
-          python-pyparsing
-          socat
-          which))
-   (inputs
-    (list appstream-glib
-          bubblewrap
-          dconf
-          fuse
-          gdk-pixbuf
-          gpgme
-          json-glib
-          libarchive
-          libostree
-          libseccomp
-          libsoup-minimal-2
-          libxau
-          libxml2
-          p11-kit-next
-          util-linux
-          xdg-dbus-proxy))
-   (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas))
-   (home-page "https://flatpak.org")
-   (synopsis "System for building, distributing, and running sandboxed desktop
+              (substitute* "tests/libtest.sh"
+                (("/bin/kill") (which "kill"))
+                (("/usr/bin/python3") (which "python3")))
+              #t))
+          (add-after 'unpack 'p11-kit-fix
+            (lambda* (#:key inputs #:allow-other-keys)
+              (let ((p11-path (search-input-file inputs "/bin/p11-kit")))
+                (substitute* "session-helper/flatpak-session-helper.c"
+                  (("\"p11-kit\",")
+                   (string-append "\"" p11-path "\","))
+                  (("if \\(g_find_program_in_path \\(\"p11-kit\"\\)\\)")
+                   (string-append "if (g_find_program_in_path (\""
+                                  p11-path "\"))"))))))
+          ;; Many tests fail for unknown reasons, so we just run a few basic
+          ;; tests.
+          (replace 'check
+            (lambda _
+              (setenv "HOME" "/tmp")
+              (invoke "make" "check"
+                      "TESTS=tests/test-basic.sh tests/test-config.sh testcommon"))))))
+    (native-inputs
+     (list bison
+           dbus ; for dbus-daemon
+           gettext-minimal
+           `(,glib "bin") ; for glib-mkenums + gdbus-codegen
+           glibc-utf8-locales
+           gobject-introspection
+           libcap
+           pkg-config
+           python
+           python-pyparsing
+           socat
+           which))
+    (inputs
+     (list appstream-glib
+           bubblewrap
+           dconf
+           fuse
+           gdk-pixbuf
+           gpgme
+           json-glib
+           libarchive
+           libostree
+           libseccomp
+           libsoup-minimal-2
+           libxau
+           libxml2
+           p11-kit-next
+           util-linux
+           xdg-dbus-proxy))
+    (propagated-inputs (list glib-networking gnupg gsettings-desktop-schemas))
+    (home-page "https://flatpak.org")
+    (synopsis "System for building, distributing, and running sandboxed desktop
 applications")
-   (description "Flatpak is a system for building, distributing, and running
+    (description "Flatpak is a system for building, distributing, and running
 sandboxed desktop applications on GNU/Linux.")
-   (license license:lgpl2.1+)))
+    (license license:lgpl2.1+)))
 
 (define-public akku
   (package
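Review bot: the configure flags are moved into `#~(list ...)` but still compute the helper paths with `(assoc-ref %build-inputs "bubblewrap")` and `(assoc-ref %build-inputs "xdg-dbus-proxy")`; with G-expressions the idiomatic form is `#$(this-package-input "bubblewrap")` (and likewise for xdg-dbus-proxy), which records the dependency in the gexp itself instead of a build-time lookup by input label, and is worth doing while the arguments are being converted anyway. Minor: the trailing `#t` at the end of the `fix-tests` phase is carried over but no longer needed, since build phases are not required to return a boolean.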
-- 
2.35.1

[0003-gnu-flatpak-Do-not-leak-GDK_PIXBUF_MODULE_FILE-into-.patch (text/x-patch, inline)]
From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
From: Zhu Zihao <all_but_last <at> 163.com>
Date: Sat, 23 Apr 2022 10:39:32 +0800
Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
 sandbox.

Fixes https://issues.guix.gnu.org/54784.

* gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add corresponding entry.
* gnu/packages/package-management.scm (flatpak)[source]: Use patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/package-management.scm           |  4 +++-
 ...flatpak-unset-gdk-pixbuf-for-sandbox.patch | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9bad87710c..ce25b0f21e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1070,6 +1070,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/flann-cmake-3.11.patch			\
   %D%/packages/patches/flatpak-fix-path.patch			\
+  %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch	\
   %D%/packages/patches/fontconfig-cache-ignore-mtime.patch	\
   %D%/packages/patches/foobillard++-pkg-config.patch		\
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 2ea639d376..1ab293e2dd 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -1804,7 +1804,9 @@ (define-public flatpak
                            version "/flatpak-" version ".tar.xz"))
        (sha256
         (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-       (patches (search-patches "flatpak-fix-path.patch"))))
+       (patches
+        (search-patches "flatpak-fix-path.patch"
+                        "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))
 
     ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
     ;; find the TLS backend in glib-networking.
diff --git a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
new file mode 100644
index 0000000000..79fec8e526
--- /dev/null
+++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@@ -0,0 +1,19 @@
+Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+   {"GST_PTP_HELPER", NULL},
+   {"GST_PTP_HELPER_1_0", NULL},
+   {"GST_INSTALL_PLUGINS_HELPER", NULL},
++  {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+ 
+ static const ExportData no_ld_so_cache_exports[] = {
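Review bot: the patch file carries no upstream-status line; `default_exports[]` is flatpak's own table, so this one-row change is a natural candidate to send upstream, and Guix patch files conventionally record whether that was done so the patch can be dropped at the next flatpak update. The mechanism is the right one: a NULL value is exactly how the neighbouring GST_* rows are dropped from the sandbox environment, so GDK_PIXBUF_MODULE_FILE gets the same treatment as those, which also means a host /gnu/store loaders.cache path is no longer handed to a sandbox that cannot see it. The header text has a few typos ("setup" for "setups", "evironment", "This patch unset ... prevents it to load"), and it would be worth checking whether the same desktop profiles export other loader-path variables that leak the same way, since this fix covers only the one named in the bug.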
-- 
2.35.1

-- 
Retrieve my PGP public key:

  gpg --recv-keys D47A9C8B2AE3905B563D9135BE42B352A9F6821F

Zihao
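As an added illustration of what the new `default_exports` row does, and of the check a reviewer can run on a launcher's environment: this is example code, not flatpak's or Guix's. The `ExportData` shape and the three GST_* rows are taken from the hunk in the third patch; the fourth row is the one the patch adds. Everything else is constructed for the example: the table is only an excerpt, the /gnu/store item and loaders.cache path are made up, and `apply_exports` / `count_host_path_leaks` are stand-ins for how a sandbox launcher would apply such a table and audit the result.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Same row shape as flatpak's ExportData in the hunk: a NULL value means
   "make sure this variable is absent from the sandbox environment". */
typedef struct {
    const char *env;
    const char *val;
} ExportData;

/* Constructed excerpt, not flatpak's real default_exports[]: the GST_* rows
   are the context lines of the hunk, the last row is the one the patch adds. */
static const ExportData default_exports[] = {
    {"GST_PTP_HELPER", NULL},
    {"GST_PTP_HELPER_1_0", NULL},
    {"GST_INSTALL_PLUGINS_HELPER", NULL},
    {"GDK_PIXBUF_MODULE_FILE", NULL},
};
#define N_DEFAULT_EXPORTS (sizeof default_exports / sizeof default_exports[0])

/* Hypothetical host store item.  A real Guix desktop profile points the
   variable at its own gdk-pixbuf output, which the sandbox never sees. */
#define HOST_STORE_ITEM "/gnu/store/exampleonly00000000000000000000-gdk-pixbuf-example"
#define HOST_LOADERS_CACHE HOST_STORE_ITEM "/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache"

/* Apply an export table to the process environment the way a launcher would
   just before exec'ing the sandboxed program: rows with a value override the
   host value, rows without are removed.  Returns how many host variables
   were actually removed. */
static int apply_exports(const ExportData *table, size_t n)
{
    int removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i].val == NULL) {
            if (getenv(table[i].env) != NULL)
                removed++;
            unsetenv(table[i].env);
        } else {
            setenv(table[i].env, table[i].val, 1);
        }
    }
    return removed;
}

/* Count variables whose value still mentions a host-only path prefix.  Run
   this on the environment about to be handed to the sandbox: a /gnu/store
   path that is not bind-mounted inside is at best useless (loaders not found,
   as in the bug) and at worst a host file the program will try to dlopen. */
static int count_host_path_leaks(const char *host_prefix)
{
    int leaks = 0;
    for (char **e = environ; e != NULL && *e != NULL; e++) {
        const char *eq = strchr(*e, '=');
        if (eq != NULL && strstr(eq + 1, host_prefix) != NULL)
            leaks++;
    }
    return leaks;
}

/* Scenario from the bug: the Guix desktop profile has exported
   GDK_PIXBUF_MODULE_FILE; count leaks before the export table is applied. */
static int leaks_before_scrub(void)
{
    setenv("GDK_PIXBUF_MODULE_FILE", HOST_LOADERS_CACHE, 1);
    return count_host_path_leaks(HOST_STORE_ITEM);
}

/* The same environment after the launcher applies default_exports[]. */
static int leaks_after_scrub(void)
{
    apply_exports(default_exports, N_DEFAULT_EXPORTS);
    return count_host_path_leaks(HOST_STORE_ITEM);
}

int main(void)
{
    printf("host store paths in environment before scrub: %d\n", leaks_before_scrub());
    printf("host store paths in environment after scrub:  %d\n", leaks_after_scrub());
    return 0;
}
```

Build with `cc -o scrub scrub.c && ./scrub`; the first line reports 1, the second 0. The point of separating the leak check from the export table is that the table is a denylist maintained by hand, so the check is what tells you when the host has started exporting a new loader-path variable the table does not yet cover.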

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 28 Apr 2022 14:56:02 GMT)

Notification sent to Zhu Zihao <all_but_last <at> 163.com>:
bug acknowledged by developer. (Thu, 28 Apr 2022 14:56:02 GMT)

Message #10 received at 55072-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Zhu Zihao <all_but_last <at> 163.com>
Cc: 55072-done <at> debbugs.gnu.org, 54784-done <at> debbugs.gnu.org
Subject: Re: bug#55072: [PATCH]: Do not leak GDK_PIXBUF_MODULE_FILE into the
 sandbox.
Date: Thu, 28 Apr 2022 16:55:19 +0200
Hi,

Zhu Zihao <all_but_last <at> 163.com> wrote:

> From affd34d0f0bf6bf04110b595ce77ed8e9448b2c7 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last <at> 163.com>
> Date: Thu, 21 Apr 2022 18:48:51 +0800
> Subject: [PATCH 1/3] gnu: bubblewrap: Update to 0.6.1.
>
> * gnu/packages/virtualization.scm (bubblewrap): Update to 0.6.1.

Applied to the ‘staging’ branch, due to the high number of rebuilds.

> From 3432b64e34d5df329c31b1a09f476ff01a743245 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last <at> 163.com>
> Date: Thu, 21 Apr 2022 18:52:21 +0800
> Subject: [PATCH 2/3] gnu: flatpak: Use G-expressions.
>
> * gnu/packages/package-management.scm (flatpak): Fix indentation.
> [arguments]: Use G-expressions.

[...]

> From 5f1369f8731cc1b35c3c80aac6ad7ebd89d3cb10 Mon Sep 17 00:00:00 2001
> From: Zhu Zihao <all_but_last <at> 163.com>
> Date: Sat, 23 Apr 2022 10:39:32 +0800
> Subject: [PATCH 3/3] gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the
>  sandbox.
>
> Fixes https://issues.guix.gnu.org/54784.
>
> * gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add corresponding entry.
> * gnu/packages/package-management.scm (flatpak)[source]: Use patch.

Applied to ‘master’.

Thanks!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 27 May 2022 11:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.