Commit a69e7fd7 authored by Jan Tojnar

flatpak: clean up icon validation

Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.

When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.

Also introduce a test for the icon validator to prevent future breakage.

Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
parent 641f005b
+0 −15
diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
index 9e885070..d02eeb8c 100644
--- a/icon-validator/validate-icon.c
+++ b/icon-validator/validate-icon.c
@@ -156,8 +156,8 @@ rerun_in_sandbox (const char *arg_width,
             "--unshare-ipc",
             "--unshare-net",
             "--unshare-pid",
-            "--ro-bind", "/usr", "/usr",
-            "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
+            "--ro-bind", "@storeDir@", "@storeDir@",
+            "--ro-bind", "/run/current-system", "/run/current-system",
             "--ro-bind", validate_icon, validate_icon,
             NULL);
 
+17 −11
@@ -13,6 +13,7 @@
, xmlto
, appstream-glib
, substituteAll
, runCommand
, bison
, xdg-dbus-proxy
, p11-kit
@@ -51,7 +52,7 @@
, makeWrapper
}:

stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
  pname = "flatpak";
  version = "1.12.7";

@@ -59,7 +60,7 @@ stdenv.mkDerivation rec {
  outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ];

  src = fetchurl {
    url = "https://github.com/flatpak/flatpak/releases/download/${version}/${pname}-${version}.tar.xz";
    url = "https://github.com/flatpak/flatpak/releases/download/${finalAttrs.version}/flatpak-${finalAttrs.version}.tar.xz";
    sha256 = "sha256-bbUqUxzieCgqx+v7mfZqC7PsyvROhkhEwslcHuW6kxY="; # Taken from https://github.com/flatpak/flatpak/releases/
  };

@@ -80,12 +81,6 @@ stdenv.mkDerivation rec {
      p11kit = "${p11-kit.bin}/bin/p11-kit";
    })

    # Adapt paths exposed to sandbox for NixOS.
    (substituteAll {
      src = ./bubblewrap-paths.patch;
      inherit (builtins) storeDir;
    })

    # Allow gtk-doc to find schemas using XML_CATALOG_FILES environment variable.
    # Patch taken from gtk-doc expression.
    ./respect-xml-catalog-files-var.patch
@@ -94,8 +89,9 @@ stdenv.mkDerivation rec {
    # https://github.com/NixOS/nixpkgs/issues/53441
    ./unset-env-vars.patch

    # But we want the GDK_PIXBUF_MODULE_FILE from the wrapper affect the icon validator.
    ./validate-icon-pixbuf.patch
    # The icon validator needs to access the gdk-pixbuf loaders in the Nix store
    # and cannot bind FHS paths since those are not available on NixOS.
    finalAttrs.passthru.icon-validator-patch
  ];

  nativeBuildInputs = [
@@ -187,8 +183,18 @@ stdenv.mkDerivation rec {
  '';

  passthru = {
    icon-validator-patch = substituteAll {
      src = ./fix-icon-validation.patch;
      inherit (builtins) storeDir;
    };

    tests = {
      installedTests = nixosTests.installed-tests.flatpak;

      validate-icon = runCommand "test-icon-validation" { } ''
        ${finalAttrs.finalPackage}/libexec/flatpak-validate-icon --sandbox 512 512 ${../../../applications/audio/zynaddsubfx/ZynLogo.svg} > "$out"
        grep format=svg "$out"
      '';
    };
  };

@@ -199,4 +205,4 @@ stdenv.mkDerivation rec {
    maintainers = with maintainers; [ jtojnar ];
    platforms = platforms.linux;
  };
}
})
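Review bot: The new `validate-icon` test takes its fixture from another package's source tree via `${../../../applications/audio/zynaddsubfx/ZynLogo.svg}`, so moving or renaming that file breaks evaluation of flatpak's tests for an unrelated reason. A comment above the `runCommand` would make the coupling visible, for example `# Any small SVG works here; ZynLogo.svg is only borrowed as a fixture.` The test also covers only the accept path (`grep format=svg`). Since the validator exists to screen untrusted icons, a second case that expects a malformed file to be rejected under `--sandbox` would pin the behaviour that matters for security. Running with `--sandbox` presumably needs bubblewrap to work inside the build sandbox, which is worth a one-line comment if it constrains which builders can run the test.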
+31 −0
diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
index 9e885070..44fea035 100644
--- a/icon-validator/validate-icon.c
+++ b/icon-validator/validate-icon.c
@@ -200,6 +200,8 @@ rerun_in_sandbox (const char *arg_width,
@@ -163,7 +163,7 @@ rerun_in_sandbox (const char *arg_width,
                   const char *arg_height,
                   const char *filename)
 {
-  const char * const usrmerged_dirs[] = { "bin", "lib32", "lib64", "lib", "sbin" };
+  const char * const usrmerged_dirs[] = { };
   int i;
   g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free);
   char validate_icon[PATH_MAX + 1];
@@ -183,8 +183,7 @@ rerun_in_sandbox (const char *arg_width,
             "--unshare-ipc",
             "--unshare-net",
             "--unshare-pid",
-            "--ro-bind", "/usr", "/usr",
-            "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
+            "--ro-bind", "@storeDir@", "@storeDir@",
             "--ro-bind", validate_icon, validate_icon,
             NULL);
 
@@ -227,6 +226,9 @@ rerun_in_sandbox (const char *arg_width,
     add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
   if (g_getenv ("G_MESSAGES_PREFIXED"))
     add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
+  if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
+    add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
+
 
   add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
   g_ptr_array_add (args, NULL);
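Review bot: The forwarded `GDK_PIXBUF_MODULE_FILE` can only be read inside the sandbox if it points below `@storeDir@`, because that and the validator binary are the only read-only binds visible in these hunks, and nothing in the new `if` checks or documents that. A comment above it would record the assumption, for example `/* Must resolve inside the bound store dir: the cache names the loader modules that get loaded in the sandbox. */`. Fetching the value once into a local would also avoid the double `g_getenv` call. Separately, `const char * const usrmerged_dirs[] = { };` uses an empty initializer, which ISO C before C23 does not allow (GCC and Clang accept it as an extension). It presumably also leaves the loop over that array, outside the hunks, as dead code, so deleting the array and its loop in the patch would be cleaner. rerun_in_sandbox starts and ends outside the hunks shown.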