nixpkgs/pkgs/development/libraries/flatpak/fix-icon-validation.patch
Jan Tojnar a69e7fd7f4 flatpak: clean up icon validation
Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.

When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.

Also introduce a test for the icon validator to prevent future breakage.

Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
2022-10-11 18:52:32 +02:00

31 lines
1.4 KiB
Diff

--- a/icon-validator/validate-icon.c
+++ b/icon-validator/validate-icon.c
@@ -163,7 +163,7 @@ rerun_in_sandbox (const char *arg_width,
const char *arg_height,
const char *filename)
{
- const char * const usrmerged_dirs[] = { "bin", "lib32", "lib64", "lib", "sbin" };
+ const char * const usrmerged_dirs[] = { };
int i;
g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free);
char validate_icon[PATH_MAX + 1];
@@ -183,8 +183,7 @@ rerun_in_sandbox (const char *arg_width,
"--unshare-ipc",
"--unshare-net",
"--unshare-pid",
- "--ro-bind", "/usr", "/usr",
- "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
+ "--ro-bind", "@storeDir@", "@storeDir@",
"--ro-bind", validate_icon, validate_icon,
NULL);
@@ -227,6 +226,9 @@ rerun_in_sandbox (const char *arg_width,
add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
if (g_getenv ("G_MESSAGES_PREFIXED"))
add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
+ if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
+ add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
+
add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
g_ptr_array_add (args, NULL);