author | Vincent Batts <vbatts@hashbangbash.com> | 2017-01-23 18:33:31 +0000 |
---|---|---|
committer | David Spencer <idlemoor@slackbuilds.org> | 2017-01-24 00:21:55 +0000 |
commit | f27ee67502e103c979c779a327e6b34b5bff4164 (patch) | |
tree | 514b687c2a68f7c39c9c159af0b0c9c833fd4463 /desktop | |
parent | f42700b6d61be01b02e54bc348e639ec946e68c4 (diff) |
desktop/flatpak: Added (sandboxing desktop applications).
Signed-off-by: David Spencer <idlemoor@slackbuilds.org>
Diffstat (limited to 'desktop')
-rw-r--r-- | desktop/flatpak/0bea92b.diff | 67 | ||||
-rw-r--r-- | desktop/flatpak/260f3df.diff | 17 | ||||
-rw-r--r-- | desktop/flatpak/README | 31 | ||||
-rw-r--r-- | desktop/flatpak/doinst.sh | 1 | ||||
-rw-r--r-- | desktop/flatpak/flatpak.SlackBuild | 110 | ||||
-rw-r--r-- | desktop/flatpak/flatpak.info | 10 | ||||
-rw-r--r-- | desktop/flatpak/slack-desc | 19 |
7 files changed, 255 insertions, 0 deletions
diff --git a/desktop/flatpak/0bea92b.diff b/desktop/flatpak/0bea92b.diff
new file mode 100644
index 0000000000000..05fd011cb2c3b
--- /dev/null
+++ b/desktop/flatpak/0bea92b.diff
@@ -0,0 +1,67 @@
+commit 0bea92bd73c680b47482218c09f7987069d23ad8
+Author: Alexander Larsson <alexl@redhat.com>
+Date: Mon Jan 23 18:24:21 2017 +0100
+
+ dbus-proxy: Make it work if XDG_RUNTIME_DIR not set
+
+ The socket directory then ended up in $HOME which was read-only, so
+ we couldn't create the socket. We solve this by putting the sockets
+ in a subdirectory and always making this directory writable in the
+ proxy.
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 4fbb033..1774b0c 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2021,9 +2021,13 @@ flatpak_run_add_journal_args (GPtrArray *argv_array)
+ static char *
+ create_proxy_socket (char *template)
+ {
+- g_autofree char *proxy_socket = g_build_filename (g_get_user_runtime_dir (), template, NULL);
++ g_autofree char *proxy_socket_dir = g_build_filename (g_get_user_runtime_dir (), ".dbus-proxy", NULL);
++ g_autofree char *proxy_socket = g_build_filename (proxy_socket_dir, template, NULL);
+ int fd;
+
++ if (!glnx_shutil_mkdir_p_at (AT_FDCWD, proxy_socket_dir, 0755, NULL, NULL))
++ return NULL;
++
+ fd = g_mkstemp (proxy_socket);
+ if (fd == -1)
+ return NULL;
+@@ -2061,7 +2065,7 @@ flatpak_run_add_system_dbus_args (FlatpakContext *context,
+ else if (dbus_proxy_argv &&
+ g_hash_table_size (context->system_bus_policy) > 0)
+ {
+- g_autofree char *proxy_socket = create_proxy_socket (".system-bus-proxy-XXXXXX");
++ g_autofree char *proxy_socket = create_proxy_socket ("system-bus-proxy-XXXXXX");
+
+ if (proxy_socket == NULL)
+ return FALSE;
+@@ -2112,7 +2116,7 @@ flatpak_run_add_session_dbus_args (GPtrArray *argv_array,
+ }
+ else if (dbus_proxy_argv && dbus_address != NULL)
+ {
+- g_autofree char *proxy_socket = create_proxy_socket (".session-bus-proxy-XXXXXX");
++ g_autofree char *proxy_socket = create_proxy_socket ("session-bus-proxy-XXXXXX");
+
+ if (proxy_socket == NULL)
+ return FALSE;
+@@ -3393,6 +3397,7 @@ prepend_bwrap_argv_wrapper (GPtrArray *argv,
+ gsize bwrap_args_len;
+ glnx_fd_close int bwrap_args_fd = -1;
+ g_autofree char *bwrap_args_data = NULL;
++ g_autofree char *proxy_socket_dir = g_build_filename (g_get_user_runtime_dir (), ".dbus-proxy/", NULL);
+
+ if (!glnx_dirfd_iterator_init_at (AT_FDCWD, "/", FALSE, &dir_iter, error))
+ return FALSE;
+@@ -3438,6 +3443,10 @@ prepend_bwrap_argv_wrapper (GPtrArray *argv,
+ }
+ }
+
++ g_ptr_array_add (bwrap_args, g_strdup ("--bind"));
++ g_ptr_array_add (bwrap_args, g_strdup (proxy_socket_dir));
++ g_ptr_array_add (bwrap_args, g_strdup (proxy_socket_dir));
++
+ g_ptr_array_add (bwrap_args, g_strdup ("--ro-bind-data"));
+ g_ptr_array_add (bwrap_args, g_strdup_printf ("%d", app_info_fd));
+ g_ptr_array_add (bwrap_args, g_strdup ("/.flatpak-info"));
diff --git a/desktop/flatpak/260f3df.diff b/desktop/flatpak/260f3df.diff
new file mode 100644
index 0000000000000..d0231eda679a8
--- /dev/null
+++ b/desktop/flatpak/260f3df.diff
@@ -0,0 +1,17 @@
+commit 260f3df91cf3f4c271d3a66f0a3c8db1086e63c2
+Author: Alexander Larsson <alexl@redhat.com>
+Date: Mon Jan 23 16:28:48 2017 +0100
+
+ system-helper: Add User=root to service file
+
+ This is needed for systemd-less activation on the system bus.
+
+diff --git a/system-helper/org.freedesktop.Flatpak.SystemHelper.service.in b/system-helper/org.freedesktop.Flatpak.SystemHelper.service.in
+index ed166ee..a6c7715 100644
+--- a/system-helper/org.freedesktop.Flatpak.SystemHelper.service.in
++++ b/system-helper/org.freedesktop.Flatpak.SystemHelper.service.in
+@@ -2,3 +2,4 @@
+ Name=org.freedesktop.Flatpak.SystemHelper
+ Exec=@libexecdir@/flatpak-system-helper@extraargs@
+ SystemdService=flatpak-system-helper.service
++User=root
diff --git a/desktop/flatpak/README b/desktop/flatpak/README
new file mode 100644
index 0000000000000..38ed8cb413df6
--- /dev/null
+++ b/desktop/flatpak/README
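Review bot: In desktop/flatpak/0bea92b.diff, `create_proxy_socket` creates the new `.dbus-proxy` directory with mode 0755, and the patch's own description says this path can end up under $HOME when XDG_RUNTIME_DIR is unset, where the parent directory is not guaranteed to be private to the user. The D-Bus proxy sockets are part of the sandbox boundary, so a private mode is the safer default: `if (!glnx_shutil_mkdir_p_at (AT_FDCWD, proxy_socket_dir, 0700, NULL, NULL))`. The call also passes NULL for its last two arguments (presumably the cancellable and the error out-parameter), so the reason for a failure is discarded before `return NULL`. This is an upstream patch carried verbatim, so the change would belong upstream; the body of `create_proxy_socket` continues outside the inner hunk.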
@@ -0,0 +1,31 @@
+Flatpak
+
+Flatpak is the new framework for desktop applications on Linux
+
+Distributing applications on Linux is a pain: different distributions in
+multiple versions, each with their own versions of libraries and packaging
+formats. Flatpak is here to change all that. It allows the same app to be
+installed on different Linux distributions, including different versions. And
+it has been designed from the ground up with security in mind, so that apps
+are isolated from each other and from the host system.
+
+Some of the examples from http://flatpak.org/#users are relying on polkit
+helpers, that expect a user in the 'wheel' group to have privileges for, but
+default polkit admin rule for slackware is just the root user.
+So, if you run a command like:
+```
+flatpak remote-add --from gnome https://sdk.gnome.org/gnome.flatpakrepo
+flatpak remote-add --from gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo
+```
+as a limited user, you will get a polkit prompt for root's password. This is
+because the default location for establishing these repos is in
+`/var/lib/flatpak` and requires admin privileges.
+
+You can optionally add the flag `--user` to flatpak commands, and it will
+instead manage the repos in `~/.local/share/flatpak`.
+
+There are examples of flatpak runtimes and applications on their wiki:
+https://github.com/flatpak/flatpak/wiki/Examples
+
+The to have desktop launchers search by desktops like KDE and XFCE, it will
+require a logout, as /etc/profile.d/flatpak.sh will need to be sourced.
diff --git a/desktop/flatpak/doinst.sh b/desktop/flatpak/doinst.sh
new file mode 100644
index 0000000000000..58b1450fef75f
--- /dev/null
+++ b/desktop/flatpak/doinst.sh
@@ -0,0 +1 @@
+flatpak remote-list --system &> /dev/null || :
diff --git a/desktop/flatpak/flatpak.SlackBuild b/desktop/flatpak/flatpak.SlackBuild
new file mode 100644
index 0000000000000..05d0f7749e5a4
--- /dev/null
+++ b/desktop/flatpak/flatpak.SlackBuild
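Review bot: In desktop/flatpak/doinst.sh, the `&>` redirection is a bash extension; a strictly POSIX `sh` parses `cmd &> /dev/null` as a background job followed by a separate redirection, so the command would run detached and `|| :` would no longer apply to it. The portable form is `flatpak remote-list --system > /dev/null 2>&1 || :`. The line also runs the newly installed binary at package-install time with no explanation; a comment such as `# run once so the system installation under /var/lib/flatpak is initialised` (if that is the intent) would tell an administrator why a post-install script invokes flatpak.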
@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# Slackware build script for flatpak
+
+# Copyright 2017 Vincent Batts <vbatts@hashbangbash.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=flatpak
+VERSION=${VERSION:-0.8.1}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i586 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.xz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+patch -p1 -b < $CWD/260f3df.diff # fixes the polkit hand-off (will be included in 0.8.2 or 0.9.x)
+patch -p1 -b < $CWD/0bea92b.diff # fixes permissions in ~/.cache sandbox (will be included in 0.8.2 or 0.9.x)
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/$PRGNAM-$VERSION \
+ --build=$ARCH-slackware-linux \
+ --with-system-bubblewrap
+
+make
+make install DESTDIR=$PKG
+
+chmod +x $PKG/etc/profile.d/flatpak.sh
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+find $PKG/usr/man -type f -exec gzip -9 {} \;
+for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+ README.md COPYING INSTALL NEWS ABOUT-NLS \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/desktop/flatpak/flatpak.info b/desktop/flatpak/flatpak.info
new file mode 100644
index 0000000000000..62568c174e4ad
--- /dev/null
+++ b/desktop/flatpak/flatpak.info
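Review bot: In desktop/flatpak/flatpak.SlackBuild, the build tree defaults to `TMP=${TMP:-/tmp/SBo}`, a fixed path inside a world-writable directory, and the script then unpacks, patches, configures and compiles there, presumably as root given `chown -R root:root .` and the `/sbin/makepkg` call. `mkdir -p $TMP` succeeds silently when the directory already exists, so nothing establishes that it is root-owned before it is used. A header comment advising builders on shared machines to export `TMP` (and `OUTPUT`) to a root-only directory would document this. The expansions of `$CWD`, `$TMP` and `$PKG` are also unquoted, so a working directory containing whitespace breaks the `tar xvf $CWD/...` and `patch ... < $CWD/...` lines.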
@@ -0,0 +1,10 @@
+PRGNAM="flatpak"
+VERSION="0.8.1"
+HOMEPAGE="http://flatpak.org/"
+DOWNLOAD="https://github.com/flatpak/flatpak/releases/download/0.8.1/flatpak-0.8.1.tar.xz"
+MD5SUM="36d756a3cfc0d93fe5804d3cea5eab3b"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES="bubblewrap ostree json-glib libseccomp"
+MAINTAINER="Vincent Batts"
+EMAIL="vbatts@hashbangbash.com"
diff --git a/desktop/flatpak/slack-desc b/desktop/flatpak/slack-desc
new file mode 100644
index 0000000000000..f247a3b33d870
--- /dev/null
+++ b/desktop/flatpak/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+flatpak: flatpak (sandboxing desktop applications)
+flatpak:
+flatpak: flatpak is tools and an API for building, distributing and running
+flatpak: desktop applications in unprivileged sandboxes.
+flatpak:
+flatpak:
+flatpak:
+flatpak:
+flatpak:
+flatpak:
+flatpak: |
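Review bot: In desktop/flatpak/flatpak.info, the only integrity check recorded for the source tarball is `MD5SUM="36d756a3cfc0d93fe5804d3cea5eab3b"`, and MD5 is not collision-resistant, so it catches a corrupted download but is weak evidence against a substituted one. The fields shown here have no slot for a stronger digest, which leaves the HTTPS `DOWNLOAD` URL as the effective trust anchor for a sandboxing tool that installs a root-run system helper. If upstream publishes a SHA-256 or a signature for this release, a line in the README saying how to verify it would close that gap. `HOMEPAGE` is also plain `http://`.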