[gnome-boxes/flatpak-usbredir] WIP: USB redirection (needs suid bit to work)
- From: Felipe Borges <felipeborges src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-boxes/flatpak-usbredir] WIP: USB redirection (needs suid bit to work)
- Date: Tue, 5 Nov 2019 10:48:12 +0000 (UTC)
commit 54c039f106eaef510dc67e3a0c7a74bc1a3e52c9
Author: Felipe Borges <felipeborges gnome org>
Date: Tue Nov 5 11:47:12 2019 +0100
WIP: USB redirection (needs suid bit to work)
Needs to install policykit .policy file (Flatpak)
build-aux/flatpak/org.gnome.Boxes.json | 105 ++++++++++------
build-aux/flatpak/polkit-autogen | 4 +
...build-Add-option-to-build-without-polkitd.patch | 132 +++++++++++++++++++++
build-aux/flatpak/spice-gtk-getpid.patch | 36 ++++++
4 files changed, 244 insertions(+), 33 deletions(-)
---
diff --git a/build-aux/flatpak/org.gnome.Boxes.json b/build-aux/flatpak/org.gnome.Boxes.json
index 68210db9..39ac2410 100644
--- a/build-aux/flatpak/org.gnome.Boxes.json
+++ b/build-aux/flatpak/org.gnome.Boxes.json
@@ -13,6 +13,7 @@
"--socket=pulseaudio",
"--share=network",
"--device=all",
+ "--system-talk-name=org.freedesktop.PolicyKit1",
"--system-talk-name=org.freedesktop.timedate1",
"--system-talk-name=org.freedesktop.Accounts",
"--filesystem=/var/lib/AccountsService/icons:ro",
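Review bot: The added `--system-talk-name=org.freedesktop.PolicyKit1` widens a sandbox that already has `--device=all` and `--share=network`, and nothing in the commit records which polkit action the app needs to query. The commit description should name the action, presumably the one used by spice-gtk's USB ACL helper, so that this permission can be re-evaluated or dropped once the work leaves WIP.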
@@ -228,6 +229,17 @@
}
]
},
+ {
+ "name" : "usbredir",
+ "sources" : [
+ {
+ "type" : "git",
+ "url" : "https://gitlab.freedesktop.org/spice/usbredir.git",
+ "tag" : "usbredir-0.7.1",
+ "commit" : "e1a7e3dbbe091bfdc568372ff5ab18ed7eae972e"
+ }
+ ]
+ },
{
"name" : "spice",
"buildsystem" : "meson",
@@ -247,27 +259,6 @@
}
]
},
- {
- "name" : "spice-gtk",
- "buildsystem": "meson",
- "build-options" : {
- "env" : {
- "PYTHONPATH" : "/app"
- }
- },
- "config-opts" : [
- "-Dvapi=enabled",
- "-Dwebdav=enabled",
- "-Dgtk_doc=disabled"
- ],
- "sources" : [
- {
- "type" : "archive",
- "url" : "https://www.spice-space.org/download/gtk/spice-gtk-0.37.tar.bz2",
- "sha256" : "1f28b706472ad391cda79a93fd7b4c7a03e84b88fc46ddb35dddbe323c923bb7"
- }
- ]
- },
{
"name" : "tracker",
"buildsystem" : "meson",
@@ -324,18 +315,6 @@
}
]
},
-
- {
- "name" : "usbredir",
- "sources" : [
- {
- "type" : "git",
- "url" : "https://gitlab.freedesktop.org/spice/usbredir.git",
- "tag" : "usbredir-0.7.1",
- "commit" : "e1a7e3dbbe091bfdc568372ff5ab18ed7eae972e"
- }
- ]
- },
{
"name" : "python-mako",
"buildsystem" : "simple",
@@ -476,6 +455,66 @@
}
]
},
+ {
+ "name" : "polkit",
+ "config-opts" : [
+ "--disable-polkitd",
+ "--disable-man-pages",
+ "--disable-introspection",
+ "--disable-examples",
+ "--disable-gtk-doc",
+ "--disable-libelogind",
+ "--disable-libsystemd-login",
+ "--with-systemdsystemunitdir=no",
+ "--with-authdb=dummy",
+ "--with-authfw=none"
+ ],
+ "rm-configure" : true,
+ "sources" : [
+ {
+ "type" : "archive",
+ "url" : "https://www.freedesktop.org/software/polkit/releases/polkit-0.116.tar.gz",
+ "sha256" : "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
+ },
+ {
+ "type" : "patch",
+ "path" : "polkit-build-Add-option-to-build-without-polkitd.patch"
+ },
+ {
+ "type" : "file",
+ "path" : "polkit-autogen",
+ "dest-filename" : "autogen.sh"
+ }
+ ]
+ },
+ {
+ "name" : "spice-gtk",
+ "buildsystem": "meson",
+ "build-options" : {
+ "env" : {
+ "PYTHONPATH" : "/app"
+ }
+ },
+ "config-opts" : [
+ "-Dvapi=enabled",
+ "-Dwebdav=enabled",
+ "-Dgtk_doc=disabled",
+ "-Dusbredir=enabled",
+ "-Dpolkit=enabled",
+ "-Dusb-acl-helper-dir=/app/libexec/"
+ ],
+ "sources" : [
+ {
+ "type" : "archive",
+ "url" : "https://www.spice-space.org/download/gtk/spice-gtk-0.37.tar.bz2",
+ "sha256" : "1f28b706472ad391cda79a93fd7b4c7a03e84b88fc46ddb35dddbe323c923bb7"
+ },
+ {
+ "type" : "patch",
+ "path" : "spice-gtk-getpid.patch"
+ }
+ ]
+ },
{
"name" : "gnome-boxes",
"buildsystem" : "meson",
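Review bot: `-Dusb-acl-helper-dir=/app/libexec/` installs spice-gtk's USB ACL helper inside the app prefix, and the commit title says it needs the suid bit. Programs started inside the Flatpak sandbox are not expected to gain privileges from a setuid bit, because bubblewrap sets no_new_privs, so the helper path enabled by `-Dpolkit=enabled` probably cannot grant device access as built. If redirection is meant to rely on the existing `--device=all` instead, the commit description should say so, and also whether the helper is still expected to perform the polkit check. The polkit module is built with `--with-authfw=none` and `--disable-polkitd`, so only the client library is available and the authorisation decision stays with the host's polkitd.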
diff --git a/build-aux/flatpak/polkit-autogen b/build-aux/flatpak/polkit-autogen
new file mode 100755
index 00000000..3ba457e5
--- /dev/null
+++ b/build-aux/flatpak/polkit-autogen
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+gtkdocize --flavour no-tmpl
+autoreconf -if
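Review bot: The script has no error handling, so a failing `gtkdocize --flavour no-tmpl` is ignored and `autoreconf -if` still runs against a partly prepared tree. Add `set -e` after the shebang line so that the build stops at the first failing step.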
diff --git a/build-aux/flatpak/polkit-build-Add-option-to-build-without-polkitd.patch
b/build-aux/flatpak/polkit-build-Add-option-to-build-without-polkitd.patch
new file mode 100644
index 00000000..651f53ba
--- /dev/null
+++ b/build-aux/flatpak/polkit-build-Add-option-to-build-without-polkitd.patch
@@ -0,0 +1,132 @@
+From 1073a44277316348d40d86ecec908f1d4812f360 Mon Sep 17 00:00:00 2001
+From: Christian Hergert <chergert redhat com>
+Date: Mon, 27 May 2019 11:49:09 -0700
+Subject: [PATCH] flatpak: make polkit suitable for use within flatpak
+
+This is based on patches from Patrick Griffis with additional fixes
+to allow us to disable use of PAM within Flaptak.
+---
+ configure.ac | 20 ++++++++++++++++----
+ src/Makefile.am | 6 +++++-
+ src/polkitagent/Makefile.am | 5 +++++
+ test/Makefile.am | 6 +++++-
+ 4 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5cedb4e..729d78d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -79,11 +79,13 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+
+-PKG_CHECK_MODULES(LIBJS, [mozjs-60])
++AS_IF([test x${enable_polkitd} = yes], [
++ PKG_CHECK_MODULES(LIBJS, [mozjs-60])
+
+-AC_SUBST(LIBJS_CFLAGS)
+-AC_SUBST(LIBJS_CXXFLAGS)
+-AC_SUBST(LIBJS_LIBS)
++ AC_SUBST(LIBJS_CFLAGS)
++ AC_SUBST(LIBJS_CXXFLAGS)
++ AC_SUBST(LIBJS_LIBS)
++])
+
+ EXPAT_LIB=""
+ AC_ARG_WITH(expat, [ --with-expat=<dir> Use expat from here],
+@@ -236,6 +238,15 @@ if test "x$with_systemdsystemunitdir" != "xno"; then
+ fi
+ AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir"])
+
++dnl ---------------------------------------------------------------------------
++dnl - Disable polkitd when using library alone
++dnl ---------------------------------------------------------------------------
++
++AC_ARG_ENABLE([polkitd],
++ [AS_HELP_STRING([--disable-polkitd], [Do not build polkitd])],
++ [enable_polkitd=$enableval], [enable_polkitd=yes])
++AM_CONDITIONAL(BUILD_POLKITD, [test x${enable_polkitd} = yes])
++
+ dnl ---------------------------------------------------------------------------
+ dnl - User for running polkitd
+ dnl ---------------------------------------------------------------------------
+@@ -579,6 +590,7 @@ echo "
+ Session tracking: ${SESSION_TRACKING}
+ PAM support: ${have_pam}
+ systemdsystemunitdir: ${systemdsystemunitdir}
++ polkitd: ${enable_polkitd}
+ polkitd user: ${POLKITD_USER}"
+
+ if test "$have_pam" = yes ; then
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 09fc7b3..c6fe91b 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,5 +1,9 @@
+
+-SUBDIRS = polkit polkitbackend polkitagent programs
++SUBDIRS = polkit polkitagent programs
++
++if BUILD_POLKITD
++SUBDIRS += polkitbackend
++endif
+
+ if BUILD_EXAMPLES
+ SUBDIRS += examples
+diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
+index 49720db..633f9d4 100644
+--- a/src/polkitagent/Makefile.am
++++ b/src/polkitagent/Makefile.am
+@@ -79,6 +79,7 @@ libpolkit_agent_1_la_LIBADD = \
+
+ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)'
+
++if !POLKIT_AUTHFW_NONE
+ libprivdir = $(prefix)/lib/polkit-1
+ libpriv_PROGRAMS = polkit-agent-helper-1
+
+@@ -113,6 +114,8 @@ polkit_agent_helper_1_LDFLAGS = \
+ $(AM_LDFLAGS) \
+ $(NULL)
+
++endif # !POLKIT_AUTHFW_NONE
++
+ if HAVE_INTROSPECTION
+
+ girdir = $(INTROSPECTION_GIRDIR)
+@@ -142,6 +145,7 @@ include $(INTROSPECTION_MAKEFILE)
+
+ endif # HAVE_INTROSPECTION
+
++if !POLKIT_AUTHFW_NONE
+ # polkit-agent-helper-1 need to be setuid root because it's used to
+ # authenticate not only the invoking user, but possibly also root
+ # and/or other users.
+@@ -149,6 +153,7 @@ endif # HAVE_INTROSPECTION
+ install-data-hook:
+ -chown root $(DESTDIR)$(libprivdir)/polkit-agent-helper-1
+ -chmod 4755 $(DESTDIR)$(libprivdir)/polkit-agent-helper-1
++endif # !POLKIT_AUTHFW_NONE
+
+ EXTRA_DIST = polkitagentmarshal.list polkitagentenumtypes.h.template polkitagentenumtypes.c.template
+ CLEANFILES = $(gir_DATA) $(typelibs_DATA)
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 59d0680..d43b0fe 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -1,7 +1,11 @@
+
+-SUBDIRS = mocklibc . polkit polkitbackend
++SUBDIRS = mocklibc . polkit
+ AM_CFLAGS = $(GLIB_CFLAGS)
+
++if BUILD_POLKITD
++SUBDIRS += polkitbackend
++endif
++
+ noinst_LTLIBRARIES = libpolkit-test-helper.la
+ libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
+ libpolkit_test_helper_la_LIBADD = $(GLIB_LIBS)
+--
+2.21.0
+
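Review bot: In the embedded configure.ac change, `test x${enable_polkitd} = yes` compares `xyes` with `yes` and is therefore never true, both in the `AS_IF` around the mozjs check and in `AM_CONDITIONAL(BUILD_POLKITD, ...)`. As a result polkitd is left out even when `--disable-polkitd` is not passed; both tests should read `test "x${enable_polkitd}" = xyes`. The `AS_IF` also sits above the `AC_ARG_ENABLE([polkitd], ...)` block that assigns the default, so the default `yes` is not yet set when the mozjs check is evaluated; moving the `AC_ARG_ENABLE` block ahead of it fixes that. The Flatpak build passes `--disable-polkitd` and is unaffected, but the carried patch does not behave as its help string describes.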
diff --git a/build-aux/flatpak/spice-gtk-getpid.patch b/build-aux/flatpak/spice-gtk-getpid.patch
new file mode 100644
index 00000000..94ed1303
--- /dev/null
+++ b/build-aux/flatpak/spice-gtk-getpid.patch
@@ -0,0 +1,36 @@
+From 405e11eaa913312aa996931ff6128a3273a42605 Mon Sep 17 00:00:00 2001
+From: Felipe Borges <felipeborges gnome org>
+Date: Mon, 4 Nov 2019 15:32:48 +0100
+Subject: [PATCH] pid
+
+---
+ src/spice-client-glib-usb-acl-helper.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/spice-client-glib-usb-acl-helper.c b/src/spice-client-glib-usb-acl-helper.c
+index f75e0fc..11a999e 100644
+--- a/src/spice-client-glib-usb-acl-helper.c
++++ b/src/spice-client-glib-usb-acl-helper.c
+@@ -321,6 +321,7 @@ clearenv (void)
+ int main(void)
+ {
+ pid_t parent_pid;
++ GDBusConnection *bus;
+ GInputStream *stdin_unix_stream;
+
+ /* Nuke the environment to get a well-known and sanitized
+@@ -340,8 +341,9 @@ int main(void)
+ FATAL_ERROR("Parent process was reaped by init(1)\n");
+ return 1;
+ }
+- /* Do what pkexec does */
+- subject = polkit_unix_process_new_for_owner(parent_pid, 0, getuid ());
++
++ bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, NULL);
++ subject = polkit_system_bus_name_new (g_dbus_connection_get_unique_name (bus));
+
+ stdin_unix_stream = g_unix_input_stream_new(STDIN_FILENO, 0);
+ stdin_stream = g_data_input_stream_new(stdin_unix_stream);
+--
+2.23.0
+
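Review bot: The new subject is built from the helper's own system-bus connection (`g_dbus_connection_get_unique_name (bus)`), so the polkit check in main() appears to authorise the helper itself rather than the parent process that asked for device access, which is what the removed `polkit_unix_process_new_for_owner(parent_pid, 0, getuid ())` identified. If the helper runs setuid as the commit title implies, polkit may see a root-owned connection and the check would no longer constrain the calling user; confirm how polkit resolves bus-name credentials before this leaves WIP. Separately, `g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, NULL)` is used unchecked, so add `if (bus == NULL) { FATAL_ERROR("Unable to connect to the system bus\n"); return 1; }` before building the subject. The patch subject is only "pid" with no description, and it should explain why the pid-based subject does not work in the sandbox. main() starts before and continues after the lines shown.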