diff --git a/flatpak-1.14.10.tar.xz b/flatpak-1.14.10.tar.xz
deleted file mode 100644
index 5b0ded2..0000000
--- a/flatpak-1.14.10.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6bbdc7908127350ad85a4a47d70292ca2f4c46e977b32b1fd231c2a719d821cd
-size 1647100
diff --git a/flatpak-1.16.0.tar.xz b/flatpak-1.16.0.tar.xz
new file mode 100644
index 0000000..ce18433
--- /dev/null
+++ b/flatpak-1.16.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb0ac565adcb62127c6d11ed50ee7044d6a836fa69c354b2f4b640a22bfa4b2a
+size 1186900
diff --git a/flatpak.changes b/flatpak.changes
index f83f359..49561e3 100644
--- a/flatpak.changes
+++ b/flatpak.changes
@@ -1,7 +1,115 @@ ------------------------------------------------------------------- -Wed Oct 30 17:07:27 UTC 2024 - Michael Gorse +Thu Jan 9 17:41:58 UTC 2025 - Bjørn Lie -- Add gtk-doc to BuildRequires. +- Update to version 1.16.0: + + Bug fixes: + - Update libglnx to 2024-12-06: + . Fix an assertion failure if creating a parent directory + encounters a dangling symlink. + . Fix a Meson warning. + . Don't emit terminal progress indicator escape sequences by + default. They are interpreted as notifications by some + terminal emulators. + - Fix introspection annotations in libflatpak. + + Enhancements: + - Add the FLATPAK_TTY_PROGRESS environment variable, which + re-enables the terminal progress indicator escape sequences + added in 1.15.91. + - Document the FLATPAK_FANCY_OUTPUT environment variable, which + allows disabling the fancy formatting when outputting to a + terminal. + +------------------------------------------------------------------- +Fri Dec 20 17:52:37 UTC 2024 - Bjørn Lie + +- Update to version 1.15.91 (unstable): + + Enhancements: + - Add the FLATPAK_DATA_DIR environment variable, which allows + overriding at runtime the data directory location that + Flatpak uses to search for configuration files such as + remotes. This is useful for running tests, and for when + installing using Flatpak in a chroot. + - Add a FLATPAK_DOWNLOAD_TMPDIR variable. This allows using + download directories other than /var/tmp. + - Emit progress escape sequence. This can be used by terminal + emulators to detect and display progress of Flatpak + operations on their graphical user interfaces. + + Bug fixes: + - Install missing test data. This should fix "as-installed" + tests via ginsttest-runner, used for example in Debian's + autopkgtest framework. + - Unify and improve how the Wayland socket is passed to the + sandboxed app. 
This should fix a regression that is triggered + by compositors that both implement the security-context-v1 + protocol, and sets the WAYLAND_DISPLAY environment variable + when launching Flatpak apps. + - Fix the plural form of a translatable string. + +------------------------------------------------------------------- +Thu Nov 28 21:57:18 UTC 2024 - Bjørn Lie + +- Update to version 1.15.12: + + Return to using the process ID of the Flatpak app in the cgroup + name. Using the instance ID in 1.15.11 caused crashes when + installing apps, extensions or runtimes that use the "extra + data" mechanism, which does not set up an instance ID. +- Changes from version 1.15.11: + + Dependencies: + - In distributions that compile Flatpak to use a separate + xdg-dbus-proxy executable, version 0.1.6 is recommended (but + not required). + - The minimum xdg-dbus-proxy continues to be 0.1.0. + + Enhancements: + - Allow applications like WebKit to connect the AT-SPI + accessibility tree of processes in a sub-sandbox with the + tree in the main process. + . New sandboxing parameter flatpak run --a11y-own-name, which + is like --own-name but for the accessibility bus. + . flatpak-portal API v7: add new sandbox-a11y-own-names + option, which accepts names matching ${FLATPAK_ID}.* + . Apps may call the org.a11y.atspi.Socket.Embedded method on + names matching ${FLATPAK_ID}.Sandboxed.* by default + . flatpak run -vv $app_id shows all applicable sandboxing + parameters and their source, including overrides, as debug + messages + - Introduce USB device listing + . Apps can list which USB devices they want to access ahead + of time by using the --usb parameter. Check the manpages + for the more information about the accepted syntax. + . Denying access to USB devices is also possible with the + --no-usb parameter. The syntax is equal to --usb. + . Both options merely store metadata, and aren't used by + Flatpak itself. 
This metadata is intended to be used by the + (as of now, still in progress) USB portal to decide which + devices the app can enumerate and request access. + - Add support for KDE search completion + - Use the instance id of the Flatpak app as part of the cgroup + name. This better matches the naming conventions for cgroup. + + Bug fixes: + - Update libglnx to 2024-08-23 + - fix build in environments that use -Werror=return-type, such + as openSUSE Tumbleweed + - add a fallback definition for G_PID_FORMAT with older GLib + - avoid warnings for g_steal_fd() with newer GLib + - improve compatibility of g_closefrom() backport with newer + GLib + - Update meson wrap file for xdg-dbus-proxy to version 0.1.6: + - compatibility with D-Bus implementations that pipeline the + authentication handshake, such as sd-bus and zbus + - compatibility with D-Bus implementations that use + non-consecutive serial numbers, such as godbus and zbus + - broadcast signals can be allowed without having to add TALK + permission + - fix memory leaks + + Internal changes: + - Better const-correctness + - Fix a shellcheck warning in the tests +- Drop libglnx.patch: Fixed upstream. + +------------------------------------------------------------------- +Tue Oct 15 11:54:41 UTC 2024 - Dominique Leuenberger + +- Drop rcFOO symlinks (PED-266). ------------------------------------------------------------------- Wed Oct 2 15:16:49 UTC 2024 - Robert Frohl 
@@ -10,21 +118,340 @@ Wed Oct 2 15:16:49 UTC 2024 - Robert Frohl selinux_relabel_* in scriptlets to work on other codestreams ------------------------------------------------------------------- -Wed Aug 16 21:07:12 UTC 2024 - Cliff Zhao +Wed Aug 14 16:07:15 UTC 2024 - Bjørn Lie -- Update to version 1.14.10 -* Dependencies: In distributions that compile Flatpak to use a - separate bubblewrap (bwrap) executable, either version 0.10.0, - version 0.6.x ≥ 0.6.3, or a version with a backport of the - --bind-fd option is required. These versions add a new feature - which is required by the security fix in this release. -* Security fixes: Don't follow symbolic links when mounting - persistent directories (--persist option). This prevents a - sandbox escape where a malicious or compromised app could edit - the symlink to point to a directory that the app should not have - been allowed to read or write. (CVE-2024-42472, GHSA-7hgv-f2j8-xw87) -* Documentation: Mark the 1.12.x and 1.10.x branches as end-of-life (#5352) - (bsc#1229157, CVE-2024-42472) +- Update to version 1.15.10: + + Dependencies: In distributions that compile Flatpak to use a + separate bubblewrap (bwrap) executable, version 0.10.0 is + required. This version adds a new feature which is required by + the security fix in this release. + + Security fixes: Don't follow symbolic links when mounting + persistent directories (--persist option). This prevents a + sandbox escape where a malicious or compromised app could edit + the symlink to point to a directory that the app should not + have been allowed to read or write. 
(CVE-2024-42472, + GHSA-7hgv-f2j8-xw87, bsc#1229157) + + Documentation: Mark the 1.12.x and 1.10.x branches as + end-of-life + + Other bug fixes: Fix several memory leaks + + Internal changes: + - Record a log file when running build-time tests with + AddressSanitizer + - Add initial suppressions file for AddressSanitizer + +------------------------------------------------------------------- +Thu Aug 8 12:33:34 UTC 2024 - Imo Hester + +- As per documentation from flatpak 1.0: add weak dep on + p11-kit-server for certificate transfer (boo#1188902) + +------------------------------------------------------------------- +Fri Jun 14 13:51:38 UTC 2024 - pgajdos@suse.com + +- remove dependency on /usr/bin/python3 using + %python3_fix_shebang macro, [bsc#1212476] + +------------------------------------------------------------------- +Tue Apr 23 13:23:52 UTC 2024 - Robert Frohl + +- disable parental controls for now by using '-Dmalcontent=disabled', to work around + issues with xdg-desktop-portal + +------------------------------------------------------------------- +Fri Apr 19 08:05:28 UTC 2024 - Robert Frohl + +- Update to version 1.15.8: + + Security fixes: + - Don't allow an executable name to be misinterpreted as a + command-line option for bwrap(1). This prevents a sandbox + escape where a malicious or compromised app could ask + xdg-desktop-portal to generate a .desktop file with access to + files outside the sandbox. (CVE-2024-32462, boo#1223110). + + Other bug fixes: + - Pass the -export-dynamic linker option as + -Wl,-export-dynamic, fixing build failures with clang 18 and + lld 18. + - Fix a double-free when installation is cancelled. + - Fix installed-tests failure with "FUSERMOUNT: unbound + variable". +- Changes from version 1.15.7: + + New features: + - Automatically remove obsolete driver versions and other + autopruned refs. + - --socket=inherit-wayland-socket. 
+ - Automatically reload D-Bus session bus configuration after + installing or upgrading apps, to pick up any exported D-Bus + services. + + Bug fixes: + - Don't parse as the application + name. + - Don't refuse to start apps when there is no D-Bus system bus + available. + - Don't try to repeat migration of apps whose data was migrated + to a new name and then deleted. + - Improve handling of mixed locales on systems with + systemd-localed. + - Improve display of ellipsized columns in wide terminals. + - Make flatpak info -e look for extensions in all + installations. + - Fix warnings from newer GLib versions. + - Always set the container environment variable. + - Always let the app inherit redirected file descriptors. + - In flatpak ps, add xdg-desktop-portal-gnome to the list of + backends we'll use to learn which apps are running in the + background. + - Don't use WAYLAND_SOCKET unless given + --socket=inherit-wayland-socket. + - Use fusermount3 if compiled with FUSE 3, overridable with + -Dsystem_fusermount compile-time option. + - Avoid leaking a temporary variable from + /etc/profile.d/flatpak.sh into the shell environment. + - Improve async-signal safety. + - Fix various memory leaks. + - Avoid undefined behaviour of signed left-shift when storing + object IDs in a hash table. + - Detect the correct gtk-doc when cross-compiling. + - Detect the correct wayland-scanner when cross-compiling. + - Documentation improvements. + - Skip more tests when FUSE isn't available. + - Updated translations. +- Add libglnx.patch: fix meson function detection. +- Switch build system to meson: + + Add meson BuildRequires. + + Switch configure/make_build/make_install macros to + meson/meson_build/meson_install, preserving the configure + parameters as close as possible: + --disable-silent-rules => obsoleted + --with-system-bubblewrap => -Dsystem_bubblewrap=bwrap + --with-curl => -Dhttp_backend=curl +- Add pkgconfig(malcontent-0) BuildRequires: enable malcontent + support. 
+ +------------------------------------------------------------------- +Tue Mar 19 08:06:34 UTC 2024 - Antonio Larrosa + +- Make flatpak-remote-flathub only supplement flatpak in TW + (bsc#1221662). + +------------------------------------------------------------------- +Thu Mar 7 11:21:12 UTC 2024 - Antonio Larrosa + +- Add a flatpak-selinux subpackage that provides a SELinux policy + module (boo#1220591). + +------------------------------------------------------------------- +Tue Nov 14 19:34:15 UTC 2023 - Bjørn Lie + +- Update to version 1.15.6: + + In distributions that compile Flatpak to use a separate + bubblewrap (bwrap) executable, version 0.8.0 is now required. + + Enabling the optional Wayland security context feature requires + libwayland-client, wayland-scanner >= 1.15 and + wayland-protocols >= 1.32. + + Add --device=input, for access to evdev devices in /dev/input + + Update bundled copy of bubblewrap to version 0.8.0, and rely on + its features: + + Improve error message if seccomp is disabled in kernel config + + Security hardening: set user namespace limit to 0, to prevent + creation of nested user namespaces in a more robust way + + For subsandboxes started by flatpak-portal, inherit + environment variables from the flatpak run that started the + original instance rather than from flatpak-portal, fixing + behaviour of FLATPAK_GL_DRIVERS and similar features + + Stop http transfers if a download in progress becomes very slow + + Make it easier to configure extra languages, by picking them up + from AccountsService if configured there + + Add new flatpak_transaction_add_rebase_and_uninstall() API, + allowing end-of-life apps to be replaced by their intended + replacement more reliably + + Create a private Wayland socket with the "security context" + extension if available, allowing the compositor to identify + connections from sandboxed apps as belonging to the sandbox + + Update libglnx to 2023-08-29 + + Use features of newer GLib versions if 
available + + Turn off system-level crash reporting infrastructure during + some unit tests that involve intentional assertion failures + + Add anchors to link to sections of flatpak-metadata + documentation + + Bug fixes: + - Avoid warnings processing symbolic links with GLib >= 2.77.0, + and with GLib 2.76.0 (GLib 2.76.1 or later silences these + warnings) + - Bypass page cache for backend requests in revokefs, fixing + installation errors with libostree 2023.4 + - Show AppStream metadata in flatpak remote-info as intended + - Don't let Flatpak apps inherit VK_DRIVER_FILES or + VK_ICD_FILENAMES from the host system, which would be wrong + for the sandbox + - Fix build failure with prereleases of libappstream 0.17.x + - Forward-compatibility with libappstream 1.0 + - Fix installation with Meson if configured with + -Dauto_sideloading=true + - Fix a memory leak + - Fix compiler warnings + - Make the tests fail more comprehensibly if a required tool is + missing + - Clean up /var/tmp/flatpak-cache-* directories on boot + - Don't force GIO_USE_VFS=local for programs launched via + flatpak-spawn + - Clarify documentation for D-Bus name ownership + + Internal changes: + - Split up large source files into smaller modules, reducing + internal circular dependencies + - Re-synchronize code backported from GLib with the version in + GLib + - Clarify documentation for D-Bus name ownership + - Make the flags used to apply "extra data" clearer + - Use glnx_opendirat() where possible + + Updated translations. +- Add pkgconfig(wayland-client), pkgconfig(wayland-scanner) and + pkgconfig(wayland-protocols) BuildRequires and pass + with-wayland-security-context=yes to configure: Enable the + optional Wayland security context. 
+ +------------------------------------------------------------------- +Wed Aug 2 20:23:29 UTC 2023 - Luciano Santos + +- Add update-user-flatpaks service and timer Systemd units - based + on update-system-flatpaks.{service,timer} - to help users keep + their user installed flatpaks up to date. +- Prefix /etc/flatpak/remotes.d/flathub.flatpakrepo with %config + macro to mark it as a configuration file. + +------------------------------------------------------------------- +Fri Mar 17 16:20:57 UTC 2023 - Bjørn Lie + +- Update to version 1.15.4 (CVE-2023-28101, CVE-2023-28100): + + Escape special characters when displaying permissions and + metadata, preventing malicious apps from manipulating the + appearance of the permissions list using crafted metadata + (CVE-2023-28101, bsc#1209410). + + If a Flatpak app is run on a Linux virtual console (tty1, tty2, + etc.), don't allow copy/paste via the TIOCLINUX ioctl + (CVE-2023-28100, bsc#1209411). Note that this is specific to virtual + consoles: Flatpak is not vulnerable to this if run from a + graphical terminal emulator such as xterm, gnome-terminal or + Konsole. + + Document the path used for flatpak override. + + Updated translations. + +------------------------------------------------------------------- +Fri Mar 17 10:06:34 UTC 2023 - Bjørn Lie + +- Update to version 1.15.3: + + Build system: Building this version of Flatpak with Meson is + recommended. The source release flatpak-1.15.3.tar.xz no longer + contains Autotools-generated files, although this version can + still be built using Autotools after running ./autogen.sh. + Future versions are likely to remove the Autotools buildsystem. 
+ + Bug fixes: + - When splitting an upgrade into two steps (download without + installing, and then upgrade without allowing further + downloads) like GNOME Software does, if an app is marked EOL + and superseded by a replacement, don't remove the superseded + app in the first step, which would result in the replacement + incorrectly not being installed. + - Fix a crash when --socket=gpg-agent is used. + - Fix a crash when listing apps if one of them is broken or + misconfigured. + - If an app has invalid syntax in its overrides or metadata, + mention the filename in the error message. + - Unset $GDK_BACKEND for apps, ensuring GTK apps with + --socket=fallback-x11 can work. + - Fix a deprecation warning when compiled with curl >= 7.85. + + Updated translations. + + Internal changes: Better diagnostic messages for why runtimes + are or are not considered unused. +- Changes from version 1.15.2: + + Bug fixes: + - Never try to export a parent of reserved directories as a + --filesystem, for example /run, which would prevent the app + from starting. + - Never try to export a --filesystem below /run/flatpak or + /run/host, which could similarly prevent the app from + starting. + - The above change also fixes apps not starting if a + --filesystem is a symlink to the root directory. + - Show a warning when the --filesystem exists but cannot be + shared with the sandbox. + - Display the intended messages for flatpak repair. + - Exporting an app to an existing repository on a CIFS + filesystem now works as intended. + - Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in + some GLib apps when set to a path on the host. + - Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and + Qt apps under Wayland when this variable is set to a path not + available in the sandbox. + - When using the fish shell, avoid duplicate XDG_DATA_DIRS + entries if the profile script is sourced more than once. 
+ - Update included copy of bubblewrap to 0.7.0 for better error + messages. + - Install SELinux files correctly when building with Meson + + Internal changes: + - Update included copy of libglnx + - flatpak -v now uses the INFO log level, and flatpak -vv uses + the DEBUG log level in the flatpak log domain. Previously, + the extra messages that were logged by flatpak -vv were in a + separate "flatpak2" log domain. G_MESSAGES_DEBUG=flatpak + previously had an effect similar to flatpak -v, and is now + more similar to flatpak -vv. +- Changes from version 1.15.1: + + Dependencies: When building with Meson, gpgme 1.8.0 is now + required. Older versions can still be used by building with + Autotools. + + Features: If an old temporary deploy directory was leaked by + versions before #5146, clean it up the next time the same app + is updated. + + Bug fixes: + - If an app update is blocked by parental controls policies, + clean up the temporary deploy directory. + - Fix Autotools build with versions of gpgme that no longer + provide gpgme-config(1). + - Fix a possible parallel build failure with Meson. + - Fix a compiler warning on 32-bit architectures. + - When building with Autotools, be more consistent about + applying compiler warning flags. + - Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR. + - Treat /efi the same as /boot/efi. +- Changes from version 1.15.0: + + Build system: + - Flatpak can now be compiled using Meson instead of Autotools. + This requires Meson 0.53.0 or later, and Python 3.5 or later. + - The Autotools build system is likely to be removed during + either the 1.15.x or 1.17.x cycle. + + New features: + - Allow the modify_ldt system call as part of + --allow=multiarch. This increases attack surface, but is + required when running 16-bit executables in some versions of + Wine. + - Share gssproxy socket, which acts like a portal for Kerberos + authentication. This lets apps use Kerberos authentication + without needing a sandbox hole. 
+ - Add a httpbackend variable to flatpak.pc, allowing dependent + projects like GNOME Software to detect whether they are + compatible with libflatpak. + + Bug fixes: + - Terminate the flatpak-session-helper and flatpak-portal + services when the session ends, so that applications will not + inherit outdated Wayland and X11 socket addresses. + - When using fish shell, don't overwrite a previously-set + XDG_DATA_DIRS. + - Don't try to enable HTTP 2 if linked to a libcurl version + that doesn't support it. + - Stop systemd reporting the session-helper as failed when + terminated by a signal. + - Fix a warning when listing a document with no permissions. + - Fix compilation with GLib 2.66.x (as used in Debian 11). + - Fix compilation with GLib 2.58.x (as used in Debian 10). + - Make generated files more reproducible. + + Internal changes: + - Update project logo in README. + - Update libglnx subproject. + + Updated translations. +- Add libtool BuildRequires and pass autogen.sh, bootstrapping + build is now needed. +- Add gtk-doc and xmlto BuildRequires and pass enable-documentation + and enable-gtk-doc to configure, building documentation manually. ------------------------------------------------------------------- Thu Mar 16 16:15:42 UTC 2023 - Bjørn Lie diff --git a/flatpak.spec b/flatpak.spec index bc8d838..9d7dd8c 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -1,7 +1,7 @@ # # spec file for package flatpak # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,9 +15,10 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %global selinuxtype targeted %define libname libflatpak0 -%define bubblewrap_version 0.5.0 +%define bubblewrap_version 0.10.0 %define ostree_version 2020.8 %define xdg_dbus_proxy_version 0.1.0 
@@ -34,7 +35,7 @@ %define support_environment_generators 1 %endif Name: flatpak -Version: 1.14.10 +Version: 1.16.0 Release: 0 Summary: OSTree based application bundles management License: LGPL-2.1-or-later @@ -43,9 +44,12 @@ URL: https://flatpak.github.io/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz Source1: update-system-flatpaks.service Source2: update-system-flatpaks.timer -Source3: https://flathub.org/repo/flathub.flatpakrepo +Source3: update-user-flatpaks.service +Source4: update-user-flatpaks.timer +Source5: https://flathub.org/repo/flathub.flatpakrepo # PATCH-FEATURE-OPENSUSE polkit_rules_usability.patch -- Make the rules comply with openSUSE expectations Patch0: polkit_rules_usability.patch + BuildRequires: bison BuildRequires: bubblewrap >= %{bubblewrap_version} BuildRequires: docbook-xsl-stylesheets @@ -54,12 +58,16 @@ BuildRequires: intltool >= 0.35.0 BuildRequires: libcap-devel BuildRequires: libgpg-error-devel BuildRequires: libgpgme-devel >= 1.1.8 +BuildRequires: libtool +BuildRequires: meson BuildRequires: pkgconfig BuildRequires: python3-pyparsing BuildRequires: selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel BuildRequires: systemd-rpm-macros BuildRequires: sysuser-tools BuildRequires: xdg-dbus-proxy >= %{xdg_dbus_proxy_version} +BuildRequires: xmlto BuildRequires: xsltproc BuildRequires: pkgconfig(appstream) >= 0.12.0 BuildRequires: pkgconfig(dconf) >= 0.26 
@@ -81,13 +89,19 @@ BuildRequires: pkgconfig(libzstd) >= 0.8.1 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(polkit-gobject-1) BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(wayland-client) >= 1.15 +BuildRequires: pkgconfig(wayland-protocols) >= 1.32 +BuildRequires: pkgconfig(wayland-scanner) >= 1.15 BuildRequires: pkgconfig(xau) Requires: %{libname} = %{version} Requires: bubblewrap >= %{bubblewrap_version} Requires: ostree >= %{ostree_version} Requires: xdg-dbus-proxy >= %{xdg_dbus_proxy_version} Requires: xdg-desktop-portal >= 0.10 +Requires: (flatpak-selinux = %{version} if selinux-policy-%{selinuxtype}) Requires: user(flatpak) +# as per documentation from flatpak 1.0: add weak dep on p11-kit-server for certificate transfer +Recommends: p11-kit-server # Remove after openSUSE Leap 42 is out of scope Provides: xdg-app = %{version} Obsoletes: xdg-app < %{version} @@ -153,15 +167,31 @@ more information. Summary: Add Flathub repository to system flatpak Group: System/Packages Requires: flatpak -Requires(postun):flatpak -Requires(postun):sed +Requires(postun): flatpak +Requires(postun): sed +%if 0%{?suse_version} > 1600 Supplements: flatpak +%endif BuildArch: noarch %description remote-flathub Flathub is a widely used repository for Flatpak applications. This package adds the Flathub repository to the list of system flatpak remotes. +%package selinux +Summary: SELinux policy module for flatpak +Group: System Environment/Base +Requires: flatpak +BuildArch: noarch +%{?selinux_requires} + +%description selinux +flatpak is a system for building, distributing and running sandboxed desktop +applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for +more information. + +This package provides the SELinux policy module for flatpak. + %postun remote-flathub # upon uninstall if [ $1 == 0 ]; then 
@@ -173,31 +203,33 @@ fi %lang_package +%python3_fix_shebang + %prep %autosetup -p1 sed -i -e '1s,#!%{_bindir}/env python3,#!%{_bindir}/python3,' scripts/flatpak-* %build -%configure \ - --disable-silent-rules \ - --with-system-bubblewrap \ - --with-curl \ - --with-priv-mode=none \ - --with-dbus-config-dir=%{_dbusconfigdir} \ - --with-system-dbus-proxy=%{_bindir}/xdg-dbus-proxy \ +%meson \ + -Dsystem_bubblewrap=%{_bindir}/bwrap \ + -Dhttp_backend=curl \ + -Ddbus_config_dir=%{_dbusconfigdir} \ + -Dsystem_dbus_proxy=%{_bindir}/xdg-dbus-proxy \ %if !%{support_environment_generators} - --enable-gdm-env-file \ + -Dgdm_env_file=enabled \ %endif - --docdir=%{_docdir}/%{name} \ - %{nil} -%make_build + -Dgtkdoc=enabled \ + -Dwayland_security_context=enabled \ + -Dselinux_module=enabled \ + -Dtests=false \ + -Dmalcontent=disabled \ + %{nil} +%meson_build %sysusers_generate_pre system-helper/flatpak.conf system-user-flatpak flatpak.conf %install -%make_install +%meson_install find %{buildroot} -type f -name "*.la" -delete -print -mkdir -p %{buildroot}%{_sbindir} -ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper # add a 60- prefix to the rules file, otherwise it is not effective, because # /etc/polkit-1/rules.d/90-default-privs.rules is executed first and if no # polkit-default-privs rule grants access then an explicit reject is the 
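Review bot: `%python3_fix_shebang` is added between `%lang_package` and `%prep`, outside any build-stage section, so it is unlikely to rewrite the shebangs it is meant for; as far as I know the macro operates on scripts already installed under `%{buildroot}%{_bindir}`, which only exist after `%meson_install`. The unchanged `sed` line in `%prep` also still pins the scripts to `#!%{_bindir}/python3`, which is the dependency the changelog entry says is being removed. I would move the macro to the end of `%install` (after `%meson_install`) and drop the `sed` line in the same change. The `%install` section continues past the end of this hunk, so the exact position needs checking against the full spec.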
@@ -210,12 +242,16 @@ rm -Rf %{buildroot}%{_systemd_user_env_generator_dir} rm -Rf %{buildroot}%{_systemd_system_env_generator_dir} %endif -install -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/update-system-flatpaks.service -install -D -m 644 %{SOURCE2} %{buildroot}%{_unitdir}/update-system-flatpaks.timer +# System update Systemd service and timer units +install -D -m 644 -t %{buildroot}%{_unitdir} %{SOURCE1} +install -D -m 644 -t %{buildroot}%{_unitdir} %{SOURCE2} -mkdir -p %{buildroot}%{_sysconfdir}/flatpak/remotes.d -# Flathub -install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/flatpak/remotes.d +# User update Systemd service and timer units +install -D -m 644 -t %{buildroot}%{_userunitdir} %{SOURCE3} +install -D -m 644 -t %{buildroot}%{_userunitdir} %{SOURCE4} + +# Flathub remote repository +install -D -m 644 -t %{buildroot}%{_sysconfdir}/flatpak/remotes.d %{SOURCE5} %find_lang %{name} @@ -242,16 +278,34 @@ if [ -e "%{_localstatedir}/lib/flatpak/repo" ] && [ -z "$(ls -A %{_localstatedir rm -r %{_localstatedir}/lib/flatpak/repo fi %{_bindir}/flatpak remotes 1> /dev/null +%tmpfiles_create %{_tmpfilesdir}/flatpak.conf %postun %service_del_postun flatpak-system-helper.service %service_del_postun update-system-flatpaks.service %service_del_postun update-system-flatpaks.timer +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/flatpak.pp.bz2 + +%preun selinux +%selinux_relabel_pre -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} flatpak + %selinux_relabel_post -s %{selinuxtype} +fi; + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + %files -f %{name}.lang %license COPYING %{_bindir}/flatpak -%{_exec_prefix}/lib/tmpfiles.d/flatpak.conf %{_libexecdir}/flatpak-portal %{_libexecdir}/flatpak-session-helper %{_libexecdir}/flatpak-system-helper 
@@ -279,17 +333,19 @@ fi %{_mandir}/man1/%{name}*.1%{?ext_man} %{_mandir}/man5/flatpak-metadata.5%{?ext_man} %{_mandir}/man5/flatpak-flatpakref.5%{?ext_man} +%{_mandir}/man5/flatpakref.5%{?ext_man} %{_mandir}/man5/flatpak-flatpakrepo.5%{?ext_man} +%{_mandir}/man5/flatpakrepo.5%{?ext_man} %{_mandir}/man5/flatpak-installation.5%{?ext_man} %{_mandir}/man5/flatpak-remote.5%{?ext_man} %{_datadir}/%{name}/ %config %{_sysconfdir}/profile.d/flatpak.sh +%config %{_sysconfdir}/profile.d/flatpak.csh %dir %{_sysconfdir}/flatpak %dir %{_sysconfdir}/flatpak/remotes.d %{_unitdir}/flatpak-system-helper.service -%{_unitdir}/update-system-flatpaks.service -%{_unitdir}/update-system-flatpaks.timer -%{_sbindir}/rcflatpak-system-helper +%{_unitdir}/update-system-flatpaks.{service,timer} +%{_userunitdir}/update-user-flatpaks.{service,timer} %{_userunitdir}/flatpak-session-helper.service %{_userunitdir}/flatpak-portal.service %ghost %dir %{_localstatedir}/lib/flatpak @@ -307,6 +363,7 @@ fi %{_userunitdir}/flatpak-oci-authenticator.service %{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml %{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service +%{_tmpfilesdir}/flatpak.conf %files -n system-user-flatpak %license COPYING @@ -328,6 +385,9 @@ fi %files devel %license COPYING %doc %{_datadir}/gtk-doc/html/flatpak +%dir %{_datadir}/doc/flatpak +%doc %{_datadir}/doc/flatpak/docbook.css +%doc %{_datadir}/doc/flatpak/flatpak-docs.html %{_bindir}/flatpak-bisect %{_bindir}/flatpak-coredumpctl %{_libdir}/pkgconfig/flatpak.pc @@ -336,6 +396,10 @@ fi %{_datadir}/gir-1.0/Flatpak-1.0.gir %files remote-flathub -%{_sysconfdir}/flatpak/remotes.d/flathub.flatpakrepo +%config %{_sysconfdir}/flatpak/remotes.d/flathub.flatpakrepo + +%files selinux +%{_datadir}/selinux/devel/include/contrib/flatpak.if +%{_datadir}/selinux/packages/flatpak.pp.bz2 %changelog diff --git a/update-user-flatpaks.service b/update-user-flatpaks.service new file mode 100644 index 0000000..804b9ad 
--- /dev/null
+++ b/update-user-flatpaks.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update user Flatpaks
+Documentation=man:flatpak-update(1)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y --noninteractive
+
+[Install]
+WantedBy=default.target
diff --git a/update-user-flatpaks.timer b/update-user-flatpaks.timer
new file mode 100644
index 0000000..77f60c9
--- /dev/null
+++ b/update-user-flatpaks.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Update user Flatpaks daily
+Documentation=man:flatpak-update(1)
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
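Review bot: In update-user-flatpaks.service, `After=network-online.target` and `Wants=network-online.target` refer to a target that belongs to the system manager; a user manager instance normally has no such unit, so these two lines most likely provide no ordering and the update can start before the network is up. Either drop them or keep them with a comment such as `# no effect in a user unit: network-online.target is a system-manager target` so the next maintainer does not rely on them. `WantedBy=default.target` additionally makes an enabled service run at every login on top of the daily timer; if the timer is meant to be the only trigger, the `[Install]` section of the service can go. Because `-y --noninteractive` accepts whatever the update proposes without a prompt, the package documentation should state that enabling this unit means unattended acceptance of updates from all configured user remotes.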
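Review bot: update-user-flatpaks.timer has no jitter, so `OnCalendar=daily` elapses at the same moment for every user and every host; adding `RandomizedDelaySec=1h` (value to taste) under `[Timer]` would spread the load on the remote and keep all sessions on a multi-user machine from updating at once. Whether the system timer (Source2, not shown in this diff) already does this is not visible here; the two timers should agree.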