From 779a07eba3a0a9a28704841a1f847f4258341d1ce83276dae45fd46f73c3b201 Mon Sep 17 00:00:00 2001 From: Christophe Giboudeaux Date: Sun, 26 Jul 2020 19:02:14 +0000 Subject: [PATCH] Accepting request 822683 from home:Vogtinator:boo1174448 - Add patch to disable the seccomp sandbox (boo#1174448): * 0001-Disable-the-seccomp-sandbox.patch OBS-URL: https://build.opensuse.org/request/show/822683 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kscreenlocker?expand=0&rev=225 --- 0001-Disable-the-seccomp-sandbox.patch | 51 ++++++++++++++++++++++++++ kscreenlocker.changes | 6 +++ kscreenlocker.spec | 5 ++- 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 0001-Disable-the-seccomp-sandbox.patch diff --git a/0001-Disable-the-seccomp-sandbox.patch b/0001-Disable-the-seccomp-sandbox.patch new file mode 100644 index 0000000..e791915 --- /dev/null +++ b/0001-Disable-the-seccomp-sandbox.patch @@ -0,0 +1,51 @@ +From cd2d031b191c6b4e6a0eb4bd51ed8b2c72c21f76 Mon Sep 17 00:00:00 2001 +From: Fabian Vogt +Date: Fri, 24 Jul 2020 13:22:50 +0200 +Subject: [PATCH] Disable the seccomp sandbox +References: boo#1174448 + +In the referenced bug, it somehow fails to make the created context current, +so no GL vendor detection is performed and it is assumed to not be Nvidia +or on Wayland. This breaks rendering. +While it would be enough to only disable the sandbox in this particular case, +it's planned to drop sandboxing anyway +(https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/9) so just do the +same here, just in a simpler way with less side effects. +--- + greeter/seccomp_filter.cpp | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/greeter/seccomp_filter.cpp b/greeter/seccomp_filter.cpp +index bca3001..8e2f156 100644 +--- a/greeter/seccomp_filter.cpp ++++ b/greeter/seccomp_filter.cpp +@@ -28,6 +28,7 @@ along with this program. If not, see . + #include + #include + #include ++#include + + #include + #include +@@ -62,11 +63,18 @@ void init() + else if (gl->isSoftwareEmulation() && KWindowSystem::isPlatformWayland()) { + createSupported = writeSupported = false; + } ++ } else { ++ qWarning() << "Making the context current failed"; ++ return; + } ++ } else { ++ qWarning() << "Creating an offscreen context failed"; ++ return; + } + + // access DBus to have the socket open + QDBusConnection::sessionBus(); ++ return; + + // default action: allow + // we cannot use a whitelist approach of syscalls +-- +2.25.1 + diff --git a/kscreenlocker.changes b/kscreenlocker.changes index ddd7ea2..1858de3 100644 --- a/kscreenlocker.changes +++ b/kscreenlocker.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Jul 24 11:24:06 UTC 2020 - Fabian Vogt + +- Add patch to disable the seccomp sandbox (boo#1174448): + * 0001-Disable-the-seccomp-sandbox.patch + ------------------------------------------------------------------- Tue Jul 7 12:38:54 UTC 2020 - Fabian Vogt diff --git a/kscreenlocker.spec b/kscreenlocker.spec index 2a8a4d7..62c3037 100644 --- a/kscreenlocker.spec +++ b/kscreenlocker.spec @@ -32,6 +32,8 @@ Source1: https://download.kde.org/stable/plasma/%{version}/kscreenlocker- Source2: plasma.keyring %endif Source3: kde +# PATCH-FIX-UPSTREAM (kind of, https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/9) +Patch1: 0001-Disable-the-seccomp-sandbox.patch BuildRequires: cmake >= 2.8.12 BuildRequires: extra-cmake-modules >= 1.8.0 BuildRequires: kf5-filesystem @@ -86,8 +88,9 @@ Requires: cmake(Qt5X11Extras) >= 5.5.0 Development files for Library and components for secure lock screen architecture. %lang_package + %prep -%setup -q -n %{name}-%{version} +%autosetup -p1 -n %{name}-%{version} %build %cmake_kf5 -d build -- -DKDE4_COMMON_PAM_SERVICE=kde -DCMAKE_INSTALL_LOCALEDIR=%{_kf5_localedir}