Accepting request 822683 from home:Vogtinator:boo1174448

- Add patch to disable the seccomp sandbox (boo#1174448):
  * 0001-Disable-the-seccomp-sandbox.patch

OBS-URL: https://build.opensuse.org/request/show/822683
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kscreenlocker?expand=0&rev=225
This commit is contained in:
Christophe Giboudeaux 2020-07-26 19:02:14 +00:00 committed by Git OBS Bridge
parent fe42db7f5e
commit 779a07eba3
3 changed files with 61 additions and 1 deletions

View File

@ -0,0 +1,51 @@
From cd2d031b191c6b4e6a0eb4bd51ed8b2c72c21f76 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Fri, 24 Jul 2020 13:22:50 +0200
Subject: [PATCH] Disable the seccomp sandbox
References: boo#1174448
In the referenced bug, it somehow fails to make the created context current,
so no GL vendor detection is performed and it is assumed to not be Nvidia
or on Wayland. This breaks rendering.
While it would be enough to only disable the sandbox in this particular case,
it's planned to drop sandboxing anyway
(https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/9) so just do the
same here, just in a simpler way with less side effects.
---
greeter/seccomp_filter.cpp | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/greeter/seccomp_filter.cpp b/greeter/seccomp_filter.cpp
index bca3001..8e2f156 100644
--- a/greeter/seccomp_filter.cpp
+++ b/greeter/seccomp_filter.cpp
@@ -28,6 +28,7 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
#include <QDBusConnection>
#include <QOpenGLContext>
#include <QOffscreenSurface>
+#include <QDebug>
#include <seccomp.h>
#include <sys/socket.h>
@@ -62,11 +63,18 @@ void init()
else if (gl->isSoftwareEmulation() && KWindowSystem::isPlatformWayland()) {
createSupported = writeSupported = false;
}
+ } else {
+ qWarning() << "Making the context current failed";
+ return;
}
+ } else {
+ qWarning() << "Creating an offscreen context failed";
+ return;
}
// access DBus to have the socket open
QDBusConnection::sessionBus();
+ return;
// default action: allow
// we cannot use a whitelist approach of syscalls
--
2.25.1

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Jul 24 11:24:06 UTC 2020 - Fabian Vogt <fabian@ritter-vogt.de>
- Add patch to disable the seccomp sandbox (boo#1174448):
* 0001-Disable-the-seccomp-sandbox.patch
-------------------------------------------------------------------
Tue Jul 7 12:38:54 UTC 2020 - Fabian Vogt <fabian@ritter-vogt.de>

View File

@ -32,6 +32,8 @@ Source1: https://download.kde.org/stable/plasma/%{version}/kscreenlocker-
Source2: plasma.keyring
%endif
Source3: kde
# PATCH-FIX-UPSTREAM (kind of, https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/9)
Patch1: 0001-Disable-the-seccomp-sandbox.patch
BuildRequires: cmake >= 2.8.12
BuildRequires: extra-cmake-modules >= 1.8.0
BuildRequires: kf5-filesystem
@ -86,8 +88,9 @@ Requires: cmake(Qt5X11Extras) >= 5.5.0
Development files for Library and components for secure lock screen architecture.
%lang_package
%prep
%setup -q -n %{name}-%{version}
%autosetup -p1 -n %{name}-%{version}
%build
%cmake_kf5 -d build -- -DKDE4_COMMON_PAM_SERVICE=kde -DCMAKE_INSTALL_LOCALEDIR=%{_kf5_localedir}