From 69975cf67c69c10a78c34b9f89c7d2132bc4f9b80b4bbbb2cd08c49085f7df26 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Mon, 28 Sep 2020 10:46:37 +0000
Subject: [PATCH 1/3] - U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch, U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch, U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch, U_Revert-linux-Make-platform-device-probe-less-fragile.patch * fix Xserver startup on Raspberry Pi 3 (boo#1176203)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=778
---
...probing-a-non-PCI-platform-device-on.patch | 31 ++++
...-platform-device-PCI-detection-for-c.patch | 40 ++++++
...-platform-device-probe-for-DT-based-.patch | 60 ++++++++
...e-platform-device-probe-less-fragile.patch | 132 ++++++++++++++++++
xorg-x11-server.changes | 9 ++
xorg-x11-server.spec | 9 ++
6 files changed, 281 insertions(+)
create mode 100644 U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
create mode 100644 U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch
create mode 100644 U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch
create mode 100644 U_Revert-linux-Make-platform-device-probe-less-fragile.patch
diff --git a/U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch b/U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
new file mode 100644
index 0000000..7d2f56f
--- /dev/null
+++ b/U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
@@ -0,0 +1,31 @@
+From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001
+From: Eric Anholt
+Date: Fri, 26 Oct 2018 17:47:30 -0700
+Subject: [PATCH] Fix segfault on probing a non-PCI platform device on a system
+ with PCI.
+
+Some Broadcom set-top-box boards have PCI busses, but the GPU is still
+probed through DT. We would dereference a null busid here in that
+case.
+
+Signed-off-by: Eric Anholt
+---
+ hw/xfree86/common/xf86platformBus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
+index cef47da03..dadbac6c8 100644
+--- a/hw/xfree86/common/xf86platformBus.c
++++ b/hw/xfree86/common/xf86platformBus.c
+@@ -289,7 +289,7 @@ xf86platformProbe(void)
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ char *busid = xf86_platform_odev_attributes(i)->busid;
+
+- if (pci && (strncmp(busid, "pci:", 4) == 0)) {
++ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) {
+ platform_find_pci_info(&xf86_platform_devices[i], busid);
+ }
+
+--
+2.16.4
+
diff --git a/U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch b/U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch
new file mode 100644
index 0000000..30fac1b
--- /dev/null
+++ b/U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch
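Review bot: The new `busid &&` test in xf86platformProbe has no comment saying when `busid` is NULL; the reason is given only in the commit message (a GPU probed through DT on a system that also has PCI). A one-line comment above the `if` would keep the guard from being dropped in a later cleanup, for example `/* busid is NULL for platform devices that were not enumerated via PCI (e.g. DT-probed GPUs) */`. The loop body continues outside the hunk, so any other reader of `busid` in this function is not visible here and should be checked for the same assumption.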
@@ -0,0 +1,40 @@
+From 39cb95e959fab97a7e255dda1a1599b096fb0f7e Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 8 Sep 2020 10:03:11 +0200
+Subject: [PATCH] Revert "linux: Fix platform device PCI detection for complex
+ bus topologies"
+
+This reverts commit 5c96eb5f44e62a4cfe835023cde304eb5795b8fd.
+
+https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068
+---
+ config/udev.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index 14409549b..8c6c4b666 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -470,7 +470,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
+ config_odev_probe_proc_ptr probe_callback)
+ {
+ struct OdevAttributes *attribs = config_odev_allocate_attributes();
+- const char *value, *str;
++ const char *value;
+
+ attribs->path = XNFstrdup(path);
+ attribs->syspath = XNFstrdup(syspath);
+@@ -478,8 +478,8 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
+ attribs->minor = minor;
+
+ value = udev_device_get_property_value(udev_device, "ID_PATH");
+- if (value && (str = strstr(value, "pci-"))) {
+- attribs->busid = XNFstrdup(str);
++ if (value && !strncmp(value, "pci-", 4)) {
++ attribs->busid = XNFstrdup(value);
+ attribs->busid[3] = ':';
+ }
+
+--
+2.16.4
+
diff --git a/U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch b/U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch
new file mode 100644
index 0000000..62a510d
--- /dev/null
+++ b/U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch
@@ -0,0 +1,60 @@
+From 4b6fce5975c2f931a0478cf4deeec97529b05eb6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 8 Sep 2020 10:01:55 +0200
+Subject: [PATCH] Revert "linux: Fix platform device probe for DT-based PCI"
+
+This reverts commit 249a12c54a9316b089bd22683c011519348496df.
+
+https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068
+---
+ config/udev.c | 27 +--------------------------
+ 1 file changed, 1 insertion(+), 26 deletions(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index b00d90237..14409549b 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -464,31 +464,6 @@ config_udev_fini(void)
+
+ #ifdef CONFIG_UDEV_KMS
+
+-/* Find the last occurrence of the needle in haystack */
+-static char *strrstr(const char *haystack, const char *needle)
+-{
+- char *prev, *last, *tmp;
+-
+- prev = strstr(haystack, needle);
+- if (!prev)
+- return NULL;
+-
+- last = prev;
+- tmp = prev + 1;
+-
+- while (tmp) {
+- last = strstr(tmp, needle);
+- if (!last)
+- return prev;
+- else {
+- prev = last;
+- tmp = prev + 1;
+- }
+- }
+-
+- return last;
+-}
+-
+ static void
+ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
+ int major, int minor,
+@@ -503,7 +478,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
+ attribs->minor = minor;
+
+ value = udev_device_get_property_value(udev_device, "ID_PATH");
+- if (value && (str = strrstr(value, "pci-"))) {
++ if (value && (str = strstr(value, "pci-"))) {
+ attribs->busid = XNFstrdup(str);
+ attribs->busid[3] = ':';
+ }
+--
+2.16.4
+
diff --git a/U_Revert-linux-Make-platform-device-probe-less-fragile.patch b/U_Revert-linux-Make-platform-device-probe-less-fragile.patch
new file mode 100644
index 0000000..4e9e791
--- /dev/null
+++ b/U_Revert-linux-Make-platform-device-probe-less-fragile.patch
@@ -0,0 +1,132 @@
+From af4c84ce8855e84c0ad89b929bc972e884f0b8e3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 8 Sep 2020 10:03:33 +0200
+Subject: [PATCH] Revert "linux: Make platform device probe less fragile"
+
+This reverts commit 74b7427c41b4e4104af7abf70a996c086d3d7628.
+
+https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068
+---
+ config/udev.c | 17 +++++------------
+ hw/xfree86/os-support/linux/lnx_platform.c | 20 ++++++++++++++++++--
+ 2 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index 8c6c4b666..3a73189e2 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -56,7 +56,7 @@ static struct udev_monitor *udev_monitor;
+
+ #ifdef CONFIG_UDEV_KMS
+ static void
+-config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
++config_udev_odev_setup_attribs(const char *path, const char *syspath,
+ int major, int minor,
+ config_odev_probe_proc_ptr probe_callback);
+ #endif
+@@ -128,7 +128,7 @@ device_added(struct udev_device *udev_device)
+
+ LogMessage(X_INFO, "config/udev: Adding drm device (%s)\n", path);
+
+- config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
++ config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ minor(devnum), NewGPUDeviceRequest);
+ return;
+ }
+@@ -322,7 +322,7 @@ device_removed(struct udev_device *device)
+
+ LogMessage(X_INFO, "config/udev: removing GPU device %s %s\n",
+ syspath, path);
+- config_udev_odev_setup_attribs(device, path, syspath, major(devnum),
++ config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ minor(devnum), DeleteGPUDeviceRequest);
+ /* Retry vtenter after a drm node removal */
+ systemd_logind_vtenter();
+@@ -465,24 +465,17 @@ config_udev_fini(void)
+ #ifdef CONFIG_UDEV_KMS
+
+ static void
+-config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
++config_udev_odev_setup_attribs(const char *path, const char *syspath,
+ int major, int minor,
+ config_odev_probe_proc_ptr probe_callback)
+ {
+ struct OdevAttributes *attribs = config_odev_allocate_attributes();
+- const char *value;
+
+ attribs->path = XNFstrdup(path);
+ attribs->syspath = XNFstrdup(syspath);
+ attribs->major = major;
+ attribs->minor = minor;
+
+- value = udev_device_get_property_value(udev_device, "ID_PATH");
+- if (value && !strncmp(value, "pci-", 4)) {
+- attribs->busid = XNFstrdup(value);
+- attribs->busid[3] = ':';
+- }
+-
+ /* ownership of attribs is passed to probe layer */
+ probe_callback(attribs);
+ }
+@@ -523,7 +516,7 @@ config_udev_odev_probe(config_odev_probe_proc_ptr probe_callback)
+ else if (!check_seat(udev_device))
+ goto no_probe;
+
+- config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
++ config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ minor(devnum), probe_callback);
+ no_probe:
+ udev_device_unref(udev_device);
+diff --git a/hw/xfree86/os-support/linux/lnx_platform.c b/hw/xfree86/os-support/linux/lnx_platform.c
+index e62306219..70374ace8 100644
+--- a/hw/xfree86/os-support/linux/lnx_platform.c
++++ b/hw/xfree86/os-support/linux/lnx_platform.c
+@@ -23,13 +23,13 @@
+ static Bool
+ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
+ {
++ drmSetVersion sv;
+ drmVersionPtr v;
++ char *buf;
+ int fd;
+ int err = 0;
+ Bool paused, server_fd = FALSE;
+
+- LogMessage(X_INFO, "Platform probe for %s\n", attribs->syspath);
+-
+ fd = systemd_logind_take_fd(attribs->major, attribs->minor, path, &paused);
+ if (fd != -1) {
+ if (paused) {
+@@ -48,6 +48,18 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
+ if (fd == -1)
+ return FALSE;
+
++ sv.drm_di_major = 1;
++ sv.drm_di_minor = 4;
++ sv.drm_dd_major = -1; /* Don't care */
++ sv.drm_dd_minor = -1; /* Don't care */
++
++ err = drmSetInterfaceVersion(fd, &sv);
++ if (err) {
++ xf86Msg(X_ERROR, "%s: failed to set DRM interface version 1.4: %s\n",
++ path,
strerror(-err));
++ goto out;
++ }
++
+ /* for a delayed probe we've already added the device */
+ if (delayed_index == -1) {
+ xf86_add_platform_device(attribs, FALSE);
+@@ -57,6 +69,10 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
+ if (server_fd)
+ xf86_platform_devices[delayed_index].flags |= XF86_PDEV_SERVER_FD;
+
++ buf = drmGetBusid(fd);
++ xf86_platform_odev_attributes(delayed_index)->busid = XNFstrdup(buf);
++ drmFreeBusid(buf);
++
+ v = drmGetVersion(fd);
+ if (!v) {
+ xf86Msg(X_ERROR, "%s: failed to query DRM version\n", path);
+--
+2.16.4
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index cdff067..3d8f086 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch
+
+- U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch,
+ U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch,
+ U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch,
+ U_Revert-linux-Make-platform-device-probe-less-fragile.patch
+ * fix Xserver startup on Raspberry Pi 3 (boo#1176203)
+
 -------------------------------------------------------------------
 Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index c176aa3..d94788e 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -251,6 +251,11 @@ Patch1505: U_xwayland-Allow-passing-a-fd.patch Patch1600: U_glamor_egl-Reject-OpenGL-2.1-early-on.patch Patch1700: U_xfree86_take_second_ref_for_xcursor.patch +Patch1801: U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch +Patch1802: U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch +Patch1803: U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch +Patch1804: U_Revert-linux-Make-platform-device-probe-less-fragile.patch + %description This package contains the X.Org Server.
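Review bot: In the restored get_drm_info code, `buf = drmGetBusid(fd);` is handed to `XNFstrdup(buf)` and stored in `busid` without a check, so a missing bus id presumably leaves `busid` NULL for every later reader. That is the case the `busid &&` guard added by U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch protects against, so the two patches depend on each other and the spec should never apply this revert without that fix. I would record it at the assignment with a comment such as `/* busid may be NULL for non-PCI devices; xf86platformProbe() checks before use */`. The function body starts and ends outside the visible hunks, so the `out:` label reached by the new `goto out` cannot be checked from here.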
@@ -400,6 +405,10 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1505 -p1 %patch1600 -p1 %patch1700 -p1 +%patch1801 -p1 +%patch1802 -p1 +%patch1803 -p1 +%patch1804 -p1 %build %define _lto_cflags %{nil} From b7ed2575925a6a94274496ccdf2486bf1ccb637ff2cfbe07a85460a83bd9764f Mon Sep 17 00:00:00 2001 
From: Stefan Dirsch Date: Wed, 30 Sep 2020 01:44:07 +0000 Subject: [PATCH 2/3] Accepting request 838619 from home:sndirsch:branches:X11:XOrg - u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch * replaced by improved version written by Matthias Gerstner of our security team + simplified the option parsing code a bit + changed the "ignore forbidden argument" logic into an "abort on forbidden argument" logic. This is safer and avoids surprises on the user's end that could occur if the desired command line arguments aren't effective but the Xorg server is still started. + tried to adjust to the coding style present in the file (mostly the function name) + added some logic to apply the option filtering only to non-root users when Xorg is actually started as root. This should allow for full flexibility if root calls the wrapper or if the Xorg server only runs with user privileges. - n_xorg-wrapper-rename-Xorg.patch * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) - change default for needs_root_rights to auto in Xwrapper.config (boo#1175867) - reenabled SUID wrapper for TW (boo#1175867) - u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch * Xserver option whitelist filter (boo#1175867) OBS-URL: https://build.opensuse.org/request/show/838619 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=779 --- n_xorg-wrapper-rename-Xorg.patch | 20 ++++ ...per-Xserver-Options-Whitelist-Filter.patch | 96 +++++++++++++++++++ xorg-x11-server.changes | 34 +++++++ xorg-x11-server.spec | 49 +++++++--- 4 files changed, 184 insertions(+), 15 deletions(-) create mode 100644 n_xorg-wrapper-rename-Xorg.patch create mode 100644 u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch diff --git a/n_xorg-wrapper-rename-Xorg.patch b/n_xorg-wrapper-rename-Xorg.patch new file mode 100644 index 0000000..4563665 --- /dev/null +++ b/n_xorg-wrapper-rename-Xorg.patch 
@@ -0,0 +1,20 @@
+--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old 2020-09-24 03:16:27.270885000 +0200
++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-24 03:18:42.047597000 +0200
+@@ -375,7 +375,7 @@ int main(int argc, char *argv[])
+ }
+ }
+
+- snprintf(buf, sizeof(buf), "%s/Xorg", SUID_WRAPPER_DIR);
++ snprintf(buf, sizeof(buf), "%s/Xorg.bin", SUID_WRAPPER_DIR);
+
+ /* Check if the server is executable by our real uid */
+ if (access(buf, X_OK) != 0) {
+--- xserver-1.20.9/hw/xfree86/Xorg.sh.in.orig 2020-09-24 03:36:20.690412000 +0200
++++ xserver-1.20.9/hw/xfree86/Xorg.sh.in 2020-09-24 03:36:37.594497000 +0200
+@@ -7,5 +7,5 @@
+ if [ -x "$basedir"/Xorg.wrap ]; then
+ exec "$basedir"/Xorg.wrap "$@"
+ else
+- exec "$basedir"/Xorg "$@"
++ exec "$basedir"/Xorg.bin "$@"
+ fi
diff --git a/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
new file mode 100644
index 0000000..6fb7b47
--- /dev/null
+++ b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
@@ -0,0 +1,96 @@ +--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c ++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-29 12:52:59.256970275 +0200 +@@ -191,6 +191,60 @@ + return 0; + } + ++static int check_vt_range(long int vt) ++{ ++ if (vt >= 2 && vt <= 7 ) { ++ return 1; ++ } ++ ++ return 0; ++} ++ ++/* Xserver option whitelist filter (boo#1175867) */ ++static int option_filter(int argc, char* argv[]){ ++ ++ for(int pos=1; pos + +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * replaced by improved version written by Matthias Gerstner of + our security team + + simplified the option parsing code a bit + + changed the "ignore forbidden argument" logic into an "abort + on forbidden argument" logic. This is safer and avoids + surprises on the user's end that could occur if the desired + command line arguments aren't effective but the Xorg server is + still started. + + tried to adjust to the coding style present in the file + (mostly the function name) + + added some logic to apply the option filtering only to + non-root users when Xorg is actually started as root. This + should allow for full flexibility if root calls the wrapper or + if the Xorg server only runs with user privileges. + ------------------------------------------------------------------- Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch 
@@ -7,6 +26,21 @@ Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch U_Revert-linux-Make-platform-device-probe-less-fragile.patch * fix Xserver startup on Raspberry Pi 3 (boo#1176203) +------------------------------------------------------------------- +Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch + +- n_xorg-wrapper-rename-Xorg.patch + * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) +- change default for needs_root_rights to auto in Xwrapper.config + (boo#1175867) + +------------------------------------------------------------------- +Wed Sep 16 10:54:32 UTC 2020 - Stefan Dirsch + +- reenabled SUID wrapper for TW (boo#1175867) +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * Xserver option whitelist filter (boo#1175867) + ------------------------------------------------------------------- Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index d94788e..04a6743 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -26,19 +26,18 @@ %define have_wayland 1 %endif -%define build_suid_wrapper 0 - -%if 0%{!?build_suid_wrapper:1} -%ifarch s390 s390x -%define build_suid_wrapper 0 -%else -%if 0%{?suse_version} >= 1330 %define build_suid_wrapper 1 -%define suid_wrapper_dir %{_libexecdir} -%else -%define build_suid_wrapper 0 -%endif -%endif + +%if 0%{?build_suid_wrapper:1} + %ifarch s390 s390x + %define build_suid_wrapper 0 + %else + %if 0%{?suse_version} >= 1550 + %define suid_wrapper_dir %{_bindir} + %else + %define build_suid_wrapper 0 + %endif + %endif %endif Name: xorg-x11-server 
@@ -213,6 +212,8 @@ Patch6: N_fix-dpi-values.diff Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch +Patch10: u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch +Patch11: n_xorg-wrapper-rename-Xorg.patch Patch100: u_01-Improved-ConfineToShape.patch Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch # PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions @@ -305,8 +306,6 @@ Summary: Xserver SUID Wrapper Group: System/X11/Servers/XF86_4 PreReq: permissions Requires: xorg-x11-server == %{version} -Provides: xorg-x11-server-wayland = 7.6_%{version} -Obsoletes: xorg-x11-server-wayland < 7.6_%{version} %description wrapper This package contains an SUID wrapper for the Xserver. @@ -377,6 +376,8 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 # %patch100 -p1 #%patch101 -p1 @@ -493,6 +494,12 @@ chmod u-s %{buildroot}%{_bindir}/Xorg %__mkdir_p %{buildroot}%{pci_ids_dir} install -m 644 %{S:6} %{buildroot}%{pci_ids_dir} %endif +%if 0%{?build_suid_wrapper} == 1 +mv %{buildroot}%{_bindir}/Xorg \ + %{buildroot}%{_bindir}/Xorg.bin +mv %{buildroot}%{_bindir}/Xorg.sh \ + %{buildroot}%{_bindir}/Xorg +%endif ln -snf Xorg %{buildroot}%{_bindir}/X %if 0%{?suse_version} > 1120 %{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d 
@@ -536,6 +543,16 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module mkdir -p %{buildroot}/usr/src/xserver xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list +%if 0%{?build_suid_wrapper} == 1 +mkdir -p %{buildroot}%{_sysconfdir}/X11 +cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF +# rootonly, console, anybody +allowed_users=anybody +# yes, no, auto +needs_root_rights=auto +EOF +%endif + %post %tmpfiles_create xbb.conf %ifnarch s390 s390x @@ -616,7 +633,7 @@ fi %ifnarch s390 s390x %{_bindir}/Xorg %if 0%{?build_suid_wrapper} == 1 -%{suid_wrapper_dir}/Xorg +%{_bindir}/Xorg.bin %endif %{_bindir}/X @@ -641,6 +658,8 @@ fi %files wrapper %defattr(-,root,root) %attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap +%dir %{_sysconfdir}/X11 +%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config %endif %files extra From 3d14f5f1e6c900fe26e9436897f67181fafda73c513c35647b1114f045de5db9 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Wed, 30 Sep 2020 10:40:49 +0000 Subject: [PATCH 3/3] - n_xorg-wrapper-anybody.patch * replace default config /etc/X11/Xwrapper, which allows anybody to use the wrapper, by a patch for the code, i.e. # rootonly, console, anybody allowed_users=anybody # yes, no, auto needs_root_rights=auto is now the default without any Xwrapper config (needs_root_rights=auto was already the default before) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=780 --- n_xorg-wrapper-anybody.patch | 11 +++++++++++ xorg-x11-server.changes | 13 +++++++++++++ xorg-x11-server.spec | 14 ++------------ 3 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 n_xorg-wrapper-anybody.patch diff --git a/n_xorg-wrapper-anybody.patch b/n_xorg-wrapper-anybody.patch new file mode 100644 index 0000000..552762e --- /dev/null +++ b/n_xorg-wrapper-anybody.patch 
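Review bot: In the `%files wrapper` hunk, `Xwrapper.config` is packaged as plain `%config`, so an administrator who tightens `allowed_users` can have the file replaced by the packaged default on an update that changes the shipped file, with the edited copy kept only as `.rpmsave`. For a file that decides who may run the setuid-root `Xorg.wrap` (`%attr(4755,root,root)`), `%config(noreplace)` is the safer marking: `%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/X11/Xwrapper.config`. The heredoc in the install hunk also ships `allowed_users=anybody`, the most permissive of the three values its own comment lists, without saying why; a comment line in the generated file naming boo#1175867 would help whoever audits it.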
@@ -0,0 +1,11 @@
+--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old 2020-09-30 12:25:12.757532000 +0200
++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-30 12:27:12.809554000 +0200
+@@ -254,7 +254,7 @@ int main(int argc, char *argv[])
+ int i, r, fd;
+ int kms_cards = 0;
+ int total_cards = 0;
+- int allowed = CONSOLE_ONLY;
++ int allowed = ANYBODY;
+ int needs_root_rights = -1;
+ char *const empty_envp[1] = { NULL, };
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 0ef5cee..afbcc42 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Sep 30 10:30:06 UTC 2020 - Stefan Dirsch
+
+- n_xorg-wrapper-anybody.patch
+ * replace default config /etc/X11/Xwrapper, which allows
+ anybody to use the wrapper, by a patch for the code, i.e.
+ # rootonly, console, anybody
+ allowed_users=anybody
+ # yes, no, auto
+ needs_root_rights=auto
+ is now the default without any Xwrapper config
+ (needs_root_rights=auto was already the default before)
+
 -------------------------------------------------------------------
 Tue Sep 29 14:47:48 UTC 2020 - Stefan Dirsch
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 04a6743..c8bb9dd 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -214,6 +214,7 @@ Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
 Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch
 Patch10: u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
 Patch11: n_xorg-wrapper-rename-Xorg.patch
+Patch12: n_xorg-wrapper-anybody.patch
 Patch100: u_01-Improved-ConfineToShape.patch
 Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
 # PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
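Review bot: `int allowed = ANYBODY;` changes the compiled-in default of the setuid wrapper from `CONSOLE_ONLY` to every local user, and nothing in the patch says so: the file has no header and the changed line has no comment. With this default and no `Xwrapper.config` shipped any more, the option whitelist added by u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch is the only restriction left for non-root callers, so the two patches must be kept and dropped together. I would add a patch header naming boo#1175867 and a comment on the line, for example `/* openSUSE default; relies on option_filter(). Set allowed_users=console in Xwrapper.config to restrict. */`. The package documentation should also say that `allowed_users=console` or `rootonly` in `/etc/X11/Xwrapper.config` presumably still overrides this default, since the spec no longer installs a sample file. main() continues outside the hunk.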
@@ -378,6 +379,7 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # %patch100 -p1 #%patch101 -p1 @@ -543,16 +545,6 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module mkdir -p %{buildroot}/usr/src/xserver xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list -%if 0%{?build_suid_wrapper} == 1 -mkdir -p %{buildroot}%{_sysconfdir}/X11 -cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF -# rootonly, console, anybody -allowed_users=anybody -# yes, no, auto -needs_root_rights=auto -EOF -%endif - %post %tmpfiles_create xbb.conf %ifnarch s390 s390x @@ -658,8 +650,6 @@ fi %files wrapper %defattr(-,root,root) %attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap -%dir %{_sysconfdir}/X11 -%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config %endif %files extra