├── flatpak
│   ├── apulse
│   │   ├── version
│   │   ├── depends
│   │   ├── sources
│   │   ├── checksums
│   │   └── build
│   ├── flatpak
│   │   ├── version
│   │   ├── depends
│   │   ├── sources
│   │   ├── checksums
│   │   ├── patches
│   │   │   ├── fix-musl.patch
│   │   │   ├── bubblewrap-musl.patch
│   │   │   ├── flatpak-alsa.patch
│   │   │   └── no-libcap.patch
│   │   └── build
│   ├── gpgme
│   │   ├── version
│   │   ├── depends
│   │   ├── sources
│   │   ├── checksums
│   │   └── build
│   ├── libassuan
│   │   ├── version
│   │   ├── depends
│   │   ├── sources
│   │   ├── checksums
│   │   └── build
│   ├── ostree
│   │   ├── version
│   │   ├── depends
│   │   ├── sources
│   │   ├── checksums
│   │   └── build
│   └── appstream-glib
│       ├── version
│       ├── depends
│       ├── sources
│       ├── checksums
│       ├── build
│       └── patches
│           └── no-uuid.patch
├── README.md
└── LICENSE.md

--------------------------------------------------------------------------------
/flatpak/apulse/version:
--------------------------------------------------------------------------------
0.1.13 1
--------------------------------------------------------------------------------
/flatpak/flatpak/version:
--------------------------------------------------------------------------------
1.8.1 1
--------------------------------------------------------------------------------
/flatpak/gpgme/version:
--------------------------------------------------------------------------------
1.14.0 1
--------------------------------------------------------------------------------
/flatpak/libassuan/version:
--------------------------------------------------------------------------------
2.5.3 1
--------------------------------------------------------------------------------
/flatpak/ostree/version:
--------------------------------------------------------------------------------
2020.4 1
--------------------------------------------------------------------------------
/flatpak/appstream-glib/version:
--------------------------------------------------------------------------------
0.7.17 1
--------------------------------------------------------------------------------
/flatpak/libassuan/depends:
--------------------------------------------------------------------------------
libgpg-error
--------------------------------------------------------------------------------
/flatpak/ostree/depends:
--------------------------------------------------------------------------------
bison
e2fsprogs
--------------------------------------------------------------------------------
/flatpak/apulse/depends:
--------------------------------------------------------------------------------
alsa-lib
cmake make
--------------------------------------------------------------------------------
/flatpak/gpgme/depends:
--------------------------------------------------------------------------------
libassuan
libgpg-error
--------------------------------------------------------------------------------
/flatpak/apulse/sources:
--------------------------------------------------------------------------------
https://github.com/i-rinat/apulse/archive/v0.1.13.tar.gz
--------------------------------------------------------------------------------
/flatpak/gpgme/sources:
--------------------------------------------------------------------------------
https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.14.0.tar.bz2
--------------------------------------------------------------------------------
/flatpak/libassuan/sources:
--------------------------------------------------------------------------------
https://gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.3.tar.bz2
--------------------------------------------------------------------------------
/flatpak/appstream-glib/depends:
--------------------------------------------------------------------------------
gdk-pixbuf
gtk+3
cmake
glib
gperf
libarchive
libsoup
--------------------------------------------------------------------------------
/flatpak/apulse/checksums:
--------------------------------------------------------------------------------
9234ec4e10e408b9c01d5f4ea768ad1fc15494217c932db2c435202a9c7b5efd v0.1.13.tar.gz
--------------------------------------------------------------------------------
/flatpak/ostree/sources:
--------------------------------------------------------------------------------
https://github.com/ostreedev/ostree/releases/download/v2020.4/libostree-2020.4.tar.xz
--------------------------------------------------------------------------------
/flatpak/gpgme/checksums:
--------------------------------------------------------------------------------
cef1f710a6b0d28f5b44242713ad373702d1466dcbe512eb4e754d7f35cd4307 gpgme-1.14.0.tar.bz2
--------------------------------------------------------------------------------
/flatpak/ostree/checksums:
--------------------------------------------------------------------------------
360d261205882a7d1f8f30bd456da2bc90a93e1129b124136b21977eb3642368 libostree-2020.4.tar.xz
--------------------------------------------------------------------------------
/flatpak/libassuan/checksums:
--------------------------------------------------------------------------------
91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 libassuan-2.5.3.tar.bz2
--------------------------------------------------------------------------------
/flatpak/libassuan/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

./configure \
    --prefix=/usr

make
make DESTDIR="$1" install
--------------------------------------------------------------------------------
/flatpak/appstream-glib/sources:
--------------------------------------------------------------------------------
https://github.com/hughsie/appstream-glib/archive/appstream_glib_0_7_17.tar.gz
patches/no-uuid.patch
--------------------------------------------------------------------------------
/flatpak/flatpak/depends:
--------------------------------------------------------------------------------
appstream-glib
gdk-pixbuf
glib
gpgme
gnupg1
libarchive
libsoup
libxml2
ostree
python
--------------------------------------------------------------------------------
/flatpak/appstream-glib/checksums:
--------------------------------------------------------------------------------
cb612c9e634275e574fa639737cf63711358cd10b9d0d377f70025653fefdd16 appstream_glib_0_7_17.tar.gz
9fd076d68cd78a6c737492714ac9e30ab9384bf4be6e657a23cb4e72f27af537 no-uuid.patch
--------------------------------------------------------------------------------
/flatpak/gpgme/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

./configure \
    --prefix=/usr \
    --disable-nls \
    --disable-gpg-test \
    --disable-gpgconf-test

make
make DESTDIR="$1" install
--------------------------------------------------------------------------------
/flatpak/ostree/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

./configure \
    --prefix=/usr \
    --disable-gtk-doc \
    --disable-man \
    --disable-rofiles-fuse

make
make DESTDIR="$1" install
--------------------------------------------------------------------------------
/flatpak/apulse/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

export DESTDIR="$1"

cmake -B build \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DCMAKE_INSTALL_LIBDIR=/usr/lib \
    -DCMAKE_SHARED_LIBS=True \
    -DCMAKE_BUILD_TYPE=Release

cmake --build build
cmake --install build
--------------------------------------------------------------------------------
/flatpak/flatpak/sources:
--------------------------------------------------------------------------------
https://github.com/flatpak/flatpak/releases/download/1.8.1/flatpak-1.8.1.tar.xz
https://github.com/pyparsing/pyparsing/releases/download/pyparsing_2.4.7/pyparsing-2.4.7.tar.gz pyparsing
patches/bubblewrap-musl.patch
patches/fix-musl.patch
patches/flatpak-alsa.patch
patches/no-libcap.patch
--------------------------------------------------------------------------------
/flatpak/appstream-glib/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

patch -p1 < no-uuid.patch

export DESTDIR="$1"

# Don't build tests.
sed -i "/subdir('tests')/d" meson.build

meson \
    --prefix=/usr \
    --sysconfdir=/etc \
    --mandir=/usr/share/man \
    -Ddep11=false \
    -Dman=false \
    -Dstemmer=false \
    -Dintrospection=false \
    -Drpm=false \
    . output

ninja -C output
ninja -C output install
--------------------------------------------------------------------------------
/flatpak/flatpak/checksums:
--------------------------------------------------------------------------------
66914b66f9a64079386cc097a40a19fa8419568df7fb456f2e407f0f76ac9ead flatpak-1.8.1.tar.xz
c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 pyparsing-2.4.7.tar.gz
1f9f2f55965041953ce0ed4e436e181d73f8decc36457a923c6bc42442718da1 bubblewrap-musl.patch
c2e8b0430715aa8d1a43be79d8279e1cd088a925ba6d375b0707aeda3f5408d2 fix-musl.patch
f3e72d0994f3f2ef678e90c14de652fc44e10bdc0dd2d0d7da7d9bab580aa288 flatpak-alsa.patch
f5c88cbb5597f70f1bad07f6f50332850e8c37aceb7a3d8e5e735b1ae4a40418 no-libcap.patch
--------------------------------------------------------------------------------
/flatpak/flatpak/patches/fix-musl.patch:
--------------------------------------------------------------------------------
1 | --- a/config.h.in 2 | +++ b/config.h.in 3 |
@@ -140,3 +140,14 @@ 4 | 5 | /* Define to 1 if you need to in order for `stat' and other things to work. */ 6 | #undef _POSIX_SOURCE 7 | + 8 | +/* taken from glibc unistd.h and fixes musl */ 9 | +#ifndef TEMP_FAILURE_RETRY 10 | +#define TEMP_FAILURE_RETRY(expression) \ 11 | + (__extension__ \ 12 | + ({ long int __result; \ 13 | + do __result = (long int) (expression); \ 14 | + while (__result == -1L && errno == EINTR); \ 15 | + __result; })) 16 | +#endif 17 | + 18 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# flatpak for kiss

INSTRUCTIONS

```
# NOTE: You must have user namespaces enabled in your kernel.
-> CONFIG_USER_NS=y

# NOTE: The community repository must also be enabled.
-> git clone https://github.com/dylanaraps/kiss-flatpak
-> export KISS_PATH=/path/to/kiss-flatpak/flatpak:$KISS_PATH

-> kiss b flatpak
-> kiss i flatpak

-> flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-> flatpak install --user gimp
-> flatpak run --user org.gimp.GIMP
```

ISSUES

- [ ] No audio in flatpaks expecting a running PulseAudio server on the host.

OTHER FLATPAK REPOSITORIES

- https://flatpak.citra-emu.org/
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2020 Dylan Araps

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/flatpak/flatpak/patches/bubblewrap-musl.patch:
--------------------------------------------------------------------------------
1 | add normpath(), originally written for xbps. 2 | diff --git bind-mount.c.orig bind-mount.c 3 | index 045fa0e..d05b540 100644 4 | --- a/bubblewrap/bind-mount.c.orig 5 | +++ b/bubblewrap/bind-mount.c 6 |
@@ -23,6 +23,28 @@ 7 | #include "utils.h" 8 | #include "bind-mount.h" 9 | 10 | +#ifndef __GLIBC__ 11 | +static char * 12 | +normpath(char *path) 13 | +{ 14 | + char *seg = NULL, *p = NULL; 15 | + 16 | + for (p = path, seg = NULL; *p; p++) { 17 | + if (strncmp(p, "/../", 4) == 0 || strncmp(p, "/..", 4) == 0) { 18 | + memmove(seg ? seg : p, p+3, strlen(p+3) + 1); 19 | + return normpath(path); 20 | + } else if (strncmp(p, "/./", 3) == 0 || strncmp(p, "/.", 3) == 0) { 21 | + memmove(p, p+2, strlen(p+2) + 1); 22 | + } else if (strncmp(p, "//", 2) == 0 || strncmp(p, "/", 2) == 0) { 23 | + memmove(p, p+1, strlen(p+1) + 1); 24 | + } 25 | + if (*p == '/') 26 | + seg = p; 27 | + } 28 | + return path; 29 | +} 30 | +#endif 31 | + 32 | static char * 33 | skip_token (char *line, bool eat_whitespace) 34 | { 35 | 
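Review bot: normpath() in this hunk is a purely lexical substitute for realpath() and does not give the same guarantee: it collapses "/./", "//" and "/../" segments but never resolves symlinks, so when it is used in place of a failed realpath() the destination handed to parse_mountinfo() can name a different mount-table entry than the one the kernel will actually use for the bind mount. Please document that limitation above the function and state that this path is reached only on non-glibc builds after realpath() has failed. Two smaller points: `strncmp(p, "/..", 4)` and `strncmp(p, "/", 2)` deliberately compare the terminating NUL to catch the end-of-string case and deserve a one-line comment saying so, and after the `memmove` for a "/../" segment the function restarts from the beginning via `return normpath(path);`, which is correct but quadratic in the number of ".." segments; continuing from `seg` would avoid the rescan.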
@@ -397,7 +419,11 @@ bind_mount (int proc_fd, 36 | path, so to find it in the mount table we need to do that too. */ 37 | resolved_dest = realpath (dest, NULL); 38 | if (resolved_dest == NULL) 39 | +#ifdef __GLIBC__ 40 | return 2; 41 | +#else 42 | + resolved_dest = normpath(strdup(dest)); 43 | +#endif 44 | 45 | mount_tab = parse_mountinfo (proc_fd, resolved_dest); 46 | if (mount_tab[0].mountpoint == NULL) 47 |
--------------------------------------------------------------------------------
/flatpak/flatpak/build:
--------------------------------------------------------------------------------
#!/bin/sh -e

for patch in *.patch; do
    patch -p1 < "$patch"
done

# Remove libcap dependency (used solely when bwrap is suid
# root). User namespaces are much better, should be used
# in place of libcap and are free.
sed -i 's/as_fn_error.*libcap/: "/g' configure
sed -i 's/as_fn_error.*capability\.h/: "/g' configure

# Remove fuse2 dependency (used solely by the root "system-helper"
# daemon for file transfer). Unneeded in our case, and dropping it
# also drops the old fuse version.
sed -i 's/as_fn_error.*fuse/: "/g' configure

# Turn the fuse2 filesystem into a C program which does nothing.
# This is the easiest way to "turn off" revokefs as there's
# no official support for doing so.
cat <<EOF > revokefs/main.c
int main() { return 0; }
EOF
: > revokefs/writer.c

# Install python-pyparsing which is solely needed for
# flatpak and thus contained in this build.
{
    cd pyparsing

    python3 setup.py build
    python3 setup.py install \
        --prefix=/usr \
        --root="$PWD/dist"

    # Use a glob to avoid having to figure out the Python
    # version for the path below.
    cd dist/usr/lib/python*/site-packages

    # Set the PYTHONPATH so python knows where to find pyparsing.
    # The one liner simply appends the existing path and
    # handles the case where an unset PYTHONPATH breaks
    # python as it will only contain our new addition.
    PYTHONPATH=$PWD:$(python -c "import sys; print(':'.join(sys.path))")

    cd -; cd ..
}

export PYTHONPATH

# --disable-seccomp builds without libseccomp, so sandboxed apps run
# without flatpak's syscall filter; --with-priv-mode=none installs
# bwrap unprivileged, relying on user namespaces alone.
./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --without-systemd \
    --disable-system-helper \
    --disable-nls \
    --disable-seccomp \
    --disable-sandboxed-triggers \
    --disable-documentation \
    --disable-introspection \
    --with-priv-mode=none

make
make DESTDIR="$1" install

# Remove dbus/systemd/libraries (unneeded stuff).
# This is a dumb warning which appears only when /usr/share does.
# shellcheck disable=2115
{
    rm -rf "$1/etc"
    rm -rf "$1/usr/share"
    rm -rf "$1/usr/lib"
    rm -rf "$1/usr/include"
    rm -f "$1/usr/libexec/revokefs-fuse"
}
--------------------------------------------------------------------------------
/flatpak/appstream-glib/patches/no-uuid.patch:
--------------------------------------------------------------------------------
1 | diff --git a/libappstream-glib/appstream-glib.pc.in b/libappstream-glib/appstream-glib.pc.in 2 | index 872d30d..60abcf6 100644 3 | --- a/libappstream-glib/appstream-glib.pc.in 4 | +++ b/libappstream-glib/appstream-glib.pc.in 5 | @@ -6,7 +6,7 @@ includedir=@includedir@ 6 | Name: appstream-glib 7 | Description: Objects and helper methods to help reading and writing AppStream metadata 8 | Version: @VERSION@ 9 | -Requires.private: libarchive uuid 10 | +Requires.private: libarchive 11 | Requires: glib-2.0, gobject-2.0, gdk-pixbuf-2.0 12 | Libs: -L${libdir} -lappstream-glib 13 | Cflags: -I${includedir}/libappstream-glib 14 | diff --git a/libappstream-glib/as-utils.c b/libappstream-glib/as-utils.c 15 | index 007a86b..35fd9d0 100644 16 | --- a/libappstream-glib/as-utils.c 17 |
+++ b/libappstream-glib/as-utils.c 18 | @@ -23,13 +23,6 @@ 19 | #include 20 | #include 21 | #include 22 | -#ifndef _WIN32 23 | -#ifdef __APPLE__ 24 | -#include 25 | -#else 26 | -#include 27 | -#endif 28 | -#endif 29 | 30 | #ifdef HAVE_RPM 31 | #include 32 | @@ -1531,53 +1524,7 @@ as_utils_guid_from_data (const gchar *namespace_id, 33 | gsize data_len, 34 | GError **error) 35 | { 36 | -#ifdef _WIN32 37 | - g_set_error_literal (error, 38 | - AS_UTILS_ERROR, 39 | - AS_UTILS_ERROR_FAILED, 40 | - "not supported"); 41 | return FALSE; 42 | -#else 43 | - gchar guid_new[37]; /* 36 plus NUL */ 44 | - gsize digestlen = 20; 45 | - guint8 hash[20]; 46 | - gint rc; 47 | - uuid_t uu_namespace; 48 | - uuid_t uu_new; 49 | - g_autoptr(GChecksum) csum = NULL; 50 | - 51 | - g_return_val_if_fail (namespace_id != NULL, FALSE); 52 | - g_return_val_if_fail (data != NULL, FALSE); 53 | - g_return_val_if_fail (data_len != 0, FALSE); 54 | - 55 | - /* convert the namespace to binary */ 56 | - rc = uuid_parse (namespace_id, uu_namespace); 57 | - if (rc != 0) { 58 | - g_set_error (error, 59 | - AS_UTILS_ERROR, 60 | - AS_UTILS_ERROR_FAILED, 61 | - "namespace '%s' is invalid", 62 | - namespace_id); 63 | - return FALSE; 64 | - } 65 | - 66 | - /* hash the namespace and then the string */ 67 | - csum = g_checksum_new (G_CHECKSUM_SHA1); 68 | - g_checksum_update (csum, (guchar *) uu_namespace, 16); 69 | - g_checksum_update (csum, (guchar *) data, (gssize) data_len); 70 | - g_checksum_get_digest (csum, hash, &digestlen); 71 | - 72 | - /* copy most parts of the hash 1:1 */ 73 | - memcpy (uu_new, hash, 16); 74 | - 75 | - /* set specific bits according to Section 4.1.3 */ 76 | - uu_new[6] = (guint8) ((uu_new[6] & 0x0f) | (5 << 4)); 77 | - uu_new[8] = (guint8) ((uu_new[8] & 0x3f) | 0x80); 78 | - 79 | - /* return as a string */ 80 | - uuid_unparse (uu_new, guid_new); 81 | - return g_strdup (guid_new); 82 | -#endif 83 | } 84 | 85 | /** 86 | 
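Review bot: the as_utils_guid_from_data() hunk removes the `g_set_error_literal (error, AS_UTILS_ERROR, AS_UTILS_ERROR_FAILED, "not supported")` lines together with the implementation, leaving only the retained `return FALSE;` (upstream's Windows stub) for every platform. Callers now get a NULL result with `*error` still unset, which breaks the GLib convention that a failed call fills in its GError and will surface as a "failed with no error" condition rather than a clear message. Keep the `g_set_error_literal` call (or a `g_set_error` explaining that uuid support is compiled out) in front of the `return`, and since the removed code ended in `return g_strdup (guid_new);` the stub should return NULL rather than FALSE to match the function's string return type.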
@@ -1593,20 +1540,7 @@ as_utils_guid_from_data (const gchar *namespace_id, 87 | gboolean 88 | as_utils_guid_is_valid (const gchar *guid) 89 | { 90 | -#ifdef _WIN32 91 | - /* XXX Ideally we should set a GError but this was already a public 92 | - * API, and it doesn't have such parameter. 93 | - */ 94 | - g_printerr ("%s: not supported\n", G_STRFUNC); 95 | return FALSE; 96 | -#else 97 | - gint rc; 98 | - uuid_t uu; 99 | - if (guid == NULL) 100 | - return FALSE; 101 | - rc = uuid_parse (guid, uu); 102 | - return rc == 0; 103 | -#endif 104 | } 105 | 106 | /** 107 | diff --git a/libappstream-glib/meson.build b/libappstream-glib/meson.build 108 | index 715123d..f5beaae 100644 109 | --- a/libappstream-glib/meson.build 110 | +++ b/libappstream-glib/meson.build 111 | @@ -16,7 +16,7 @@ if platform_win32 112 | elif platform_osx 113 | deps += [giounix] 114 | else 115 | - deps += [giounix, uuid] 116 | + deps += [giounix] 117 | endif 118 | 119 | if get_option('dep11') 120 | @@ -158,9 +158,6 @@ pkg_req_private = [ 121 | 'libarchive' 122 | ] 123 | 124 | -if not platform_win32 125 | - pkg_req_private += ['uuid'] 126 | -endif 127 | 128 | pkgg.generate( 129 | version : as_version, 130 | diff --git a/meson.build b/meson.build 131 | index 331dd7a..5ca8750 100644 132 | --- a/meson.build 133 | +++ b/meson.build 134 | @@ -69,7 +69,6 @@ elif platform_osx 135 | giounix = dependency('gio-unix-2.0', version : glib_ver) 136 | else 137 | giounix = dependency('gio-unix-2.0', version : glib_ver) 138 | - uuid = dependency('uuid') 139 | endif 140 | libarchive = dependency('libarchive') 141 | soup = dependency('libsoup-2.4', version : '>= 2.51.92') 142 | -------------------------------------------------------------------------------- /flatpak/flatpak/patches/flatpak-alsa.patch: -------------------------------------------------------------------------------- 1 | From 4b28611ab6e4c144af0599c39c5aedfb15a25a4c Mon Sep 17 00:00:00 2001 2 | 
From: Forest 3 | Date: Mon, 27 Jan 2020 17:03:37 -0800 4 | Subject: [PATCH] Support --device=snd, for ALSA-only systems. 5 | 6 | This allows sound on non-PulseAudio systems, without requiring --device=all. 7 | --- 8 | common/flatpak-context-private.h | 1 + 9 | common/flatpak-context.c | 1 + 10 | common/flatpak-run.c | 7 +++++++ 11 | doc/flatpak-build-finish.xml | 4 ++-- 12 | doc/flatpak-build.xml | 4 ++-- 13 | doc/flatpak-metadata.xml | 7 +++++++ 14 | doc/flatpak-override.xml | 4 ++-- 15 | doc/flatpak-run.xml | 4 ++-- 16 | 8 files changed, 24 insertions(+), 8 deletions(-) 17 | 18 | diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h 19 | index 48995b497..41b5f952d 100644 20 | --- a/common/flatpak-context-private.h 21 | +++ b/common/flatpak-context-private.h 22 | @@ -50,6 +50,7 @@ typedef enum { 23 | FLATPAK_CONTEXT_DEVICE_ALL = 1 << 1, 24 | FLATPAK_CONTEXT_DEVICE_KVM = 1 << 2, 25 | FLATPAK_CONTEXT_DEVICE_SHM = 1 << 3, 26 | + FLATPAK_CONTEXT_DEVICE_SND = 1 << 4, 27 | } FlatpakContextDevices; 28 | 29 | typedef enum { 30 | diff --git a/common/flatpak-context.c b/common/flatpak-context.c 31 | index 58cee2a74..3c227f86e 100644 32 | --- a/common/flatpak-context.c 33 | +++ b/common/flatpak-context.c 34 | @@ -70,6 +70,7 @@ const char *flatpak_context_devices[] = { 35 | "all", 36 | "kvm", 37 | "shm", 38 | + "snd", 39 | NULL 40 | }; 41 | 42 | diff --git a/common/flatpak-run.c b/common/flatpak-run.c 43 | index 24ec48e43..1108cf62e 100644 44 | --- a/common/flatpak-run.c 45 | +++ b/common/flatpak-run.c 46 | 
@@ -1272,6 +1272,13 @@ flatpak_run_add_environment_args (FlatpakBwrap *bwrap, 47 | if (real_dev_shm != NULL) 48 | flatpak_bwrap_add_args (bwrap, "--bind", real_dev_shm, "/dev/shm", NULL); 49 | } 50 | + 51 | + if (context->devices & FLATPAK_CONTEXT_DEVICE_SND) 52 | + { 53 | + g_debug ("Allowing snd access"); 54 | + if (g_file_test ("/dev/snd", G_FILE_TEST_IS_DIR)) 55 | + flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL); 56 | + } 57 | } 58 | 59 | flatpak_context_append_bwrap_filesystem (context, bwrap, app_id, app_id_dir, previous_app_id_dirs, &exports); 60 | diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml 61 | index d92eeb4de..2c8f64ba2 100644 62 | --- a/doc/flatpak-build-finish.xml 63 | +++ b/doc/flatpak-build-finish.xml 64 | @@ -162,7 +162,7 @@ 65 | 66 | Expose a device to the application. This updates 67 | the [Context] group in the metadata. 68 | - DEVICE must be one of: dri, kvm, shm, all. 69 | + DEVICE must be one of: dri, kvm, shm, snd, all. 70 | This option can be used multiple times. 71 | 72 | 73 | @@ -173,7 +173,7 @@ 74 | 75 | Don't expose a device to the application. This updates 76 | the [Context] group in the metadata. 77 | - DEVICE must be one of: dri, kvm, shm, all. 78 | + DEVICE must be one of: dri, kvm, shm, snd, all. 79 | This option can be used multiple times. 80 | 81 | 82 | diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml 83 | index 55e3ec89e..51ffb007b 100644 84 | --- a/doc/flatpak-build.xml 85 | +++ b/doc/flatpak-build.xml 86 | @@ -172,7 +172,7 @@ 87 | 88 | Expose a device to the application. This overrides to 89 | the Context section from the application metadata. 90 | - DEVICE must be one of: dri, kvm, shm, all. 91 | + DEVICE must be one of: dri, kvm, shm, snd, all. 92 | This option can be used multiple times. 93 | 94 | 95 | 
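Review bot: in the common/flatpak-run.c hunk, `--dev-bind /dev/snd /dev/snd` maps the whole ALSA device directory read-write, so `--device=snd` gives the sandboxed app the same access as the host user to every node under it, capture devices (microphones) included, with no per-card or playback-only granularity. That matches how `dri` and `kvm` are treated, but the accompanying documentation text should say so explicitly so users read `snd` as a device-level grant rather than a narrower "play audio" permission. The `g_file_test ("/dev/snd", G_FILE_TEST_IS_DIR)` guard also means a host without /dev/snd is skipped silently; a `g_debug` in the else branch would make "no sound inside the sandbox" far easier to diagnose.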
@@ -183,7 +183,7 @@ 96 | 97 | Don't expose a device to the application. This overrides to 98 | the Context section from the application metadata. 99 | - DEVICE must be one of: dri, kvm, shm, all. 100 | + DEVICE must be one of: dri, kvm, shm, snd, all. 101 | This option can be used multiple times. 102 | 103 | 104 | diff --git a/doc/flatpak-metadata.xml b/doc/flatpak-metadata.xml 105 | index 7e445ac1d..a1610a6ba 100644 106 | --- a/doc/flatpak-metadata.xml 107 | +++ b/doc/flatpak-metadata.xml 108 | @@ -180,6 +180,13 @@ 109 | Available since 0.6.12. 110 | 111 | 112 | + 113 | + 114 | + Sound 115 | + (/dev/snd). 116 | + Available since 1.6.2. 117 | + 118 | + 119 | 120 | 121 | All device nodes in /dev, but not /dev/shm (which is separately specified). 122 | diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml 123 | index 8f1315756..7826456c0 100644 124 | --- a/doc/flatpak-override.xml 125 | +++ b/doc/flatpak-override.xml 126 | @@ -154,7 +154,7 @@ 127 | 128 | Expose a device to the application. This overrides to 129 | the Context section from the application metadata. 130 | - DEVICE must be one of: dri, kvm, shm, all. 131 | + DEVICE must be one of: dri, kvm, shm, snd, all. 132 | This option can be used multiple times. 133 | 134 | 135 | @@ -165,7 +165,7 @@ 136 | 137 | Don't expose a device to the application. This overrides to 138 | the Context section from the application metadata. 139 | - DEVICE must be one of: dri, kvm, shm, all. 140 | + DEVICE must be one of: dri, kvm, shm, snd, all. 141 | This option can be used multiple times. 142 | 143 | 144 | diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml 145 | index 5077c1a9c..828c176a8 100644 146 | --- a/doc/flatpak-run.xml 147 | +++ b/doc/flatpak-run.xml 148 | 
@@ -294,7 +294,7 @@ 149 | 150 | Expose a device to the application. This overrides to 151 | the Context section from the application metadata. 152 | - DEVICE must be one of: dri, kvm, shm, all. 153 | + DEVICE must be one of: dri, kvm, shm, snd, all. 154 | This option can be used multiple times. 155 | 156 | 157 | @@ -305,7 +305,7 @@ 158 | 159 | Don't expose a device to the application. This overrides to 160 | the Context section from the application metadata. 161 | - DEVICE must be one of: dri, kvm, shm, all. 162 | + DEVICE must be one of: dri, kvm, shm, snd, all. 163 | This option can be used multiple times. 164 | 165 | 166 | -------------------------------------------------------------------------------- /flatpak/flatpak/patches/no-libcap.patch: -------------------------------------------------------------------------------- 1 | diff --git a/app/flatpak-builtins-enter.c b/app/flatpak-builtins-enter.c 2 | index 4a7c51d..3cd365f 100644 3 | --- a/app/flatpak-builtins-enter.c 4 | +++ b/app/flatpak-builtins-enter.c 5 | @@ -36,21 +36,11 @@ 6 | #include "flatpak-dbus-generated.h" 7 | #include "flatpak-run-private.h" 8 | #include "flatpak-instance.h" 9 | -#include 10 | 11 | static GOptionEntry options[] = { 12 | { NULL } 13 | }; 14 | 15 | -static void 16 | -drop_all_caps (void) 17 | -{ 18 | - struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; 19 | - struct __user_cap_data_struct data[2] = { { 0 } }; 20 | - 21 | - capset (&hdr, data); 22 | -} 23 | - 24 | gboolean 25 | flatpak_builtin_enter (int argc, 26 | char **argv, 27 | @@ -226,8 +216,6 @@ flatpak_builtin_enter (int argc, 28 | if (setuid (uid)) 29 | return flatpak_fail (error, _("Can't switch uid")); 30 | 31 | - drop_all_caps (); 32 | - 33 | envp_array = g_ptr_array_new_with_free_func (g_free); 34 | for (e = environment; e < environment + environment_len; e = e + strlen (e) + 1) 35 | { 36 | diff --git a/bubblewrap/bubblewrap.c b/bubblewrap/bubblewrap.c 37 | index b3d52bc..59b0076 100644 38 | 
--- a/bubblewrap/bubblewrap.c 39 | +++ b/bubblewrap/bubblewrap.c 40 | @@ -28,7 +28,6 @@ 41 | #include 42 | #include 43 | #include 44 | -#include 45 | #include 46 | #include 47 | #include 48 | 
@@ -586,70 +585,17 @@ static uint32_t requested_caps[2] = {0, 0}; 49 | static void 50 | set_required_caps (void) 51 | { 52 | - struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; 53 | - struct __user_cap_data_struct data[2] = { { 0 } }; 54 | - 55 | - /* Drop all non-require capabilities */ 56 | - data[0].effective = REQUIRED_CAPS_0; 57 | - data[0].permitted = REQUIRED_CAPS_0; 58 | - data[0].inheritable = 0; 59 | - data[1].effective = REQUIRED_CAPS_1; 60 | - data[1].permitted = REQUIRED_CAPS_1; 61 | - data[1].inheritable = 0; 62 | - if (capset (&hdr, data) < 0) 63 | - die_with_error ("capset failed"); 64 | } 65 | 66 | static void 67 | drop_all_caps (bool keep_requested_caps) 68 | { 69 | - struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; 70 | - struct __user_cap_data_struct data[2] = { { 0 } }; 71 | - 72 | - if (keep_requested_caps) 73 | - { 74 | - /* Avoid calling capset() unless we need to; currently 75 | - * systemd-nspawn at least is known to install a seccomp 76 | - * policy denying capset() for dubious reasons. 77 | - * 78 | - */ 79 | - if (!opt_cap_add_or_drop_used && real_uid == 0) 80 | - { 81 | - assert (!is_privileged); 82 | - return; 83 | - } 84 | - data[0].effective = requested_caps[0]; 85 | - data[0].permitted = requested_caps[0]; 86 | - data[0].inheritable = requested_caps[0]; 87 | - data[1].effective = requested_caps[1]; 88 | - data[1].permitted = requested_caps[1]; 89 | - data[1].inheritable = requested_caps[1]; 90 | - } 91 | - 92 | - if (capset (&hdr, data) < 0) 93 | - { 94 | - /* While the above logic ensures we don't call capset() for the primary 95 | - * process unless configured to do so, we still try to drop privileges for 96 | - * the init process unconditionally. Since due to the systemd seccomp 97 | - * filter that will fail, let's just ignore it. 
98 | - */ 99 | - if (errno == EPERM && real_uid == 0 && !is_privileged) 100 | - return; 101 | - else 102 | - die_with_error ("capset failed"); 103 | - } 104 | } 105 | 106 | static bool 107 | has_caps (void) 108 | { 109 | - struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; 110 | - struct __user_cap_data_struct data[2] = { { 0 } }; 111 | - 112 | - if (capget (&hdr, data) < 0) 113 | - die_with_error ("capget failed"); 114 | - 115 | - return data[0].permitted != 0 || data[1].permitted != 0; 116 | + return 0; 117 | } 118 | 119 | /* Most of the code here is used both to add caps to the ambient capabilities 120 | 
@@ -659,49 +605,6 @@ has_caps (void) 121 | static void 122 | prctl_caps (uint32_t *caps, bool do_cap_bounding, bool do_set_ambient) 123 | { 124 | - unsigned long cap; 125 | - 126 | - /* We ignore both EINVAL and EPERM, as we are actually relying 127 | - * on PR_SET_NO_NEW_PRIVS to ensure the right capabilities are 128 | - * available. EPERM in particular can happen with old, buggy 129 | - * kernels. See: 130 | - * https://github.com/projectatomic/bubblewrap/pull/175#issuecomment-278051373 131 | - * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077 132 | - */ 133 | - for (cap = 0; cap <= CAP_LAST_CAP; cap++) 134 | - { 135 | - bool keep = FALSE; 136 | - if (cap < 32) 137 | - { 138 | - if (CAP_TO_MASK_0 (cap) & caps[0]) 139 | - keep = TRUE; 140 | - } 141 | - else 142 | - { 143 | - if (CAP_TO_MASK_1 (cap) & caps[1]) 144 | - keep = TRUE; 145 | - } 146 | - 147 | - if (keep && do_set_ambient) 148 | - { 149 | -#ifdef PR_CAP_AMBIENT 150 | - int res = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0); 151 | - if (res == -1 && !(errno == EINVAL || errno == EPERM)) 152 | - die_with_error ("Adding ambient capability %ld", cap); 153 | -#else 154 | - /* We ignore the EINVAL that results from not having PR_CAP_AMBIENT 155 | - * in the current kernel at runtime, so also ignore not having it 156 | - * in the current kernel headers at compile-time */ 157 | -#endif 158 | - } 159 | - 160 | - if (!keep && do_cap_bounding) 161 | - { 162 | - int res = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0); 163 | - if (res == -1 && !(errno == EINVAL || errno == EPERM)) 164 | - die_with_error ("Dropping capability %ld from bounds", cap); 165 | - } 166 | - } 167 | } 168 | 169 | static void 170 | 
@@ -748,10 +651,6 @@ acquire_privs (void) 171 | /* Are we setuid ? */ 172 | if (real_uid != euid) 173 | { 174 | - if (euid != 0) 175 | - die ("Unexpected setuid user %d, should be 0", euid); 176 | - 177 | - is_privileged = TRUE; 178 | /* We want to keep running as euid=0 until at the clone() 179 | * operation because doing so will make the user namespace be 180 | * owned by root, which makes it not ptrace:able by the user as 181 | @@ -763,19 +662,7 @@ acquire_privs (void) 182 | * escalated filesystem access before the clone(), so we set 183 | * fsuid to the uid. 184 | */ 185 | - if (setfsuid (real_uid) < 0) 186 | - die_with_error ("Unable to set fsuid"); 187 | - 188 | - /* setfsuid can't properly report errors, check that it worked (as per manpage) */ 189 | - new_fsuid = setfsuid (-1); 190 | - if (new_fsuid != real_uid) 191 | - die ("Unable to set fsuid (was %d)", (int)new_fsuid); 192 | - 193 | - /* We never need capabilities after execve(), so lets drop everything from the bounding set */ 194 | - drop_cap_bounding_set (TRUE); 195 | - 196 | - /* Keep only the required capabilities for setup */ 197 | - set_required_caps (); 198 | + die_with_error ("suid disabled, enable user namespaces in the kernel."); 199 | } 200 | else if (real_uid != 0 && has_caps ()) 201 | { 202 | 
@@ -786,18 +673,6 @@ acquire_privs (void) 203 | } 204 | else if (real_uid == 0) 205 | { 206 | - /* If our uid is 0, default to inheriting all caps; the caller 207 | - * can drop them via --cap-drop. This is used by at least rpm-ostree. 208 | - * Note this needs to happen before the argument parsing of --cap-drop. 209 | - */ 210 | - struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; 211 | - struct __user_cap_data_struct data[2] = { { 0 } }; 212 | - 213 | - if (capget (&hdr, data) < 0) 214 | - die_with_error ("capget (for uid == 0) failed"); 215 | - 216 | - requested_caps[0] = data[0].effective; 217 | - requested_caps[1] = data[1].effective; 218 | } 219 | 220 | /* Else, we try unprivileged user namespaces */ 221 | 
@@ -2043,52 +1918,16 @@ parse_args_recurse (int *argcp, 222 | } 223 | else if (strcmp (arg, "--cap-add") == 0) 224 | { 225 | - cap_value_t cap; 226 | if (argc < 2) 227 | die ("--cap-add takes an argument"); 228 | 229 | - opt_cap_add_or_drop_used = TRUE; 230 | - 231 | - if (strcasecmp (argv[1], "ALL") == 0) 232 | - { 233 | - requested_caps[0] = requested_caps[1] = 0xFFFFFFFF; 234 | - } 235 | - else 236 | - { 237 | - if (cap_from_name (argv[1], &cap) < 0) 238 | - die ("unknown cap: %s", argv[1]); 239 | - 240 | - if (cap < 32) 241 | - requested_caps[0] |= CAP_TO_MASK_0 (cap); 242 | - else 243 | - requested_caps[1] |= CAP_TO_MASK_1 (cap - 32); 244 | - } 245 | - 246 | argv += 1; 247 | argc -= 1; 248 | } 249 | else if (strcmp (arg, "--cap-drop") == 0) 250 | { 251 | - cap_value_t cap; 252 | if (argc < 2) 253 | - die ("--cap-drop takes an argument"); 254 | - 255 | - opt_cap_add_or_drop_used = TRUE; 256 | - 257 | - if (strcasecmp (argv[1], "ALL") == 0) 258 | - { 259 | - requested_caps[0] = requested_caps[1] = 0; 260 | - } 261 | - else 262 | - { 263 | - if (cap_from_name (argv[1], &cap) < 0) 264 | - die ("unknown cap: %s", argv[1]); 265 | - 266 | - if (cap < 32) 267 | - requested_caps[0] &= ~CAP_TO_MASK_0 (cap); 268 | - else 269 | - requested_caps[1] &= ~CAP_TO_MASK_1 (cap - 32); 270 | - } 271 | + die ("--cap-add takes an argument"); 272 | 273 | argv += 1; 274 | argc -= 1; 275 | --------------------------------------------------------------------------------
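Review bot: in the has_caps() hunk, replacing the capget()-based check with an unconditional `return 0;` makes the `else if (real_uid != 0 && has_caps ())` branch in acquire_privs() dead code, so a non-root invocation that does hold capabilities (a binary given file capabilities, for instance) is no longer detected and falls through to the unprivileged user-namespace path while still carrying them. The check does not need the libcap API being removed here (cap_value_t, cap_from_name): capget(2) is a raw syscall, so the original body works unchanged with `syscall (SYS_capget, &hdr, data)` from <sys/syscall.h>, with <linux/capability.h> supplying the struct and version definitions. If the stub is kept on purpose, return FALSE rather than 0 to match the TRUE/FALSE convention used elsewhere in this file.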
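Review bot: in the prctl_caps() hunk, the entire body is removed while the signature stays, which leaves caps, do_cap_bounding and do_set_ambient unused and, more importantly, deletes the PR_CAPBSET_DROP loop, so capabilities that were not requested stay in the bounding set and can be regained via file capabilities after execve() into the sandbox. As far as this hunk shows, nothing in the removed body depends on libcap: it uses prctl(2), CAP_LAST_CAP and the CAP_TO_MASK_0/CAP_TO_MASK_1 macros, so the loop can stay as it was. If the function is intentionally a no-op, drop or mark the unused parameters and state in a comment why the bounding set is left intact.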
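Review bot: in the first acquire_privs() hunk (@@ -748), the setuid branch now fails immediately, yet the comment block explaining why the process keeps running as euid=0 until clone() is kept above a path that no longer does that; remove or rewrite it so the comment matches the code.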
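Review bot: in the second acquire_privs() hunk (@@ -763), `die_with_error ("suid disabled, enable user namespaces in the kernel.")` uses the errno-reporting variant (elsewhere in this diff it follows failed capset/capget/setfsuid calls) although no syscall has failed at this point, so an unrelated strerror(errno) gets appended; use die() here. The message also blames the kernel, whereas the condition detected is `real_uid != euid`, i.e. the binary was installed setuid: say that, e.g. `die ("bwrap must not be installed setuid in this build; unprivileged user namespaces are required");`.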
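Review bot: in the @@ -786 acquire_privs() hunk, the `else if (real_uid == 0)` branch is left as an empty block. It previously seeded requested_caps with the caller's effective set so a real root caller inherited its capabilities and could trim them with --cap-drop; with that body gone and --cap-add/--cap-drop reduced to no-ops in the parse_args_recurse() hunk, requested_caps is never populated from process state. Either delete the empty branch or replace the body with a comment stating what a uid 0 caller is expected to get in this build, and confirm that the later consumers of requested_caps (set_required_caps() and friends, not shown) behave sensibly with the default value. If the original behaviour is wanted, the capget() call can be kept via `syscall (SYS_capget, &hdr, data)` without libcap.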
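Review bot: in the parse_args_recurse() hunk, the --cap-drop missing-argument check now reads `die ("--cap-add takes an argument");`, a copy-paste error that should name --cap-drop. The larger problem is that both options now consume their argument and silently do nothing: a caller passing `--cap-drop ALL` gets neither an error nor a reduced capability set, and unknown capability names are no longer rejected because the cap_from_name() validation went away with libcap. An option that cannot be honoured should fail loudly, e.g. `die ("--cap-add/--cap-drop are not supported in this build");`, or at least warn; note too that opt_cap_add_or_drop_used is no longer set, so any later sanity check keyed on it is disabled as well.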