d-two/operating-system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bump buildroot to 2020.11-rc1 (#985)

Browse Source 
* Update buildroot-patches for 2020.11-rc1 buildroot

* Update buildroot to 2020.11-rc1

Signed-off-by: Stefan Agner <stefan@agner.ch>

* Don't rely on sfdisk --list-free output

The --list-free (-F) argument does not allow machine readable mode. And
it seems that the output format changes over time (different spacing,
using size postfixes instead of raw blocks).

Use sfdisk json output and calculate free partition space ourselfs. This
works for 2.35 and 2.36 and is more robust since we rely on output which
is meant for scripts to parse.

* Migrate defconfigs for Buildroot 2020.11-rc1

In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to
BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE).

* Rebase/remove systemd patches for systemd 246

* Drop apparmor/libapparmor from buildroot-external

* hassos-persists: use /run as directory for lockfiles

The U-Boot tools use /var/lock by default which is not created any more
by systemd by default (it is under tmpfiles legacy.conf, which we no
longer install).

* Disable systemd-update-done.service

The service is not suited for pure read-only systems. In particular the
service needs to be able to write a file in /etc and /var. Remove the
service. Note: This is a static service and cannot be removed using
systemd-preset.

* Disable apparmor.service for now

The service loads all default profiles. Some might actually cause
problems. E.g. the profile for ping seems not to match our setup for
/etc/resolv.conf:
[85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
This commit is contained in:
Stefan Agner
2020-11-13 18:25:44 +01:00
committed by GitHub
parent 25a0dd3082
commit a0871be6c0
4024 changed files with 68095 additions and 47900 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
buildroot/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
View File

@@ -1,46 +0,0 @@
From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 2 Jan 2019 17:13:27 +0100
Subject: [PATCH] admin: Prevent access if any authentication agent isn't
available
The backend currently allows to access and modify files without prompting
for password if any polkit authentication agent isn't available. This seems
isn't usually problem, because polkit agents are integral parts of
graphical environments / linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.
This affects only users which belong to wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users, who don't belong to that group.
Let's return permission denied error also when the subject can't be
authorized by any polkit agent to prevent this behavior.
Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
[Retrieved from:
https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsbackendadmin.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index ec0f2392..0f849008 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
return FALSE;
}
- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
- polkit_authorization_result_get_is_challenge (result);
+ is_authorized = polkit_authorization_result_get_is_authorized (result);
g_object_unref (result);
--
2.24.1

78
buildroot/package/gvfs/0001-meson.build-fix-linking-with-libmetadata.patch Normal file
View File

@@ -0,0 +1,78 @@
From 731256d7517f0d9cf0b999bb22f864080d5e8690 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Sat, 18 Jul 2020 10:00:50 +0200
Subject: [PATCH] meson.build: fix linking with libmetadata
libmetadata is built as a static library and depends on libgvfscommon so
change the dependencies order to put libgvfscommon_dep after
libmetadata_dep or gvfsd-metadata will fail to link on:
FAILED: metadata/gvfsd-metadata
/home/naourr/work/instance-3/output-1/host/bin/arm-none-linux-gnueabi-gcc -o metadata/gvfsd-metadata 'metadata/45447b7@@gvfsd-metadata@exe/meta-daemon.c.o' -Wl,--as-needed -Wl,--no-undefined -Wl,-O1 -Wl,--start-group common/libgvfscommon.so metadata/libmetadata.a /home/naourr/work/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/lib/libgio-2.0.so /home/naourr/work/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/lib/libgobject-2.0.so /home/naourr/work/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/lib/libglib-2.0.so -Wl,--end-group '-Wl,-rpath,$ORIGIN/../common:$ORIGIN/' -Wl,-rpath-link,/home/naourr/work/instance-3/output-1/build/gvfs-1.44.1/build/common -Wl,-rpath-link,/home/naourr/work/instance-3/output-1/build/gvfs-1.44.1/build/metadata
metadata/libmetadata.a(metatree.c.o): In function `safe_open':
metatree.c:(.text+0x9c8): undefined reference to `gvfs_randomize_string'
collect2: error: ld returned 1 exit status
Apply this change in the whole source code and not only for
gvfsd-metadata to avoid any other build failures.
Fixes:
- http://autobuild.buildroot.org/results//fa892c41b6b9285839a0164b000e37fb04dcc194
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status:
https://gitlab.gnome.org/GNOME/gvfs/-/merge_requests/92]
---
client/meson.build | 2 +-
metadata/meson.build | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/client/meson.build b/client/meson.build
index 8f57d0d3..1d251481 100644
--- a/client/meson.build
+++ b/client/meson.build
@@ -33,8 +33,8 @@ sources = uri_parser_sources + uri_utils + files(
deps = [
gio_unix_dep,
- libgvfscommon_dep,
libmetadata_dep,
+ libgvfscommon_dep,
]
cflags = [
diff --git a/metadata/meson.build b/metadata/meson.build
index 4e120d18..5699e6f2 100644
--- a/metadata/meson.build
+++ b/metadata/meson.build
@@ -72,8 +72,8 @@ libmetadata_dep = declare_dependency(
)
deps = [
- libgvfscommon_dep,
libmetadata_dep,
+ libgvfscommon_dep,
]
if enable_gudev
@@ -105,8 +105,8 @@ if enable_devel_utils
app + '.c',
include_directories: top_inc,
dependencies: [
- libgvfscommon_dep,
libmetadata_dep,
+ libgvfscommon_dep,
],
c_args: cflags,
)
@@ -119,6 +119,7 @@ if enable_devel_utils
include_directories: top_inc,
dependencies: [
libmetadata_dep,
+ libgvfscommon_dep,
libxml_dep,
],
c_args: cflags,
--
2.27.0

131
buildroot/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
View File

@@ -1,131 +0,0 @@
From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 23 May 2019 10:24:36 +0200
Subject: [PATCH] admin: Add query_info_on_read/write functionality
Admin backend doesn't implement query_info_on_read/write which might
potentially lead to some race conditions which aren't really wanted
especially in case of admin backend. Let's add this missing functionality.
[Retrieved fom:
https://gitlab.gnome.org/GNOME/gvfs/commit/5cd76d627f4d1982b6e77a0e271ef9301732d09e]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------
1 file changed, 67 insertions(+), 12 deletions(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index 65a979e7..23d16f16 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -42,6 +42,8 @@
#include "gvfsjobopenforwrite.h"
#include "gvfsjobqueryattributes.h"
#include "gvfsjobqueryinfo.h"
+#include "gvfsjobqueryinforead.h"
+#include "gvfsjobqueryinfowrite.h"
#include "gvfsjobread.h"
#include "gvfsjobseekread.h"
#include "gvfsjobseekwrite.h"
@@ -155,6 +157,19 @@ complete_job (GVfsJob *job,
g_vfs_job_succeeded (job);
}
+static void
+fix_file_info (GFileInfo *info)
+{
+ /* Override read/write flags, since the above call will use access()
+ * to determine permissions, which does not honor our privileged
+ * capabilities.
+ */
+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
+}
+
static void
do_query_info (GVfsBackend *backend,
GVfsJobQueryInfo *query_info_job,
@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend,
if (error != NULL)
goto out;
- /* Override read/write flags, since the above call will use access()
- * to determine permissions, which does not honor our privileged
- * capabilities.
- */
- g_file_info_set_attribute_boolean (real_info,
- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
- g_file_info_set_attribute_boolean (real_info,
- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
- g_file_info_set_attribute_boolean (real_info,
- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
- g_file_info_set_attribute_boolean (real_info,
- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
+ fix_file_info (real_info);
+ g_file_info_copy_into (real_info, info);
+ g_object_unref (real_info);
+
+ out:
+ complete_job (job, error);
+}
+
+static void
+do_query_info_on_read (GVfsBackend *backend,
+ GVfsJobQueryInfoRead *query_info_job,
+ GVfsBackendHandle handle,
+ GFileInfo *info,
+ GFileAttributeMatcher *matcher)
+{
+ GVfsJob *job = G_VFS_JOB (query_info_job);
+ GFileInputStream *stream = handle;
+ GError *error = NULL;
+ GFileInfo *real_info;
+
+ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes,
+ job->cancellable, &error);
+ if (error != NULL)
+ goto out;
+
+ fix_file_info (real_info);
+ g_file_info_copy_into (real_info, info);
+ g_object_unref (real_info);
+
+ out:
+ complete_job (job, error);
+}
+
+static void
+do_query_info_on_write (GVfsBackend *backend,
+ GVfsJobQueryInfoWrite *query_info_job,
+ GVfsBackendHandle handle,
+ GFileInfo *info,
+ GFileAttributeMatcher *matcher)
+{
+ GVfsJob *job = G_VFS_JOB (query_info_job);
+ GFileOutputStream *stream = handle;
+ GError *error = NULL;
+ GFileInfo *real_info;
+
+ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes,
+ job->cancellable, &error);
+ if (error != NULL)
+ goto out;
+ fix_file_info (real_info);
g_file_info_copy_into (real_info, info);
g_object_unref (real_info);
@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
backend_class->mount = do_mount;
backend_class->open_for_read = do_open_for_read;
backend_class->query_info = do_query_info;
+ backend_class->query_info_on_read = do_query_info_on_read;
+ backend_class->query_info_on_write = do_query_info_on_write;
backend_class->read = do_read;
backend_class->create = do_create;
backend_class->append_to = do_append_to;
--
2.24.1

34
buildroot/package/gvfs/0003-admin-Allow-changing-file-owner.patch
View File

@@ -1,34 +0,0 @@
From daf1163aba229afcfddf0f925aef7e97047e8959 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 23 May 2019 10:29:08 +0200
Subject: [PATCH] admin: Allow changing file owner
CAP_CHOWN is dropped together with other privilages and thus the backend
can't change file owner. This might be probably e.g. in case of copy
operation when G_FILE_COPY_ALL_METADATA is used. Let's keep CAP_CHOWN
to fix this.
[Retrieved from:
https://gitlab.gnome.org/GNOME/gvfs/commit/daf1163aba229afcfddf0f925aef7e97047e8959]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsbackendadmin.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index 23d16f16..a74d09cf 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -968,7 +968,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self)
#define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \
CAP_TO_MASK(CAP_DAC_OVERRIDE) | \
- CAP_TO_MASK(CAP_DAC_READ_SEARCH))
+ CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \
+ CAP_TO_MASK(CAP_CHOWN))
static void
acquire_caps (uid_t uid)
--
2.24.1

91
buildroot/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
View File

@@ -1,91 +0,0 @@
From 3895e09d784ebec0fbc4614d5c37068736120e1d Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 23 May 2019 10:33:30 +0200
Subject: [PATCH] admin: Use fsuid to ensure correct file ownership
Files created over admin backend should be owned by root, but they are
owned by the user itself. This is because the daemon drops the uid to
make dbus connection work. Use fsuid and euid to fix this issue.
Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/21
[Retrieved from:
https://gitlab.gnome.org/GNOME/gvfs/commit/3895e09d784ebec0fbc4614d5c37068736120e1d]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsbackendadmin.c | 29 +++++++----------------------
1 file changed, 7 insertions(+), 22 deletions(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index a74d09cf..32b51b1a 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -157,19 +157,6 @@ complete_job (GVfsJob *job,
g_vfs_job_succeeded (job);
}
-static void
-fix_file_info (GFileInfo *info)
-{
- /* Override read/write flags, since the above call will use access()
- * to determine permissions, which does not honor our privileged
- * capabilities.
- */
- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
-}
-
static void
do_query_info (GVfsBackend *backend,
GVfsJobQueryInfo *query_info_job,
@@ -195,7 +182,6 @@ do_query_info (GVfsBackend *backend,
if (error != NULL)
goto out;
- fix_file_info (real_info);
g_file_info_copy_into (real_info, info);
g_object_unref (real_info);
@@ -220,7 +206,6 @@ do_query_info_on_read (GVfsBackend *backend,
if (error != NULL)
goto out;
- fix_file_info (real_info);
g_file_info_copy_into (real_info, info);
g_object_unref (real_info);
@@ -245,7 +230,6 @@ do_query_info_on_write (GVfsBackend *backend,
if (error != NULL)
goto out;
- fix_file_info (real_info);
g_file_info_copy_into (real_info, info);
g_object_unref (real_info);
@@ -977,14 +961,15 @@ acquire_caps (uid_t uid)
struct __user_cap_header_struct hdr;
struct __user_cap_data_struct data;
- /* Tell kernel not clear capabilities when dropping root */
- if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
- g_error ("prctl(PR_SET_KEEPCAPS) failed");
-
- /* Drop root uid, but retain the required permitted caps */
- if (setuid (uid) < 0)
+ /* Set euid to user to make dbus work */
+ if (seteuid (uid) < 0)
g_error ("unable to drop privs");
+ /* Set fsuid to still behave like root when working with files */
+ setfsuid (0);
+ if (setfsuid (-1) != 0)
+ g_error ("setfsuid failed");
+
memset (&hdr, 0, sizeof(hdr));
hdr.version = _LINUX_CAPABILITY_VERSION;
--
2.24.1

84
buildroot/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
View File

@@ -1,84 +0,0 @@
From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Fri, 24 May 2019 09:43:43 +0200
Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri
User and group is not restored properly when moving (or copying with
G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
by GIO fallback code, which doesn't run with root permissions. Let's
handle this case with pull method to ensure correct ownership.
[Retrieved from:
https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index 32b51b1a..9a7e8295 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
complete_job (job, error);
}
+static void
+do_pull (GVfsBackend *backend,
+ GVfsJobPull *pull_job,
+ const char *source,
+ const char *local_path,
+ GFileCopyFlags flags,
+ gboolean remove_source,
+ GFileProgressCallback progress_callback,
+ gpointer progress_callback_data)
+{
+ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
+ GVfsJob *job = G_VFS_JOB (pull_job);
+ GError *error = NULL;
+ GFile *src_file, *dst_file;
+
+ /* Pull method is necessary when user/group needs to be restored, return
+ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
+ */
+ if (!(flags & G_FILE_COPY_ALL_METADATA))
+ {
+ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
+ G_IO_ERROR_NOT_SUPPORTED,
+ _("Operation not supported"));
+ return;
+ }
+
+ if (!check_permission (self, job))
+ return;
+
+ src_file = g_file_new_for_path (source);
+ dst_file = g_file_new_for_path (local_path);
+
+ if (remove_source)
+ g_file_move (src_file, dst_file, flags, job->cancellable,
+ progress_callback, progress_callback_data, &error);
+ else
+ g_file_copy (src_file, dst_file, flags, job->cancellable,
+ progress_callback, progress_callback_data, &error);
+
+ g_object_unref (src_file);
+ g_object_unref (dst_file);
+
+ complete_job (job, error);
+}
+
static void
do_query_settable_attributes (GVfsBackend *backend,
GVfsJobQueryAttributes *query_job,
@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
backend_class->set_attribute = do_set_attribute;
backend_class->delete = do_delete;
backend_class->move = do_move;
+ backend_class->pull = do_pull;
backend_class->query_settable_attributes = do_query_settable_attributes;
backend_class->query_writable_namespaces = do_query_writable_namespaces;
}
--
2.24.1

96
buildroot/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch
View File

@@ -1,96 +0,0 @@
From 70dbfc68a79faac49bd3423e079cb6902522082a Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 5 Jun 2019 13:33:38 +0100
Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
Otherwise, an attacker who learns the abstract socket address from
netstat(8) or similar could connect to it and issue D-Bus method
calls.
Signed-off-by: Simon McVittie <smcv@collabora.com>
[Retrieved from:
https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
index 406d4f8e..be148a7b 100644
--- a/daemon/gvfsdaemon.c
+++ b/daemon/gvfsdaemon.c
@@ -79,6 +79,7 @@ struct _GVfsDaemon
gint mount_counter;
+ GDBusAuthObserver *auth_observer;
GDBusConnection *conn;
GVfsDBusDaemon *daemon_skeleton;
GVfsDBusMountable *mountable_skeleton;
@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
}
if (daemon->conn != NULL)
g_object_unref (daemon->conn);
+ if (daemon->auth_observer != NULL)
+ g_object_unref (daemon->auth_observer);
g_hash_table_destroy (daemon->registered_paths);
g_hash_table_destroy (daemon->client_connections);
@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
daemon->lost_main_daemon = TRUE;
}
+/*
+ * Authentication observer signal handler that authorizes connections
+ * from the same uid as this process. This matches the behaviour of a
+ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
+ * has been set, but is not the default in GDBus.
+ */
+static gboolean
+authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
+ G_GNUC_UNUSED GIOStream *stream,
+ GCredentials *credentials,
+ G_GNUC_UNUSED gpointer user_data)
+{
+ gboolean authorized = FALSE;
+
+ if (credentials != NULL)
+ {
+ GCredentials *own_credentials;
+
+ own_credentials = g_credentials_new ();
+
+ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
+ authorized = TRUE;
+
+ g_object_unref (own_credentials);
+ }
+
+ return authorized;
+}
+
static void
g_vfs_daemon_init (GVfsDaemon *daemon)
{
@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
g_assert (daemon->conn != NULL);
+ daemon->auth_observer = g_dbus_auth_observer_new ();
+ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
server = g_dbus_server_new_sync (address1,
G_DBUS_SERVER_FLAGS_NONE,
guid,
- NULL, /* GDBusAuthObserver */
+ daemon->auth_observer,
NULL, /* GCancellable */
&error);
g_free (guid);
--
2.24.1

7
buildroot/package/gvfs/Config.in
View File

@@ -3,6 +3,8 @@ config BR2_PACKAGE_GVFS
depends on BR2_USE_WCHAR # glib2
depends on BR2_USE_MMU # dbus, glib2
depends on BR2_TOOLCHAIN_HAS_THREADS # dbus, glib2
depends on !BR2_STATIC_LIBS
select BR2_PACKAGE_GSETTINGS_DESKTOP_SCHEMAS
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_DBUS
select BR2_PACKAGE_SHARED_MIME_INFO
@@ -15,6 +17,7 @@ config BR2_PACKAGE_GVFS
https://wiki.gnome.org/action/show/Projects/gvfs
comment "gvfs needs a toolchain w/ wchar, threads"
comment "gvfs needs a toolchain w/ wchar, threads, dynamic library"
depends on BR2_USE_MMU
depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
!BR2_STATIC_LIBS

6
buildroot/package/gvfs/gvfs.hash
View File

@@ -1,5 +1,5 @@
# From http://ftp.gnome.org/pub/GNOME/sources/gvfs/1.31/gvfs-1.31.4.sha256sum
sha256 55244d447d040884dfb335fde638274cb6f2794285ada7fa84bcbbd34f06be04 gvfs-1.31.4.tar.xz
# From http://ftp.gnome.org/pub/GNOME/sources/gvfs/1.44/gvfs-1.44.1.sha256sum
sha256 50ef3245d1b03666a40455109169a2a1bd51419fd2d51f9fa6cfd4f89f04fb46 gvfs-1.44.1.tar.xz
# Hash for license file
sha256 45cf336e2e48176993babc5aabf44437390f40e6a86a472c6abfc7ce9c035db4 COPYING
sha256 45cf336e2e48176993babc5aabf44437390f40e6a86a472c6abfc7ce9c035db4 COPYING

143
buildroot/package/gvfs/gvfs.mk
View File

@@ -4,60 +4,45 @@
#
################################################################################
GVFS_VERSION_MAJOR = 1.31
GVFS_VERSION = $(GVFS_VERSION_MAJOR).4
GVFS_VERSION_MAJOR = 1.44
GVFS_VERSION = $(GVFS_VERSION_MAJOR).1
GVFS_SOURCE = gvfs-$(GVFS_VERSION).tar.xz
GVFS_SITE = http://ftp.gnome.org/pub/GNOME/sources/gvfs/$(GVFS_VERSION_MAJOR)
GVFS_INSTALL_STAGING = YES
GVFS_DEPENDENCIES = host-pkgconf host-libglib2 libglib2 dbus shared-mime-info \
GVFS_DEPENDENCIES = \
host-pkgconf \
host-libglib2 \
dbus \
gsettings-desktop-schemas \
libglib2 \
shared-mime-info \
$(TARGET_NLS_DEPENDENCIES)
GVFS_LICENSE = LGPL-2.0+
GVFS_LICENSE_FILES = COPYING
GVFS_LIBS = $(TARGET_NLS_LIBS)
# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
GVFS_IGNORE_CVES += CVE-2019-3827
# package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
GVFS_IGNORE_CVES += CVE-2019-12448
# 0003-admin-Allow-changing-file-owner.patch
# 0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
GVFS_IGNORE_CVES += CVE-2019-12447
# 0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
GVFS_IGNORE_CVES += CVE-2019-12449
# 0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch
GVFS_IGNORE_CVES += CVE-2019-12795
# Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
# build system from searching the host paths.
GVFS_CONF_ENV = \
ac_cv_path_LIBGCRYPT_CONFIG=$(STAGING_DIR)/usr/bin/libgcrypt-config \
LIBS="$(GVFS_LIBS)"
GVFS_LDFLAGS = $(TARGET_LDFLAGS) $(TARGET_NLS_LIBS)
# Most of these are missing library support
GVFS_CONF_OPTS = \
--disable-afc \
--disable-gdu \
--disable-goa \
--disable-google \
--disable-libmtp \
--disable-udisks2
-Dafc=false \
-Dgoa=false \
-Dgoogle=false \
-Dmtp=false \
-Dsftp=false \
-Dudisks2=false
ifeq ($(BR2_PACKAGE_AVAHI),y)
GVFS_DEPENDENCIES += avahi
GVFS_CONF_OPTS += --enable-avahi
GVFS_CONF_OPTS += -Ddnssd=true
else
GVFS_CONF_OPTS += --disable-avahi
GVFS_CONF_OPTS += -Ddnssd=false
endif
ifeq ($(BR2_PACKAGE_GCR),y)
GVFS_DEPENDENCIES += gcr
GVFS_CONF_OPTS += --enable-gcr
GVFS_CONF_OPTS += -Dgcr=true
else
GVFS_CONF_OPTS += --disable-gcr
GVFS_CONF_OPTS += -Dgcr=false
endif
ifeq ($(BR2_PACKAGE_HAS_UDEV),y)
@@ -66,121 +51,110 @@ endif
ifeq ($(BR2_PACKAGE_LIBGUDEV),y)
GVFS_DEPENDENCIES += libgudev
GVFS_CONF_OPTS += --enable-gudev
GVFS_CONF_OPTS += -Dgudev=true
else
GVFS_CONF_OPTS += --disable-gudev
GVFS_CONF_OPTS += -Dgudev=false
endif
ifeq ($(BR2_PACKAGE_LIBARCHIVE),y)
GVFS_DEPENDENCIES += libarchive
GVFS_CONF_OPTS += \
--enable-archive \
--with-archive-includes=$(STAGING_DIR)/usr \
--with-archive-libs=$(STAGING_DIR)/usr
GVFS_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs libarchive`
GVFS_CONF_OPTS += -Darchive=true
else
GVFS_CONF_OPTS += --disable-archive
GVFS_CONF_OPTS += -Darchive=false
endif
ifeq ($(BR2_PACKAGE_LIBBLURAY),y)
GVFS_DEPENDENCIES += libbluray
GVFS_CONF_OPTS += --enable-bluray
GVFS_CONF_OPTS += -Dbluray=true
else
GVFS_CONF_OPTS += --disable-bluray
GVFS_CONF_OPTS += -Dbluray=false
endif
ifeq ($(BR2_PACKAGE_LIBCAP)$(BR2_PACKAGE_POLKIT),yy)
GVFS_DEPENDENCIES += libcap polkit
GVFS_CONF_OPTS += --enable-admin
GVFS_CONF_OPTS += -Dadmin=true
else
GVFS_CONF_OPTS += --disable-admin
GVFS_CONF_OPTS += -Dadmin=false
endif
ifeq ($(BR2_PACKAGE_LIBCDIO_PARANOIA)$(BR2_PACKAGE_LIBGUDEV),yy)
GVFS_DEPENDENCIES += libcdio-paranoia libgudev
GVFS_CONF_OPTS += --enable-cdda
GVFS_CONF_OPTS += -Dcdda=true
else
GVFS_CONF_OPTS += --disable-cdda
GVFS_CONF_OPTS += -Dcdda=false
endif
ifeq ($(BR2_PACKAGE_LIBFUSE),y)
GVFS_DEPENDENCIES += libfuse
GVFS_CONF_OPTS += --enable-fuse
ifeq ($(BR2_PACKAGE_LIBFUSE3),y)
GVFS_DEPENDENCIES += libfuse3
GVFS_CONF_OPTS += -Dfuse=true
else
GVFS_CONF_OPTS += --disable-fuse
GVFS_CONF_OPTS += -Dfuse=false
endif
# AFP support is anon-only without libgcrypt which isn't very useful
ifeq ($(BR2_PACKAGE_LIBGCRYPT),y)
GVFS_CONF_OPTS += --enable-afp
GVFS_CONF_OPTS += \
-Dafp=true \
-Dgcrypt=true
GVFS_DEPENDENCIES += libgcrypt
else
GVFS_CONF_OPTS += --disable-afp
GVFS_CONF_OPTS += \
-Dafp=false \
-Dgcrypt=false
endif
ifeq ($(BR2_PACKAGE_LIBGPHOTO2)$(BR2_PACKAGE_LIBGUDEV),yy)
GVFS_DEPENDENCIES += libgphoto2 libgudev
GVFS_CONF_OPTS += --enable-gphoto2
GVFS_CONF_OPTS += -Dgphoto2=true
else
GVFS_CONF_OPTS += --disable-gphoto2
endif
ifeq ($(BR2_PACKAGE_LIBGTK3),y)
GVFS_CONF_OPTS += --enable-gtk
GVFS_DEPENDENCIES += libgtk3
else
GVFS_CONF_OPTS += --disable-gtk
GVFS_CONF_OPTS += -Dgphoto2=false
endif
ifeq ($(BR2_PACKAGE_LIBNFS),y)
GVFS_CONF_OPTS += --enable-nfs
GVFS_CONF_OPTS += -Dnfs=true
GVFS_DEPENDENCIES += libnfs
else
GVFS_CONF_OPTS += --disable-nfs
GVFS_CONF_OPTS += -Dnfs=false
endif
ifeq ($(BR2_PACKAGE_LIBSECRET),y)
GVFS_DEPENDENCIES += libsecret
GVFS_CONF_OPTS += --enable-keyring
GVFS_CONF_OPTS += -Dkeyring=true
else
GVFS_CONF_OPTS += --disable-keyring
GVFS_CONF_OPTS += -Dkeyring=false
endif
ifeq ($(BR2_PACKAGE_LIBSOUP)$(BR2_PACKAGE_LIBXML2),yy)
GVFS_DEPENDENCIES += libsoup libxml2
GVFS_CONF_OPTS += --enable-http
GVFS_CONF_OPTS += -Dhttp=true
else
GVFS_CONF_OPTS += --disable-http
GVFS_CONF_OPTS += -Dhttp=false
endif
ifeq ($(BR2_PACKAGE_LIBUSB),y)
GVFS_DEPENDENCIES += libusb
GVFS_CONF_OPTS += --enable-libusb
GVFS_CONF_OPTS += -Dlibusb=true
else
GVFS_CONF_OPTS += --disable-libusb
GVFS_CONF_OPTS += -Dlibusb=false
endif
ifeq ($(BR2_PACKAGE_SAMBA4),y)
GVFS_DEPENDENCIES += samba4
GVFS_CONF_OPTS += \
--enable-samba \
--with-samba-includes=$(STAGING_DIR)/usr/include/samba-4.0 \
--with-samba-libs=$(STAGING_DIR)/usr/lib \
ac_cv_lib_smbclient_smbc_option_get=yes
GVFS_CONF_OPTS += -Dsmb=true
else
GVFS_CONF_OPTS += --disable-samba
GVFS_CONF_OPTS += -Dsmb=false
endif
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
GVFS_DEPENDENCIES += systemd
GVFS_CONF_OPTS += -Dlogind=true
else
GVFS_CONF_OPTS += --disable-libsystemd-login
GVFS_CONF_OPTS += \
-Dlogind=false \
-Dsystemduserunitdir=no \
-Dtmpfilesdir=no
endif
define GVFS_REMOVE_USELESS_BINARY
rm $(TARGET_DIR)/usr/bin/gvfs-less
endef
define GVFS_REMOVE_TARGET_SCHEMAS
rm $(TARGET_DIR)/usr/share/glib-2.0/schemas/*.xml
endef
@@ -190,8 +164,7 @@ define GVFS_COMPILE_SCHEMAS
endef
GVFS_POST_INSTALL_TARGET_HOOKS += \
GVFS_REMOVE_USELESS_BINARY \
GVFS_REMOVE_TARGET_SCHEMAS \
GVFS_COMPILE_SCHEMAS
$(eval $(autotools-package))
$(eval $(meson-package))