rpms
/
chromium
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix flatpak build

Browse Source 
This adds patches from Flathub to use the Flatpak sandbox (as the GUID
sandbox is not compatible with Flatpak's own), removes dependencies on host
services, and uses automatic detection of dependency locations (since
dependencies are not necessarily found in /app even when building therein,
as the buildroot is still in /usr).
epel9
Yaakov Selkowitz 2 months ago committed by yselkowitz
parent 1e146bce28
commit b73d675e71
4 changed files with 1771 additions and 11 deletions
Show Stats Download Patch File Download Diff File

45
chromium.spec
Unescape View File

@ -37,12 +37,18 @@
# enable|disable chromedriver # enable|disable chromedriver
%global build_chromedriver 1 %global build_chromedriver 1
%if 0%{?flatpak}
%global build_chromedriver 0
%endif
# enable|disable headless client build # enable|disable headless client build
%global build_headless 1 %global build_headless 1
%ifarch ppc64le %ifarch ppc64le
%global build_headless 0 %global build_headless 0
%endif %endif
%if 0%{?flatpak}
%global build_headless 0
%endif
# enable|disable chrome-remote-desktop build # enable|disable chrome-remote-desktop build
%global build_remoting 0 %global build_remoting 0
@ -442,6 +448,12 @@ Patch413: fix-unknown-warning-option-messages.diff
Patch414: cargo-add-ppc64.diff Patch414: cargo-add-ppc64.diff
Patch415: add-ppc64-pthread-stack-size.patch Patch415: add-ppc64-pthread-stack-size.patch
# flatpak sandbox patches from
# https://github.com/flathub/org.chromium.Chromium/tree/master/patches/chromium
Patch416: flatpak-Add-initial-sandbox-support.patch
Patch417: flatpak-Adjust-paths-for-the-sandbox.patch
Patch418: flatpak-Expose-Widevine-into-the-sandbox.patch
# upstream patches # upstream patches
# Use chromium-latest.py to generate clean tarball from released build tarballs, found here: # Use chromium-latest.py to generate clean tarball from released build tarballs, found here:
@ -666,7 +678,7 @@ BuildRequires: libXNVCtrl-devel
%endif %endif
# One of the python scripts invokes git to look for a hash. So helpful. # One of the python scripts invokes git to look for a hash. So helpful.
BuildRequires: /usr/bin/git BuildRequires: git-core
BuildRequires: hwdata BuildRequires: hwdata
BuildRequires: kernel-headers BuildRequires: kernel-headers
%if ! %{bundlelibevent} %if ! %{bundlelibevent}
@ -782,7 +794,7 @@ Requires: nss-mdns%{_isa}
# GTK modules it expects to find for some reason. # GTK modules it expects to find for some reason.
Requires: libcanberra-gtk3%{_isa} Requires: libcanberra-gtk3%{_isa}
%if 0%{?fedora} %if 0%{?fedora} && %{undefined flatpak}
# This enables support for u2f tokens # This enables support for u2f tokens
Requires: u2f-hidraw-policy Requires: u2f-hidraw-policy
%endif %endif
@ -923,9 +935,11 @@ Provides: bundled(xdg-mime)
Provides: bundled(xdg-user-dirs) Provides: bundled(xdg-user-dirs)
# Provides: bundled(zlib) = 1.2.11 # Provides: bundled(zlib) = 1.2.11
%if %{undefined flatpak}
# For selinux scriptlet # For selinux scriptlet
Requires(post): /usr/sbin/semanage Requires(post): /usr/sbin/semanage
Requires(post): /usr/sbin/restorecon Requires(post): /usr/sbin/restorecon
%endif
%description %description
Chromium is an open-source web browser, powered by WebKit (Blink). Chromium is an open-source web browser, powered by WebKit (Blink).
@ -1135,6 +1149,12 @@ Qt6 UI for chromium.
%patch -P415 -p1 -b .add-ppc64-pthread-stack-size %patch -P415 -p1 -b .add-ppc64-pthread-stack-size
%endif %endif
%if 0%{?flatpak}
%patch -P416 -p1 -b .flatpak-initial-sandbox
%patch -P417 -p1 -b .flatpak-sandbox-paths
%patch -P418 -p1 -b .flatpak-widevine
%endif
# Change shebang in all relevant files in this directory and all subdirectories # Change shebang in all relevant files in this directory and all subdirectories
# See `man find` for how the `-exec command {} +` syntax works # See `man find` for how the `-exec command {} +` syntax works
find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env python\)[23]\?=#!%{chromium_pybin}=' {} + find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env python\)[23]\?=#!%{chromium_pybin}=' {} +
@ -1155,12 +1175,12 @@ find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env py
popd popd
%else %else
mkdir -p third_party/node/linux/node-linux-x64/bin mkdir -p third_party/node/linux/node-linux-x64/bin
ln -s %{_bindir}/node third_party/node/linux/node-linux-x64/bin/node ln -s $(which node) third_party/node/linux/node-linux-x64/bin/node
%endif %endif
# Get rid of the bundled esbuild # Get rid of the bundled esbuild
%if 0%{?fedora} %if 0%{?fedora}
ln -sf %{_bindir}/esbuild third_party/devtools-frontend/src/third_party/esbuild/esbuild ln -sf $(which esbuild) third_party/devtools-frontend/src/third_party/esbuild/esbuild
%else %else
%ifarch x86_64 %ifarch x86_64
tar -zxf %{SOURCE14} --directory %{_tmppath} tar -zxf %{SOURCE14} --directory %{_tmppath}
@ -1175,7 +1195,7 @@ popd
rm -rf buildtools/third_party/eu-strip/bin/eu-strip rm -rf buildtools/third_party/eu-strip/bin/eu-strip
# Replace it with a symlink to the Fedora copy # Replace it with a symlink to the Fedora copy
ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip ln -s $(which eu-strip) buildtools/third_party/eu-strip/bin/eu-strip
%if %{bundlelibusbx} %if %{bundlelibusbx}
# no hackity hack hack # no hackity hack hack
@ -1183,7 +1203,7 @@ ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip
# hackity hack hack # hackity hack hack
rm -rf third_party/libusb/src/libusb/libusb.h rm -rf third_party/libusb/src/libusb/libusb.h
# we _shouldn't need to do this, but it looks like we do. # we _shouldn't need to do this, but it looks like we do.
cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h cp -a $(pkg-config --variable=includedir libusb-1.0)/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h
%endif %endif
# Hard code extra version # Hard code extra version
@ -1247,7 +1267,8 @@ export RUSTC_BOOTSTRAP=1
# set rustc version # set rustc version
rustc_version="$(rustc --version)" rustc_version="$(rustc --version)"
# set rust bindgen root # set rust bindgen root
rust_bindgen_root="%{_prefix}" rust_bindgen_root="$(which bindgen | sed 's#/bin/.*##')"
rust_sysroot_absolute="$(rustc --print sysroot)"
# set clang version # set clang version
clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)" clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)"
@ -1291,7 +1312,7 @@ CHROMIUM_CORE_GN_DEFINES+=' clang_use_chrome_plugins=false'
CHROMIUM_CORE_GN_DEFINES+=' use_lld=true' CHROMIUM_CORE_GN_DEFINES+=' use_lld=true'
# enable system rust # enable system rust
CHROMIUM_CORE_GN_DEFINES+=' rust_sysroot_absolute="%{_prefix}"' CHROMIUM_CORE_GN_DEFINES+=" rust_sysroot_absolute=\"$rust_sysroot_absolute\""
CHROMIUM_CORE_GN_DEFINES+=" rust_bindgen_root=\"$rust_bindgen_root\"" CHROMIUM_CORE_GN_DEFINES+=" rust_bindgen_root=\"$rust_bindgen_root\""
CHROMIUM_CORE_GN_DEFINES+=" rustc_version=\"$rustc_version\"" CHROMIUM_CORE_GN_DEFINES+=" rustc_version=\"$rustc_version\""
@ -1343,13 +1364,13 @@ CHROMIUM_BROWSER_GN_DEFINES+=' rtc_use_h264=false'
CHROMIUM_BROWSER_GN_DEFINES+=' use_kerberos=true' CHROMIUM_BROWSER_GN_DEFINES+=' use_kerberos=true'
%if %{use_qt} %if %{use_qt}
CHROMIUM_BROWSER_GN_DEFINES+=' use_qt=true moc_qt5_path="%{_libdir}/qt5/bin/"' CHROMIUM_BROWSER_GN_DEFINES+=" use_qt=true moc_qt5_path=\"$(%{_qt5_qmake} -query QT_HOST_BINS)\""
%else %else
CHROMIUM_BROWSER_GN_DEFINES+=' use_qt=false' CHROMIUM_BROWSER_GN_DEFINES+=' use_qt=false'
%endif %endif
%if %{use_qt6} %if %{use_qt6}
CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=true moc_qt6_path="%{_libdir}/qt6/libexec/"' CHROMIUM_BROWSER_GN_DEFINES+=" use_qt6=true moc_qt6_path=\"$(%{_qt6_qmake} -query QT_HOST_LIBEXECS)\""
%else %else
CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false' CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false'
%endif %endif
@ -1518,7 +1539,7 @@ fi
%if %{bootstrap} %if %{bootstrap}
tools/gn/bootstrap/bootstrap.py --gn-gen-args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES" tools/gn/bootstrap/bootstrap.py --gn-gen-args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES"
%else %else
mkdir -p %{chromebuilddir} && cp -a %{_bindir}/gn %{chromebuilddir}/ mkdir -p %{chromebuilddir} && cp -a $(which gn) %{chromebuilddir}/
%endif %endif
%{chromebuilddir}/gn --script-executable=%{chromium_pybin} gen --args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES" %{chromebuilddir} %{chromebuilddir}/gn --script-executable=%{chromium_pybin} gen --args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES" %{chromebuilddir}
@ -1742,6 +1763,7 @@ cp -a %{SOURCE9} %{buildroot}%{_datadir}/gnome-control-center/default-apps/
# README.fedora # README.fedora
cp %{SOURCE1} . cp %{SOURCE1} .
%if %{undefined flatpak}
%post %post
# Set SELinux labels - semanage itself will adjust the lib directory naming # Set SELinux labels - semanage itself will adjust the lib directory naming
# But only do it when selinux is enabled, otherwise, it gets noisy. # But only do it when selinux is enabled, otherwise, it gets noisy.
@ -1751,6 +1773,7 @@ if selinuxenabled; then
semanage fcontext -a -t chrome_sandbox_exec_t /usr/lib/chrome-sandbox &>/dev/null || : semanage fcontext -a -t chrome_sandbox_exec_t /usr/lib/chrome-sandbox &>/dev/null || :
restorecon -R -v %{chromium_path}/%{chromium_browser_channel} &>/dev/null || : restorecon -R -v %{chromium_path}/%{chromium_browser_channel} &>/dev/null || :
fi fi
%endif
%if %{build_remoting} %if %{build_remoting}
%pretrans -n chrome-remote-desktop -p <lua> %pretrans -n chrome-remote-desktop -p <lua>

1325
flatpak-Add-initial-sandbox-support.patch
View File

File diff suppressed because it is too large Load Diff

86
flatpak-Adjust-paths-for-the-sandbox.patch
Unescape View File

@ -0,0 +1,86 @@
From 997c9dc4160c468f26acb851eb65408f41e2a091 Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 25 Aug 2020 19:26:07 -0500
Subject: [PATCH] flatpak: Adjust paths for the sandbox
---
chrome/common/BUILD.gn | 4 ++++
chrome/common/chrome_paths.cc | 26 +++++++++++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn
index 76cf6a5985990..4044c87b656c4 100644
--- a/chrome/common/BUILD.gn
+++ b/chrome/common/BUILD.gn
@@ -642,6 +642,10 @@ static_library("constants") {
"//third_party/widevine/cdm:headers",
]
}
+
+ if (is_linux) {
+ deps += [ "//sandbox/linux:sandbox_services" ]
+ }
}
# Use a static library here because many test binaries depend on this but don't
diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
index ec09803ffabcf..ecbc300b99e1d 100644
--- a/chrome/common/chrome_paths.cc
+++ b/chrome/common/chrome_paths.cc
@@ -38,6 +38,10 @@
#include "base/win/registry.h"
#endif
+#if BUILDFLAG(IS_LINUX)
+#include "sandbox/linux/services/flatpak_sandbox.h"
+#endif
+
#if BUILDFLAG(ENABLE_WIDEVINE)
#include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck
#endif
@@ -537,6 +541,14 @@ bool PathProvider(int key, base::FilePath* result) {
break;
#if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_OPENBSD)
case chrome::DIR_POLICY_FILES: {
+#if defined(OS_LINUX)
+ if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
+ sandbox::FlatpakSandbox::SandboxLevel::kNone) {
+ cur = base::FilePath(
+ FILE_PATH_LITERAL("/app/chromium/extensions/policies"));
+ break;
+ }
+#endif
cur = base::FilePath(policy::kPolicyPath);
break;
}
@@ -557,7 +569,13 @@ bool PathProvider(int key, base::FilePath* result) {
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case chrome::DIR_STANDALONE_EXTERNAL_EXTENSIONS: {
- cur = base::FilePath(kFilepathSinglePrefExtensions);
+ if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
+ sandbox::FlatpakSandbox::SandboxLevel::kNone) {
+ cur = base::FilePath(
+ FILE_PATH_LITERAL("/app/chromium/extensions/extensions"));
+ } else {
+ cur = base::FilePath(kFilepathSinglePrefExtensions);
+ }
break;
}
#endif
@@ -604,6 +622,12 @@ bool PathProvider(int key, base::FilePath* result) {
"/Library/Application Support/Chromium/NativeMessagingHosts"));
#endif
#else // BUILDFLAG(IS_MAC)
+ if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
+ sandbox::FlatpakSandbox::SandboxLevel::kNone) {
+ cur = base::FilePath(FILE_PATH_LITERAL(
+ "/app/chromium/extensions/native-messaging-hosts"));
+ break;
+ }
#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
cur = base::FilePath(
FILE_PATH_LITERAL("/etc/opt/chrome/native-messaging-hosts"));
--
2.46.1

326
flatpak-Expose-Widevine-into-the-sandbox.patch
Unescape View File

@ -0,0 +1,326 @@
From 0446b3432c90bbab893c7bde22a5e664e14753af Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 17 Nov 2020 13:00:39 -0600
Subject: [PATCH] flatpak: Expose Widevine into the sandbox
---
.../zygote_host/zygote_host_impl_linux.cc | 54 +++++++++++++-
sandbox/linux/services/flatpak_sandbox.cc | 74 ++++++++++++++-----
sandbox/linux/services/flatpak_sandbox.h | 27 ++++++-
3 files changed, 131 insertions(+), 24 deletions(-)
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
index 1703fb6ade044..3e8eb87981230 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
@@ -9,7 +9,10 @@
#include <sys/types.h>
#include "base/files/file_enumerator.h"
+#include "base/files/file_util.h"
#include "base/logging.h"
+#include "base/nix/xdg_util.h"
+#include "base/path_service.h"
#include "base/posix/unix_domain_socket.h"
#include "base/process/kill.h"
#include "base/process/launch.h"
@@ -18,9 +21,12 @@
#include "base/types/fixed_array.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "chrome/common/chrome_paths.h" // nogncheck
#include "content/common/zygote/zygote_commands_linux.h"
#include "content/common/zygote/zygote_communication_linux.h"
#include "content/common/zygote/zygote_handle_impl_linux.h"
+#include "content/public/common/cdm_info.h"
+#include "content/public/common/content_client.h"
#include "content/public/common/zygote/zygote_handle.h"
#include "sandbox/linux/services/credentials.h"
#include "sandbox/linux/services/flatpak_sandbox.h"
@@ -29,6 +35,7 @@
#include "sandbox/linux/suid/common/sandbox.h"
#include "sandbox/policy/linux/sandbox_linux.h"
#include "sandbox/policy/switches.h"
+#include "third_party/widevine/cdm/buildflags.h" // nogncheck
#if BUILDFLAG(IS_CHROMEOS)
#include "content/common/zygote/zygote_communication_linux.h"
@@ -193,8 +200,51 @@ pid_t ZygoteHostImpl::LaunchZygote(
if (is_sandboxed_zygote && use_namespace_sandbox_) {
process = sandbox::NamespaceSandbox::LaunchProcess(*cmd_line, options);
} else if (is_sandboxed_zygote && use_flatpak_sandbox_) {
- process = sandbox::FlatpakSandbox::GetInstance()->LaunchProcess(*cmd_line,
- options);
+ sandbox::FlatpakSandbox::SpawnOptions spawn_options;
+
+#if BUILDFLAG(ENABLE_LIBRARY_CDMS)
+ // Expose the CDM paths into the sandbox. This is similar to PreSandboxInit
+ // in content_main_runner_impl.cc.
+ std::vector<CdmInfo> cdms;
+ GetContentClient()->AddContentDecryptionModules(&cdms, nullptr);
+ for (const auto& cdm : cdms) {
+ if (!spawn_options.ExposePathRo(cdm.path)) {
+ LOG(ERROR) << "Failed to expose CDM module";
+ }
+ }
+#endif
+
+#if BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
+ // Make sure we also expose the full Widevine CDM folder so it can be
+ // detected.
+ // TODO: Remove the explicit dependencies on chrome::.
+ base::FilePath widevine_cdm_path;
+ if (!base::PathService::Get(chrome::DIR_COMPONENT_UPDATED_WIDEVINE_CDM,
+ &widevine_cdm_path)) {
+ LOG(ERROR) << "Failed to get Widevine CDM folder for sandbox forwarding";
+ }
+
+ LOG(INFO) << "Widevine CDM path IS: " << widevine_cdm_path;
+
+ if (!widevine_cdm_path.empty() && base::PathExists(widevine_cdm_path)) {
+ if (!spawn_options.ExposePathRo(widevine_cdm_path)) {
+ LOG(ERROR) << "Failed to expose updated Widevine CDM path";
+ }
+ }
+
+ // The Widevine data is found relative to $XDG_CONFIG_HOME, which is not set
+ // by default when running a sandboxed process.
+ auto env = base::Environment::Create();
+ base::FilePath xdgConfigHome = base::nix::GetXDGDirectory(
+ env.get(), base::nix::kXdgConfigHomeEnvVar, nullptr);
+ if (!xdgConfigHome.empty()) {
+ options.environment[base::nix::kXdgConfigHomeEnvVar] =
+ xdgConfigHome.value();
+ }
+#endif
+
+ process = sandbox::FlatpakSandbox::GetInstance()->LaunchProcess(
+ *cmd_line, options, spawn_options);
} else {
process = base::LaunchProcess(*cmd_line, options);
}
diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
index 2a915a5b9fa11..ed8d4c0556f63 100644
--- a/sandbox/linux/services/flatpak_sandbox.cc
+++ b/sandbox/linux/services/flatpak_sandbox.cc
@@ -4,6 +4,7 @@
#include "sandbox/linux/services/flatpak_sandbox.h"
+#include <fcntl.h>
#include <signal.h>
#include <sstream>
#include <string>
@@ -92,6 +93,18 @@ enum FlatpakSpawnSandboxFlags {
kFlatpakSpawnSandbox_ShareA11yBus = 1 << 4,
};
+bool FlatpakSandbox::SpawnOptions::ExposePathRo(base::FilePath path) {
+ base::ScopedFD fd(
+ HANDLE_EINTR(open(path.value().c_str(), O_PATH | O_NOFOLLOW)));
+ if (!fd.is_valid()) {
+ PLOG(ERROR) << "Failed to expose path " << path;
+ return false;
+ }
+
+ sandbox_expose_ro.push_back(std::move(fd));
+ return true;
+}
+
FlatpakSandbox::FlatpakSandbox()
: bus_thread_("FlatpakPortalBus"), process_info_cv_(&process_info_lock_) {}
@@ -168,8 +181,9 @@ bool FlatpakSandbox::IsPidSandboxed(base::ProcessId relative_pid) {
base::Process FlatpakSandbox::LaunchProcess(
const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options) {
- base::ProcessId external_pid = Spawn(cmdline, launch_options);
+ const base::LaunchOptions& launch_options,
+ const SpawnOptions& spawn_options /*= {}*/) {
+ base::ProcessId external_pid = Spawn(cmdline, launch_options, spawn_options);
if (external_pid == base::kNullProcessId) {
return base::Process();
}
@@ -363,9 +377,9 @@ void FlatpakSandbox::OnSpawnExitedSignal(dbus::Signal* signal) {
process_info_cv_.Broadcast();
}
-base::ProcessId FlatpakSandbox::Spawn(
- const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options) {
+base::ProcessId FlatpakSandbox::Spawn(const base::CommandLine& cmdline,
+ const base::LaunchOptions& launch_options,
+ const SpawnOptions& spawn_options) {
base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
base::BlockingType::MAY_BLOCK);
base::ScopedAllowBaseSyncPrimitives allow_wait;
@@ -391,24 +405,26 @@ base::ProcessId FlatpakSandbox::Spawn(
FROM_HERE,
base::BindOnce(&FlatpakSandbox::SpawnOnBusThread, base::Unretained(this),
base::Unretained(&external_pid), base::Unretained(&event),
- cmdline, launch_options));
+ base::Unretained(&cmdline),
+ base::Unretained(&launch_options),
+ base::Unretained(&spawn_options)));
event.Wait();
return external_pid;
}
-void FlatpakSandbox::SpawnOnBusThread(
- base::ProcessId* out_external_pid,
- base::WaitableEvent* event,
- const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options) {
+void FlatpakSandbox::SpawnOnBusThread(base::ProcessId* out_external_pid,
+ base::WaitableEvent* event,
+ const base::CommandLine* cmdline,
+ const base::LaunchOptions* launch_options,
+ const SpawnOptions* spawn_options) {
dbus::ObjectProxy* object_proxy = GetPortalObjectProxy();
dbus::MethodCall method_call(kFlatpakPortalInterfaceName, "Spawn");
dbus::MessageWriter writer(&method_call);
const base::FilePath& current_directory =
- !launch_options.current_directory.empty()
- ? launch_options.current_directory
+ !launch_options->current_directory.empty()
+ ? launch_options->current_directory
// Change to /app since it's guaranteed to always be present in
// the sandbox.
: kFlatpakAppPath;
@@ -417,7 +433,7 @@ void FlatpakSandbox::SpawnOnBusThread(
dbus::MessageWriter argv_writer(nullptr);
writer.OpenArray("ay", &argv_writer);
- for (const std::string& arg : cmdline.argv()) {
+ for (const std::string& arg : cmdline->argv()) {
WriteStringAsByteArray(&argv_writer, arg);
}
@@ -439,7 +455,7 @@ void FlatpakSandbox::SpawnOnBusThread(
WriteFdPairMap(&fds_writer, STDOUT_FILENO, STDOUT_FILENO);
WriteFdPairMap(&fds_writer, STDERR_FILENO, STDERR_FILENO);
- for (const auto& pair : launch_options.fds_to_remap) {
+ for (const auto& pair : launch_options->fds_to_remap) {
WriteFdPairMap(&fds_writer, pair.first, pair.second);
}
@@ -448,7 +464,7 @@ void FlatpakSandbox::SpawnOnBusThread(
dbus::MessageWriter env_writer(nullptr);
writer.OpenArray("{ss}", &env_writer);
- for (const auto& pair : launch_options.environment) {
+ for (const auto& pair : launch_options->environment) {
dbus::MessageWriter entry_writer(nullptr);
env_writer.OpenDictEntry(&entry_writer);
@@ -472,11 +488,11 @@ void FlatpakSandbox::SpawnOnBusThread(
#else
#endif
- if (launch_options.clear_environment) {
+ if (launch_options->clear_environment) {
spawn_flags |= kFlatpakSpawn_ClearEnvironment;
}
- if (launch_options.kill_on_parent_death) {
+ if (launch_options->kill_on_parent_death) {
spawn_flags |= kFlatpakSpawn_WatchBus;
}
@@ -485,6 +501,28 @@ void FlatpakSandbox::SpawnOnBusThread(
dbus::MessageWriter options_writer(nullptr);
writer.OpenArray("{sv}", &options_writer);
+ if (!spawn_options->sandbox_expose_ro.empty()) {
+ dbus::MessageWriter entry_writer(nullptr);
+ options_writer.OpenDictEntry(&entry_writer);
+
+ entry_writer.AppendString("sandbox-expose-fd-ro");
+
+ dbus::MessageWriter variant_writer(nullptr);
+ entry_writer.OpenVariant("ah", &variant_writer);
+
+ dbus::MessageWriter fds_writer(nullptr);
+ variant_writer.OpenArray("h", &fds_writer);
+
+ for (const base::ScopedFD& fd : spawn_options->sandbox_expose_ro) {
+ CHECK(fd.is_valid()) << "Invalid spawn expose fd";
+ fds_writer.AppendFileDescriptor(fd.get());
+ }
+
+ variant_writer.CloseContainer(&fds_writer);
+ entry_writer.CloseContainer(&variant_writer);
+ options_writer.CloseContainer(&entry_writer);
+ }
+
if (sandbox_flags != 0) {
dbus::MessageWriter entry_writer(nullptr);
options_writer.OpenDictEntry(&entry_writer);
diff --git a/sandbox/linux/services/flatpak_sandbox.h b/sandbox/linux/services/flatpak_sandbox.h
index 167bbc85945ad..de8e7165b4573 100644
--- a/sandbox/linux/services/flatpak_sandbox.h
+++ b/sandbox/linux/services/flatpak_sandbox.h
@@ -9,6 +9,8 @@
#include "base/compiler_specific.h"
#include "base/containers/flat_map.h"
#include "base/containers/flat_set.h"
+#include "base/files/file_path.h"
+#include "base/files/scoped_file.h"
#include "base/no_destructor.h"
#include "base/process/kill.h"
#include "base/process/launch.h"
@@ -34,6 +36,20 @@ namespace sandbox {
// it is known inside the sandbox's PID namespace.
class SANDBOX_EXPORT FlatpakSandbox {
public:
+ class SpawnOptions {
+ public:
+ SpawnOptions() = default;
+ SpawnOptions(const SpawnOptions& other) = delete;
+ SpawnOptions(SpawnOptions&& other) = delete;
+
+ bool ExposePathRo(base::FilePath path);
+
+ private:
+ friend class FlatpakSandbox;
+
+ std::vector<base::ScopedFD> sandbox_expose_ro;
+ };
+
static FlatpakSandbox* GetInstance();
// Represents the level of sandboxing inside a Flatpak. kNone means this is
@@ -55,7 +71,8 @@ class SANDBOX_EXPORT FlatpakSandbox {
// GetRelativePid. This is the reason why a vanilla ProcessId is returned
// rather than a base::Process instance.
base::Process LaunchProcess(const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options);
+ const base::LaunchOptions& launch_options,
+ const SpawnOptions& spawn_options = {});
// Indefinitely waits for the given process and fills the exit code pointer
// if given and non-null. Returns false on wait failure.
@@ -84,11 +101,13 @@ class SANDBOX_EXPORT FlatpakSandbox {
void OnSpawnExitedSignal(dbus::Signal* signal);
base::ProcessId Spawn(const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options);
+ const base::LaunchOptions& launch_options,
+ const SpawnOptions& spawn_options);
void SpawnOnBusThread(base::ProcessId* out_external_pid,
base::WaitableEvent* event,
- const base::CommandLine& cmdline,
- const base::LaunchOptions& launch_options);
+ const base::CommandLine* cmdline,
+ const base::LaunchOptions* launch_options,
+ const SpawnOptions* spawn_options);
void OnSpawnResponse(base::ProcessId* out_external_pid,
base::WaitableEvent* event,
dbus::Response* response,
--
2.46.1
Write Preview
Loading…
Cancel
Save