diff --git a/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch new file mode 100644 index 0000000..9993f7a --- /dev/null +++ b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch @@ -0,0 +1,92 @@ +From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Sat, 10 Feb 2024 00:58:27 +0100 +Subject: [PATCH] extensionSystem: Support locking down extension installation + +Currently extensions can only be locked down completely by +restricting the `enabled-extensions` key via dconf. + +This is too restrictive for environments that want to allow users +to customize their system with extensions, while still limiting +the set of possible extensions. + +To fill that gap, add a new `allow-extension-installation` setting, +which restricts extensions to system extensions when disabled. + +As the setting is mainly intended for locking down by system +administrators, there is no attempt to load/unload extensions +on settings changes. +--- + data/org.gnome.shell.gschema.xml.in | 11 +++++++++++ + js/ui/extensionDownloader.js | 6 ++++++ + js/ui/extensionSystem.js | 8 ++++++-- + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in +index 6f1c424bad..b5921983cd 100644 +--- a/data/org.gnome.shell.gschema.xml.in ++++ b/data/org.gnome.shell.gschema.xml.in +@@ -40,6 +40,17 @@ + the “enabled-extension” setting. + + ++ ++ true ++ Allow extension installation ++ ++ Allow users to install extensions in their home folder. If disabled, ++ the InstallRemoteExtension D-Bus method will fail, and extensions ++ are only loaded from system directories on startup. ++ It does not affect extensions that are already loaded, so a change ++ only takes full effect on the next login. ++ ++ + + false + Disables the validation of extension version compatibility +diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js +index 471ddab147..01ed165c01 100644 +--- a/js/ui/extensionDownloader.js ++++ b/js/ui/extensionDownloader.js +@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE = 'https://extensions.gnome.org/update-info/'; + let _httpSession; + + function installExtension(uuid, invocation) { ++ if (!global.settings.get_boolean('allow-extension-installation')) { ++ invocation.return_dbus_error('org.gnome.Shell.InstallError', ++ 'Extension installation is not allowed'); ++ return; ++ } ++ + const oldExt = Main.extensionManager.lookup(uuid); + if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) { + log('extensionDownloader: Trying to replace system extension %s'.format(uuid)); +diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js +index 937f861994..528d9ea450 100644 +--- a/js/ui/extensionSystem.js ++++ b/js/ui/extensionSystem.js +@@ -64,7 +64,10 @@ var ExtensionManager = class { + + get updatesSupported() { + const appSys = Shell.AppSystem.get_default(); +- return appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const hasUpdatesApp = ++ appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const allowed = global.settings.get_boolean('allow-extension-installation'); ++ return allowed && hasUpdatesApp; + } + + lookup(uuid) { +@@ -595,7 +598,8 @@ var ExtensionManager = class { + this._enabledExtensions = this._getEnabledExtensions(); + + let perUserDir = Gio.File.new_for_path(global.userdatadir); +- FileUtils.collectFromDatadirs('extensions', true, (dir, info) => { ++ const includeUserDir = global.settings.get_boolean('allow-extension-installation'); ++ FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => { + let fileType = info.get_file_type(); + if (fileType != Gio.FileType.DIRECTORY) + return; +-- +2.43.0 + diff --git a/SPECS/gnome-shell.spec b/SPECS/gnome-shell.spec index 50ed56d..327a3fe 100644 --- a/SPECS/gnome-shell.spec +++ b/SPECS/gnome-shell.spec @@ -2,7 +2,7 @@ Name: gnome-shell Version: 40.10 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Window management and application launching for GNOME License: GPLv2+ @@ -56,6 +56,7 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch Patch53: 0001-po-Update-translations.patch Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch +Patch56: 0001-extensionSystem-Support-locking-down-extension-insta.patch %define eds_version 3.33.1 %define gnome_desktop_version 3.35.91 @@ -275,6 +276,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de %{_mandir}/man1/gnome-shell.1* %changelog +* Wed Feb 14 2024 Florian Müllner - 40.10-14 +- Allow restricting extension installation + Resolves: RHEL-25201 + * Mon May 15 2023 Ray Strode - 40.10-13 - Don't reset smartcard conversation twice when smartcard is inserted. Resolves: #2140898