49 lines
1.8 KiB
Diff
49 lines
1.8 KiB
Diff
From ce6a6e593310d42f7aecddb88d98e759f22ab6db Mon Sep 17 00:00:00 2001
|
|
From: Simon McVittie <smcv@collabora.com>
|
|
Date: Tue, 12 Jan 2021 12:25:59 +0000
|
|
Subject: [PATCH] portal: Convert --env in extra-args into --env-fd
|
|
|
|
This hides overridden variables from the command-line, which means
|
|
processes running under other uids can't see them in /proc/*/cmdline,
|
|
which might be important if they contain secrets.
|
|
|
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
|
---
|
|
portal/Makefile.am.inc | 4 ++-
|
|
portal/flatpak-portal.c | 65 ++++++++++++++++++++++++++++++++++++++++-
|
|
2 files changed, 67 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/portal/Makefile.am.inc b/portal/Makefile.am.inc
|
|
index dc45969..e5e57ba 100644
|
|
--- a/portal/Makefile.am.inc
|
|
+++ b/portal/Makefile.am.inc
|
|
@@ -46,6 +46,8 @@ flatpak_portal_SOURCES = \
|
|
portal/portal-impl.h \
|
|
common/flatpak-portal-error.c \
|
|
common/flatpak-portal-error.h \
|
|
+ common/flatpak-utils-memfd.c \
|
|
+ common/flatpak-utils-memfd-private.h \
|
|
$(NULL)
|
|
|
|
BUILT_SOURCES += $(nodist_flatpak_portal_SOURCES)
|
|
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
|
|
index 7887c57..40a8ce7 100644
|
|
--- a/portal/flatpak-portal.c
|
|
+++ b/portal/flatpak-portal.c
|
|
@@ -46,6 +46,14 @@
|
|
#include "flatpak-instance-private.h"
|
|
#include "flatpak-portal-app-info.h"
|
|
#include "flatpak-portal-error.h"
|
|
+#include "flatpak-utils-memfd-private.h"
|
|
+
|
|
+/* Syntactic sugar added in newer GLib, which makes the error paths more
|
|
+ * clearly correct */
|
|
+#ifndef G_DBUS_METHOD_INVOCATION_HANDLED
|
|
+# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE
|
|
+# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE
|
|
+#endif
|
|
#include "flatpak-utils-base-private.h"
|
|
#include "portal-impl.h"
|
|
#include "flatpak-permission-dbus.h"
|