From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine
Date: Sun, 12 Apr 2020 14:57:47 +0200
Message-Id: <20200412125747.1073025-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/1] package/gvfs: bump to version 1.44.1
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1269436

- Remove all patches (already in version)
- Move to meson-package
- Add new gsettings-desktop-schemas mandatory dependency
- gdu option doesn't exist anymore:
  https://gitlab.gnome.org/GNOME/gvfs/-/commit/1db029df72bcd50dd877d388c2e0934d8ed3d321
- Use new gcrypt option
- systemd-login option has been replaced by logind option
- avahi option has been replaced by dnsd option
- gtk3 optional dependency has been removed since
  https://gitlab.gnome.org/GNOME/gvfs/-/commit/dff13283c943c8b10265bd3925d86f17cdc4be6f
- Disable new sftp backend:
  https://gitlab.gnome.org/GNOME/gvfs/-/commit/44d45dca5d1ab2369fa7e5c2789b31c51e44f985
- Disable fuse (depends on fuse3 which is not available on buildroot)
- Remove gvfs-less workaround (not installed anymore)
- Update indentation of hash file

Signed-off-by: Fabrice Fontaine --- ...authentication-agent-isn-t-available.patch | 46 ------ ...ery_info_on_read-write-functionality.patch | 131 ---------------- ...0003-admin-Allow-changing-file-owner.patch | 34 ----- ...uid-to-ensure-correct-file-ownership.patch | 91 ----------- ...ct-ownership-when-moving-to-file-uri.patch | 84 ---------- ...e-connecting-client-is-the-same-user.patch | 96 ------------ package/gvfs/Config.in | 1 + package/gvfs/gvfs.hash | 6 +- package/gvfs/gvfs.mk | 143 +++++++----------- 9 files changed, 59 insertions(+), 573 deletions(-) delete mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch delete mode 100644 package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch delete mode 100644 package/gvfs/0003-admin-Allow-changing-file-owner.patch delete mode 100644 package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch delete mode 100644 package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch delete mode 100644 package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch deleted file mode 100644 index b5a6d024cc..0000000000 --- a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Wed, 2 Jan 2019 17:13:27 +0100 -Subject: [PATCH] admin: Prevent access if any authentication agent isn't - available - -The backend currently allows to access and modify files without prompting -for password if any polkit authentication agent isn't available. This seems -isn't usually problem, because polkit agents are integral parts of -graphical environments / linux distributions. The agents can't be simply -disabled without root permissions and are automatically respawned. However, -this might be a problem in some non-standard cases. - -This affects only users which belong to wheel group (i.e. those who are -already allowed to use sudo). It doesn't allow privilege escalation for -users, who don't belong to that group. - -Let's return permission denied error also when the subject can't be -authorized by any polkit agent to prevent this behavior. - -Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355 - -[Retrieved from: -https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsbackendadmin.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index ec0f2392..0f849008 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self, - return FALSE; - } - -- is_authorized = polkit_authorization_result_get_is_authorized (result) || -- polkit_authorization_result_get_is_challenge (result); -+ is_authorized = polkit_authorization_result_get_is_authorized (result); - - g_object_unref (result); - --- -2.24.1 - diff --git a/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch b/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch deleted file mode 100644 index 42174153d2..0000000000 
--- a/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Thu, 23 May 2019 10:24:36 +0200 -Subject: [PATCH] admin: Add query_info_on_read/write functionality - -Admin backend doesn't implement query_info_on_read/write which might -potentially lead to some race conditions which aren't really wanted -especially in case of admin backend. Let's add this missing functionality. - -[Retrieved fom: -https://gitlab.gnome.org/GNOME/gvfs/commit/5cd76d627f4d1982b6e77a0e271ef9301732d09e] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------ - 1 file changed, 67 insertions(+), 12 deletions(-) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index 65a979e7..23d16f16 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -42,6 +42,8 @@ - #include "gvfsjobopenforwrite.h" - #include "gvfsjobqueryattributes.h" - #include "gvfsjobqueryinfo.h" -+#include "gvfsjobqueryinforead.h" -+#include "gvfsjobqueryinfowrite.h" - #include "gvfsjobread.h" - #include "gvfsjobseekread.h" - #include "gvfsjobseekwrite.h" -@@ -155,6 +157,19 @@ complete_job (GVfsJob *job, - g_vfs_job_succeeded (job); - } - -+static void -+fix_file_info (GFileInfo *info) -+{ -+ /* Override read/write flags, since the above call will use access() -+ * to determine permissions, which does not honor our privileged -+ * capabilities. 
-+ */ -+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); -+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); -+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); -+ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); -+} -+ - static void - do_query_info (GVfsBackend *backend, - GVfsJobQueryInfo *query_info_job, -@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend, - if (error != NULL) - goto out; - -- /* Override read/write flags, since the above call will use access() -- * to determine permissions, which does not honor our privileged -- * capabilities. -- */ -- g_file_info_set_attribute_boolean (real_info, -- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); -- g_file_info_set_attribute_boolean (real_info, -- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); -- g_file_info_set_attribute_boolean (real_info, -- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); -- g_file_info_set_attribute_boolean (real_info, -- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); -+ fix_file_info (real_info); -+ g_file_info_copy_into (real_info, info); -+ g_object_unref (real_info); -+ -+ out: -+ complete_job (job, error); -+} -+ -+static void -+do_query_info_on_read (GVfsBackend *backend, -+ GVfsJobQueryInfoRead *query_info_job, -+ GVfsBackendHandle handle, -+ GFileInfo *info, -+ GFileAttributeMatcher *matcher) -+{ -+ GVfsJob *job = G_VFS_JOB (query_info_job); -+ GFileInputStream *stream = handle; -+ GError *error = NULL; -+ GFileInfo *real_info; -+ -+ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes, -+ job->cancellable, &error); -+ if (error != NULL) -+ goto out; -+ -+ fix_file_info (real_info); -+ g_file_info_copy_into (real_info, info); -+ g_object_unref (real_info); -+ -+ out: -+ complete_job (job, error); -+} -+ -+static void -+do_query_info_on_write (GVfsBackend *backend, -+ GVfsJobQueryInfoWrite *query_info_job, -+ GVfsBackendHandle handle, 
-+ GFileInfo *info, -+ GFileAttributeMatcher *matcher) -+{ -+ GVfsJob *job = G_VFS_JOB (query_info_job); -+ GFileOutputStream *stream = handle; -+ GError *error = NULL; -+ GFileInfo *real_info; -+ -+ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes, -+ job->cancellable, &error); -+ if (error != NULL) -+ goto out; - -+ fix_file_info (real_info); - g_file_info_copy_into (real_info, info); - g_object_unref (real_info); - -@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass) - backend_class->mount = do_mount; - backend_class->open_for_read = do_open_for_read; - backend_class->query_info = do_query_info; -+ backend_class->query_info_on_read = do_query_info_on_read; -+ backend_class->query_info_on_write = do_query_info_on_write; - backend_class->read = do_read; - backend_class->create = do_create; - backend_class->append_to = do_append_to; --- -2.24.1 - diff --git a/package/gvfs/0003-admin-Allow-changing-file-owner.patch b/package/gvfs/0003-admin-Allow-changing-file-owner.patch deleted file mode 100644 index 04138b3957..0000000000 --- a/package/gvfs/0003-admin-Allow-changing-file-owner.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From daf1163aba229afcfddf0f925aef7e97047e8959 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Thu, 23 May 2019 10:29:08 +0200 -Subject: [PATCH] admin: Allow changing file owner - -CAP_CHOWN is dropped together with other privilages and thus the backend -can't change file owner. This might be probably e.g. in case of copy -operation when G_FILE_COPY_ALL_METADATA is used. Let's keep CAP_CHOWN -to fix this. - -[Retrieved from: -https://gitlab.gnome.org/GNOME/gvfs/commit/daf1163aba229afcfddf0f925aef7e97047e8959] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsbackendadmin.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index 23d16f16..a74d09cf 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -968,7 +968,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self) - - #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \ - CAP_TO_MASK(CAP_DAC_OVERRIDE) | \ -- CAP_TO_MASK(CAP_DAC_READ_SEARCH)) -+ CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \ -+ CAP_TO_MASK(CAP_CHOWN)) - - static void - acquire_caps (uid_t uid) --- -2.24.1 - diff --git a/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch b/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch deleted file mode 100644 index 22fe57002f..0000000000 --- a/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 3895e09d784ebec0fbc4614d5c37068736120e1d Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Thu, 23 May 2019 10:33:30 +0200 -Subject: [PATCH] admin: Use fsuid to ensure correct file ownership - -Files created over admin backend should be owned by root, but they are -owned by the user itself. This is because the daemon drops the uid to -make dbus connection work. Use fsuid and euid to fix this issue. - -Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/21 - -[Retrieved from: -https://gitlab.gnome.org/GNOME/gvfs/commit/3895e09d784ebec0fbc4614d5c37068736120e1d] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsbackendadmin.c | 29 +++++++---------------------- - 1 file changed, 7 insertions(+), 22 deletions(-) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index a74d09cf..32b51b1a 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -157,19 +157,6 @@ complete_job (GVfsJob *job, - g_vfs_job_succeeded (job); - } - --static void --fix_file_info (GFileInfo *info) --{ -- /* Override read/write flags, since the above call will use access() -- * to determine permissions, which does not honor our privileged -- * capabilities. 
-- */ -- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); -- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); -- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); -- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); --} -- - static void - do_query_info (GVfsBackend *backend, - GVfsJobQueryInfo *query_info_job, -@@ -195,7 +182,6 @@ do_query_info (GVfsBackend *backend, - if (error != NULL) - goto out; - -- fix_file_info (real_info); - g_file_info_copy_into (real_info, info); - g_object_unref (real_info); - -@@ -220,7 +206,6 @@ do_query_info_on_read (GVfsBackend *backend, - if (error != NULL) - goto out; - -- fix_file_info (real_info); - g_file_info_copy_into (real_info, info); - g_object_unref (real_info); - -@@ -245,7 +230,6 @@ do_query_info_on_write (GVfsBackend *backend, - if (error != NULL) - goto out; - -- fix_file_info (real_info); - g_file_info_copy_into (real_info, info); - g_object_unref (real_info); - -@@ -977,14 +961,15 @@ acquire_caps (uid_t uid) - struct __user_cap_header_struct hdr; - struct __user_cap_data_struct data; - -- /* Tell kernel not clear capabilities when dropping root */ -- if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) -- g_error ("prctl(PR_SET_KEEPCAPS) failed"); -- -- /* Drop root uid, but retain the required permitted caps */ -- if (setuid (uid) < 0) -+ /* Set euid to user to make dbus work */ -+ if (seteuid (uid) < 0) - g_error ("unable to drop privs"); - -+ /* Set fsuid to still behave like root when working with files */ -+ setfsuid (0); -+ if (setfsuid (-1) != 0) -+ g_error ("setfsuid failed"); -+ - memset (&hdr, 0, sizeof(hdr)); - hdr.version = _LINUX_CAPABILITY_VERSION; - --- -2.24.1 - 
diff --git a/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch b/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch deleted file mode 100644 index 29f7573a65..0000000000 --- a/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Fri, 24 May 2019 09:43:43 +0200 -Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri - -User and group is not restored properly when moving (or copying with -G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled -by GIO fallback code, which doesn't run with root permissions. Let's -handle this case with pull method to ensure correct ownership. - -[Retrieved from: -https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 46 insertions(+) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index 32b51b1a..9a7e8295 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend, - complete_job (job, error); - } - -+static void -+do_pull (GVfsBackend *backend, -+ GVfsJobPull *pull_job, -+ const char *source, -+ const char *local_path, -+ GFileCopyFlags flags, -+ gboolean remove_source, -+ GFileProgressCallback progress_callback, -+ gpointer progress_callback_data) -+{ -+ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend); -+ GVfsJob *job = G_VFS_JOB (pull_job); -+ GError *error = NULL; -+ GFile *src_file, *dst_file; -+ -+ /* Pull method is necessary when user/group needs to be restored, return -+ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code. 
-+ */ -+ if (!(flags & G_FILE_COPY_ALL_METADATA)) -+ { -+ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR, -+ G_IO_ERROR_NOT_SUPPORTED, -+ _("Operation not supported")); -+ return; -+ } -+ -+ if (!check_permission (self, job)) -+ return; -+ -+ src_file = g_file_new_for_path (source); -+ dst_file = g_file_new_for_path (local_path); -+ -+ if (remove_source) -+ g_file_move (src_file, dst_file, flags, job->cancellable, -+ progress_callback, progress_callback_data, &error); -+ else -+ g_file_copy (src_file, dst_file, flags, job->cancellable, -+ progress_callback, progress_callback_data, &error); -+ -+ g_object_unref (src_file); -+ g_object_unref (dst_file); -+ -+ complete_job (job, error); -+} -+ - static void - do_query_settable_attributes (GVfsBackend *backend, - GVfsJobQueryAttributes *query_job, -@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass) - backend_class->set_attribute = do_set_attribute; - backend_class->delete = do_delete; - backend_class->move = do_move; -+ backend_class->pull = do_pull; - backend_class->query_settable_attributes = do_query_settable_attributes; - backend_class->query_writable_namespaces = do_query_writable_namespaces; - } --- -2.24.1 - diff --git a/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch b/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch deleted file mode 100644 index 56bef26b0f..0000000000 --- a/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 70dbfc68a79faac49bd3423e079cb6902522082a Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 5 Jun 2019 13:33:38 +0100 -Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user - -Otherwise, an attacker who learns the abstract socket address from -netstat(8) or similar could connect to it and issue D-Bus method -calls. - -Signed-off-by: Simon McVittie - -[Retrieved from: -https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a] -Signed-off-by: Fabrice Fontaine ---- - daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++- - 1 file changed, 35 insertions(+), 1 deletion(-) - -diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c -index 406d4f8e..be148a7b 100644 ---- a/daemon/gvfsdaemon.c -+++ b/daemon/gvfsdaemon.c -@@ -79,6 +79,7 @@ struct _GVfsDaemon - - gint mount_counter; - -+ GDBusAuthObserver *auth_observer; - GDBusConnection *conn; - GVfsDBusDaemon *daemon_skeleton; - GVfsDBusMountable *mountable_skeleton; -@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object) - } - if (daemon->conn != NULL) - g_object_unref (daemon->conn); -+ if (daemon->auth_observer != NULL) -+ g_object_unref (daemon->auth_observer); - - g_hash_table_destroy (daemon->registered_paths); - g_hash_table_destroy (daemon->client_connections); -@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection, - daemon->lost_main_daemon = TRUE; - } - -+/* -+ * Authentication observer signal handler that authorizes connections -+ * from the same uid as this process. This matches the behaviour of a -+ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction -+ * has been set, but is not the default in GDBus. 
-+ */ -+static gboolean -+authorize_authenticated_peer_cb (GDBusAuthObserver *observer, -+ G_GNUC_UNUSED GIOStream *stream, -+ GCredentials *credentials, -+ G_GNUC_UNUSED gpointer user_data) -+{ -+ gboolean authorized = FALSE; -+ -+ if (credentials != NULL) -+ { -+ GCredentials *own_credentials; -+ -+ own_credentials = g_credentials_new (); -+ -+ if (g_credentials_is_same_user (credentials, own_credentials, NULL)) -+ authorized = TRUE; -+ -+ g_object_unref (own_credentials); -+ } -+ -+ return authorized; -+} -+ - static void - g_vfs_daemon_init (GVfsDaemon *daemon) - { -@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon) - - daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL); - g_assert (daemon->conn != NULL); -+ daemon->auth_observer = g_dbus_auth_observer_new (); -+ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL); - - daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new (); - g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon); -@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object, - server = g_dbus_server_new_sync (address1, - G_DBUS_SERVER_FLAGS_NONE, - guid, -- NULL, /* GDBusAuthObserver */ -+ daemon->auth_observer, - NULL, /* GCancellable */ - &error); - g_free (guid); --- -2.24.1 - diff --git a/package/gvfs/Config.in b/package/gvfs/Config.in index 44a75210e5..78280f80e0 100644 --- a/package/gvfs/Config.in +++ b/package/gvfs/Config.in @@ -3,6 +3,7 @@ config BR2_PACKAGE_GVFS depends on BR2_USE_WCHAR # glib2 depends on BR2_USE_MMU # dbus, glib2 depends on BR2_TOOLCHAIN_HAS_THREADS # dbus, glib2 + select BR2_PACKAGE_GSETTINGS_DESKTOP_SCHEMAS select BR2_PACKAGE_LIBGLIB2 select BR2_PACKAGE_DBUS select BR2_PACKAGE_SHARED_MIME_INFO diff --git a/package/gvfs/gvfs.hash b/package/gvfs/gvfs.hash index 6b7403ffa4..2ee945e710 100644 --- a/package/gvfs/gvfs.hash +++ b/package/gvfs/gvfs.hash 
@@ -1,5 +1,5 @@ -# From http://ftp.gnome.org/pub/GNOME/sources/gvfs/1.31/gvfs-1.31.4.sha256sum -sha256 55244d447d040884dfb335fde638274cb6f2794285ada7fa84bcbbd34f06be04 gvfs-1.31.4.tar.xz +# From http://ftp.gnome.org/pub/GNOME/sources/gvfs/1.44/gvfs-1.44.1.sha256sum +sha256 50ef3245d1b03666a40455109169a2a1bd51419fd2d51f9fa6cfd4f89f04fb46 gvfs-1.44.1.tar.xz # Hash for license file -sha256 45cf336e2e48176993babc5aabf44437390f40e6a86a472c6abfc7ce9c035db4 COPYING +sha256 45cf336e2e48176993babc5aabf44437390f40e6a86a472c6abfc7ce9c035db4 COPYING diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk index b3b18a3482..d3c052587e 100644 --- a/package/gvfs/gvfs.mk +++ b/package/gvfs/gvfs.mk 
@@ -4,60 +4,46 @@ # ################################################################################ -GVFS_VERSION_MAJOR = 1.31 -GVFS_VERSION = $(GVFS_VERSION_MAJOR).4 +GVFS_VERSION_MAJOR = 1.44 +GVFS_VERSION = $(GVFS_VERSION_MAJOR).1 GVFS_SOURCE = gvfs-$(GVFS_VERSION).tar.xz GVFS_SITE = http://ftp.gnome.org/pub/GNOME/sources/gvfs/$(GVFS_VERSION_MAJOR) GVFS_INSTALL_STAGING = YES -GVFS_DEPENDENCIES = host-pkgconf host-libglib2 libglib2 dbus shared-mime-info \ +GVFS_DEPENDENCIES = \ + host-pkgconf \ + host-libglib2 \ + dbus \ + gsettings-desktop-schemas \ + libglib2 \ + shared-mime-info \ $(TARGET_NLS_DEPENDENCIES) GVFS_LICENSE = LGPL-2.0+ GVFS_LICENSE_FILES = COPYING -GVFS_LIBS = $(TARGET_NLS_LIBS) -# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch -GVFS_IGNORE_CVES += CVE-2019-3827 - -# package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch -GVFS_IGNORE_CVES += CVE-2019-12448 - -# 0003-admin-Allow-changing-file-owner.patch -# 0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch -GVFS_IGNORE_CVES += CVE-2019-12447 - -# 0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch -GVFS_IGNORE_CVES += CVE-2019-12449 - -# 0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch -GVFS_IGNORE_CVES += CVE-2019-12795 - -# Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent -# build system from searching the host paths. 
-GVFS_CONF_ENV = \ - ac_cv_path_LIBGCRYPT_CONFIG=$(STAGING_DIR)/usr/bin/libgcrypt-config \ - LIBS="$(GVFS_LIBS)" +GVFS_CONF_ENV = LIBS="$(TARGET_NLS_LIBS)" # Most of these are missing library support GVFS_CONF_OPTS = \ - --disable-afc \ - --disable-gdu \ - --disable-goa \ - --disable-google \ - --disable-libmtp \ - --disable-udisks2 + -Dafc=false \ + -Dfuse=false \ + -Dgoa=false \ + -Dgoogle=false \ + -Dmtp=false \ + -Dsftp=false \ + -Dudisks2=false ifeq ($(BR2_PACKAGE_AVAHI),y) GVFS_DEPENDENCIES += avahi -GVFS_CONF_OPTS += --enable-avahi +GVFS_CONF_OPTS += -Ddnssd=true else -GVFS_CONF_OPTS += --disable-avahi +GVFS_CONF_OPTS += -Ddnssd=false endif ifeq ($(BR2_PACKAGE_GCR),y) GVFS_DEPENDENCIES += gcr -GVFS_CONF_OPTS += --enable-gcr +GVFS_CONF_OPTS += -Dgcr=true else -GVFS_CONF_OPTS += --disable-gcr +GVFS_CONF_OPTS += -Dgcr=false endif ifeq ($(BR2_PACKAGE_HAS_UDEV),y) 
@@ -66,121 +52,103 @@ endif ifeq ($(BR2_PACKAGE_LIBGUDEV),y) GVFS_DEPENDENCIES += libgudev -GVFS_CONF_OPTS += --enable-gudev +GVFS_CONF_OPTS += -Dgudev=true else -GVFS_CONF_OPTS += --disable-gudev +GVFS_CONF_OPTS += -Dgudev=false endif ifeq ($(BR2_PACKAGE_LIBARCHIVE),y) GVFS_DEPENDENCIES += libarchive -GVFS_CONF_OPTS += \ - --enable-archive \ - --with-archive-includes=$(STAGING_DIR)/usr \ - --with-archive-libs=$(STAGING_DIR)/usr -GVFS_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs libarchive` +GVFS_CONF_OPTS += -Darchive=true else -GVFS_CONF_OPTS += --disable-archive +GVFS_CONF_OPTS += -Darchive=false endif ifeq ($(BR2_PACKAGE_LIBBLURAY),y) GVFS_DEPENDENCIES += libbluray -GVFS_CONF_OPTS += --enable-bluray +GVFS_CONF_OPTS += -Dbluray=true else -GVFS_CONF_OPTS += --disable-bluray +GVFS_CONF_OPTS += -Dbluray=false endif ifeq ($(BR2_PACKAGE_LIBCAP)$(BR2_PACKAGE_POLKIT),yy) GVFS_DEPENDENCIES += libcap polkit -GVFS_CONF_OPTS += --enable-admin +GVFS_CONF_OPTS += -Dadmin=true else -GVFS_CONF_OPTS += --disable-admin +GVFS_CONF_OPTS += -Dadmin=false endif ifeq ($(BR2_PACKAGE_LIBCDIO_PARANOIA)$(BR2_PACKAGE_LIBGUDEV),yy) GVFS_DEPENDENCIES += libcdio-paranoia libgudev -GVFS_CONF_OPTS += --enable-cdda -else -GVFS_CONF_OPTS += --disable-cdda -endif - -ifeq ($(BR2_PACKAGE_LIBFUSE),y) -GVFS_DEPENDENCIES += libfuse -GVFS_CONF_OPTS += --enable-fuse +GVFS_CONF_OPTS += -Dcdda=true else -GVFS_CONF_OPTS += --disable-fuse +GVFS_CONF_OPTS += -Dcdda=false endif # AFP support is anon-only without libgcrypt which isn't very useful ifeq ($(BR2_PACKAGE_LIBGCRYPT),y) -GVFS_CONF_OPTS += --enable-afp +GVFS_CONF_OPTS += \ + -Dafp=true \ + -Dgcrypt=true GVFS_DEPENDENCIES += libgcrypt else -GVFS_CONF_OPTS += --disable-afp +GVFS_CONF_OPTS += \ + -Dafp=false \ + -Dgcrypt=false endif ifeq ($(BR2_PACKAGE_LIBGPHOTO2)$(BR2_PACKAGE_LIBGUDEV),yy) GVFS_DEPENDENCIES += libgphoto2 libgudev -GVFS_CONF_OPTS += --enable-gphoto2 -else -GVFS_CONF_OPTS += --disable-gphoto2 -endif - -ifeq ($(BR2_PACKAGE_LIBGTK3),y) 
-GVFS_CONF_OPTS += --enable-gtk -GVFS_DEPENDENCIES += libgtk3 +GVFS_CONF_OPTS += -Dgphoto2=true else -GVFS_CONF_OPTS += --disable-gtk +GVFS_CONF_OPTS += -Dgphoto2=false endif ifeq ($(BR2_PACKAGE_LIBNFS),y) -GVFS_CONF_OPTS += --enable-nfs +GVFS_CONF_OPTS += -Dnfs=true GVFS_DEPENDENCIES += libnfs else -GVFS_CONF_OPTS += --disable-nfs +GVFS_CONF_OPTS += -Dnfs=false endif ifeq ($(BR2_PACKAGE_LIBSECRET),y) GVFS_DEPENDENCIES += libsecret -GVFS_CONF_OPTS += --enable-keyring +GVFS_CONF_OPTS += -Dkeyring=true else -GVFS_CONF_OPTS += --disable-keyring +GVFS_CONF_OPTS += -Dkeyring=false endif ifeq ($(BR2_PACKAGE_LIBSOUP)$(BR2_PACKAGE_LIBXML2),yy) GVFS_DEPENDENCIES += libsoup libxml2 -GVFS_CONF_OPTS += --enable-http +GVFS_CONF_OPTS += -Dhttp=true else -GVFS_CONF_OPTS += --disable-http +GVFS_CONF_OPTS += -Dhttp=false endif ifeq ($(BR2_PACKAGE_LIBUSB),y) GVFS_DEPENDENCIES += libusb -GVFS_CONF_OPTS += --enable-libusb +GVFS_CONF_OPTS += -Dlibusb=true else -GVFS_CONF_OPTS += --disable-libusb +GVFS_CONF_OPTS += -Dlibusb=false endif ifeq ($(BR2_PACKAGE_SAMBA4),y) GVFS_DEPENDENCIES += samba4 -GVFS_CONF_OPTS += \ - --enable-samba \ - --with-samba-includes=$(STAGING_DIR)/usr/include/samba-4.0 \ - --with-samba-libs=$(STAGING_DIR)/usr/lib \ - ac_cv_lib_smbclient_smbc_option_get=yes +GVFS_CONF_OPTS += -Dsmb=true else -GVFS_CONF_OPTS += --disable-samba +GVFS_CONF_OPTS += -Dsmb=false endif ifeq ($(BR2_PACKAGE_SYSTEMD),y) GVFS_DEPENDENCIES += systemd +GVFS_CONF_OPTS += -Dlogind=true else -GVFS_CONF_OPTS += --disable-libsystemd-login +GVFS_CONF_OPTS += \ + -Dlogind=false \ + -Dsystemduserunitdir=no \ + -Dtmpfilesdir=no endif -define GVFS_REMOVE_USELESS_BINARY - rm $(TARGET_DIR)/usr/bin/gvfs-less -endef - define GVFS_REMOVE_TARGET_SCHEMAS rm $(TARGET_DIR)/usr/share/glib-2.0/schemas/*.xml endef 
@@ -190,8 +158,7 @@ define GVFS_COMPILE_SCHEMAS endef GVFS_POST_INSTALL_TARGET_HOOKS += \ - GVFS_REMOVE_USELESS_BINARY \ GVFS_REMOVE_TARGET_SCHEMAS \ GVFS_COMPILE_SCHEMAS -$(eval $(autotools-package)) +$(eval $(meson-package))
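
Review bot: The deletion of patches 0001 to 0006 and of the matching GVFS_IGNORE_CVES lines in package/gvfs/gvfs.mk (CVE-2019-3827, CVE-2019-12448, CVE-2019-12447, CVE-2019-12449, CVE-2019-12795) is justified in the commit message only by "already in version", with no CVE named. Please list these five CVEs in the commit message and state that 1.44.1 contains the upstream commits given in the "Retrieved from" lines of the deleted patches, so that someone auditing the package's CVE status can see why the ignore entries were dropped rather than having to re-derive it from the upstream history.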
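
Review bot: In the package/gvfs/Config.in hunk, the new "select BR2_PACKAGE_GSETTINGS_DESKTOP_SCHEMAS" is added without touching the "depends on" lines above it, whose comments still read "# dbus, glib2". If gsettings-desktop-schemas carries dependencies of its own, they need to be repeated here and the comments extended to name it; if it has none beyond what is already listed, a word in the commit message saying so would save the next reviewer the lookup.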
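
Review bot: The new comment line in package/gvfs/gvfs.hash records that the sha256 for gvfs-1.44.1.tar.xz was taken from an http:// URL, and GVFS_SITE in gvfs.mk is http:// as well. The in-tree hash protects later downloads, but the value itself was read from a checksum file fetched over an unauthenticated channel. If the GNOME download server is reachable over HTTPS, please use that URL in the hash comment and in GVFS_SITE, or mention in the commit message how the hash was cross-checked.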
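
Review bot: In the first gvfs.mk hunk, -Dsftp=false and -Dfuse=false are added to GVFS_CONF_OPTS under the existing comment "Most of these are missing library support", but the reason for fuse (fuse3 not available) appears only in the commit message and no reason is given for sftp at all. A one-line comment next to each option in gvfs.mk would make clear whether these backends are off because of a missing dependency or by choice, which matters when someone later wants to enable a network backend on a target.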
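
Review bot: The second gvfs.mk hunk removes every explicit staging path that the autotools version passed (--with-archive-includes/--with-archive-libs, --with-samba-includes/--with-samba-libs, and, in the hunk before it, the ac_cv_path_LIBGCRYPT_CONFIG export whose comment said it kept the build system from searching host paths), replacing them with bare -Darchive=true, -Dsmb=true and -Dgcrypt=true. Please confirm that the meson build resolves libarchive, smbclient and libgcrypt from STAGING_DIR and cannot fall back to host tools or libraries, and note that in the commit message. The -Dsystemduserunitdir=no and -Dtmpfilesdir=no options added in the non-systemd branch are also not mentioned in the commit message and deserve a line there.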