mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-29 09:04:17 +00:00
a69e7fd7f4
Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path. When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through. Also introduce a test for the icon validator to prevent future breakage. Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
32 lines
1.4 KiB
Diff
32 lines
1.4 KiB
Diff
--- a/icon-validator/validate-icon.c
|
|
+++ b/icon-validator/validate-icon.c
|
|
@@ -163,7 +163,7 @@ rerun_in_sandbox (const char *arg_width,
|
|
const char *arg_height,
|
|
const char *filename)
|
|
{
|
|
- const char * const usrmerged_dirs[] = { "bin", "lib32", "lib64", "lib", "sbin" };
|
|
+ const char * const usrmerged_dirs[] = { };
|
|
int i;
|
|
g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free);
|
|
char validate_icon[PATH_MAX + 1];
|
|
@@ -183,8 +183,7 @@ rerun_in_sandbox (const char *arg_width,
|
|
"--unshare-ipc",
|
|
"--unshare-net",
|
|
"--unshare-pid",
|
|
- "--ro-bind", "/usr", "/usr",
|
|
- "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
|
|
+ "--ro-bind", "@storeDir@", "@storeDir@",
|
|
"--ro-bind", validate_icon, validate_icon,
|
|
NULL);
|
|
|
|
@@ -227,6 +226,9 @@ rerun_in_sandbox (const char *arg_width,
|
|
add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
|
|
if (g_getenv ("G_MESSAGES_PREFIXED"))
|
|
add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
|
|
+ if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
|
|
+ add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
|
|
+
|
|
|
|
add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
|
|
g_ptr_array_add (args, NULL);
|