Diffstat (limited to 'source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch')
-rw-r--r--source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch127
1 files changed, 127 insertions, 0 deletions
diff --git a/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch b/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch
new file mode 100644
index 000000000..b5d8ae0fe
--- /dev/null
+++ b/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch
@@ -0,0 +1,127 @@
+From daf3d5c2d15466a267221fcb099c59c870098e03 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <philip.withnall@collabora.co.uk>
+Date: Thu, 19 May 2016 10:08:08 +0100
+Subject: [PATCH 05/16] data: Set GIO_USE_VFS=local in the environment
+
+There is no need for polkit to ever use GVFS to load files from
+non-local sources, so it's best to avoid loading GVFS code, and to just
+rely on the local implementation in GIO instead. This reduces the attack
+surface of polkit.
+
+Implemented for the daemon, pkaction, pkcheck, pkexec and pkttyagent,
+because none of them need remote file access.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=95487
+---
+ src/polkitbackend/polkitd.c | 4 ++++
+ src/programs/pkaction.c | 4 ++++
+ src/programs/pkcheck.c | 4 ++++
+ src/programs/pkexec.c | 3 +++
+ src/programs/pkttyagent.c | 4 ++++
+ 5 files changed, 19 insertions(+)
+
+diff --git a/src/polkitbackend/polkitd.c b/src/polkitbackend/polkitd.c
+index d1527fb..8d54ed7 100644
+--- a/src/polkitbackend/polkitd.c
++++ b/src/polkitbackend/polkitd.c
+@@ -22,6 +22,7 @@
+ #include "config.h"
+
+ #include <signal.h>
++#include <stdlib.h>
+
+ #include <glib-unix.h>
+
+@@ -169,6 +170,9 @@ main (int argc,
+ sigint_id = 0;
+ registration_id = NULL;
+
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+
+ opt_context = g_option_context_new ("polkit system daemon");
+diff --git a/src/programs/pkaction.c b/src/programs/pkaction.c
+index f17a7dc..221662a 100644
+--- a/src/programs/pkaction.c
++++ b/src/programs/pkaction.c
+@@ -24,6 +24,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <glib/gi18n.h>
+ #include <polkit/polkit.h>
+
+@@ -121,6 +122,9 @@ main (int argc, char *argv[])
+ actions = NULL;
+ ret = 1;
+
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+
+ opt_show_version = FALSE;
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index 5781893..33db128 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -24,6 +24,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <glib/gi18n.h>
+ #include <polkit/polkit.h>
+ #define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
+@@ -362,6 +363,9 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+
+ details = polkit_details_new ();
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 50de92c..3b29b24 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -503,6 +503,9 @@ main (int argc, char *argv[])
+ opt_user = NULL;
+ local_agent_handle = NULL;
+
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ /* check for correct invocation */
+ if (geteuid () != 0)
+ {
+diff --git a/src/programs/pkttyagent.c b/src/programs/pkttyagent.c
+index 423b728..8aac7dd 100644
+--- a/src/programs/pkttyagent.c
++++ b/src/programs/pkttyagent.c
+@@ -24,6 +24,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <glib/gi18n.h>
+ #include <polkit/polkit.h>
+ #define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
+@@ -74,6 +75,9 @@ main (int argc, char *argv[])
+ guint ret = 126;
+ GVariantBuilder builder;
+
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+
+ error = NULL;
+--
+2.13.0
+
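Review bot: All five added `setenv ("GIO_USE_VFS", "local", 1);` calls discard the return value, so if setenv() fails (it can return -1 on allocation failure) the process continues with whatever GIO_USE_VFS it inherited and the hardening is silently skipped. This matters most in the pkexec.c hunk, where the call sits just before the `geteuid () != 0` invocation check and the environment presumably comes from the invoking user; the same applies to the polkitd.c, pkaction.c, pkcheck.c and pkttyagent.c hunks. I would fail closed by guarding the call with `if (setenv ("GIO_USE_VFS", "local", 1) != 0)` and leaving through each main()'s existing error exit; those bodies continue outside the hunks, so the right exit path is not visible here. The comment could also state the reason rather than the effect, e.g. `/* Force GIO's local VFS so no GVFS code is loaded into this process. */`.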