gnu: flatpak: Do not leak GDK_PIXBUF_MODULE_FILE into the sandbox.

Fixes <https://issues.guix.gnu.org/54784>. * gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch: New file. * gnu/local.mk (dist_patch_DATA): Add corresponding entry. * gnu/packages/package-management.scm (flatpak)[source]: Use patch. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2022-04-23 10:39:32 +08:00 · 2022-04-23 10:39:32 +08:00 · f785299af1
commit f785299af1
parent b01622f57d
3 changed files with 23 additions and 1 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1070,6 +1070,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/findutils-localstatedir.patch		\
  %D%/packages/patches/flann-cmake-3.11.patch			\
  %D%/packages/patches/flatpak-fix-path.patch			\
+  %D%/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch	\
  %D%/packages/patches/fontconfig-cache-ignore-mtime.patch	\
  %D%/packages/patches/foobillard++-pkg-config.patch		\
  %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@ -1807,7 +1807,9 @@ (define-public flatpak
                           version "/flatpak-" version ".tar.xz"))
       (sha256
        (base32 "05lkpbjiwp69q924i1jfyk5frcqbdbv9kyzbqwm2hy723i9jmdbd"))
-       (patches (search-patches "flatpak-fix-path.patch"))))
+       (patches
+        (search-patches "flatpak-fix-path.patch"
+                        "flatpak-unset-gdk-pixbuf-for-sandbox.patch"))))

    ;; Wrap 'flatpak' so that GIO_EXTRA_MODULES is set, thereby allowing GIO to
    ;; find the TLS backend in glib-networking.
--- a/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
+++ b/gnu/packages/patches/flatpak-unset-gdk-pixbuf-for-sandbox.patch
@ -0,0 +1,19 @@
+Most Guix system setup with desktop evironment will install GDK_PIXBUF_MODULE_FILE
+environment variable in the system profile, and it'll be leaked into the sandbox
+environment of flatpak, so the applications in sandbox may fail to find correct
+GdkPixbuf loaders.
+
+This patch unset the GDK_PIXBUF_MODULE_FILE environment variable before running
+the sandboxed applications, prevents it to load GdkPixbuf loaders from the path
+of host system.
+
+--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
+@@ -1853,6 +1853,7 @@ static const ExportData default_exports[] = {
+   {"GST_PTP_HELPER", NULL},
+   {"GST_PTP_HELPER_1_0", NULL},
+   {"GST_INSTALL_PLUGINS_HELPER", NULL},
+  {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+ 
+ static const ExportData no_ld_so_cache_exports[] = {