--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package geoclue-2.0
When using an application in flatpak, that application is supposed to
be sandboxed and requests to geoclue to get the location should be
explicitly granted by the user.
[ Reason ]
With cgroups v2, the code detecting that the application is running in a
flatpak is broken and geoclue is always granting access to the location
information without prompting the user.
[ Impact ]
This only impacts users of applications running in flatpak.
[ Tests ]
I tried to run gnome-maps (flatpak run org.gnome.Maps) without and then
with the patch; with the patch, I correctly get a dialog asking me if
I want to share the location with the application.
I also tried to run gnome-maps outside of flatpak and it is still
working as expected.
[ Risks ]
The code is pretty isolated. I didn't test geoclue on a machine with
cgroup v1 though.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
The patch has already been merged upstream in the master branch. I
cherry-picked it and it applies cleanly in the package shipped in
Debian.
unblock geoclue-2.0/2.5.7-3
diff --git a/debian/changelog b/debian/changelog
index c5c1bc0..8cf8a35 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+geoclue-2.0 (2.5.7-3) unstable; urgency=medium
+
+ * Properly detect that applications are running in flatpak when using cgroup
+ v2. Thanks to Guido Günther <agx@sigxcpu.org> (Closes: #985345)
+
+ -- Laurent Bigonville <bigon@debian.org> Wed, 17 Mar 2021 15:53:13 +0100
+
geoclue-2.0 (2.5.7-2) unstable; urgency=medium
* d/p/fix-nowifi-query.patch: Fix getting a location if the computer has no
diff --git a/debian/patches/0006-client-info-Support-cgroup-v2.patch b/debian/patches/0006-client-info-Support-cgroup-v2.patch
new file mode 100644
index 0000000..2f0760b
--- /dev/null
+++ b/debian/patches/0006-client-info-Support-cgroup-v2.patch
@@ -0,0 +1,93 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 16 Mar 2021 12:22:30 +0100
+Subject: client-info: Support cgroup v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+For v2 cgroups the /proc/<pid>/cgroup format changed to a single line¹.
+Support this too to not misdetect flatpaks as system apps.
+
+1) See https://www.kernel.org/doc/html/v4.18/admin-guide/cgroup-v2.html#processes
+
+Signed-off-by: Guido Günther <agx@sigxcpu.org>
+---
+ src/gclue-client-info.c | 44 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/src/gclue-client-info.c b/src/gclue-client-info.c
+index d609b34..dd403a6 100644
+--- a/src/gclue-client-info.c
++++ b/src/gclue-client-info.c
+@@ -181,6 +181,42 @@ on_name_vanished (GDBusConnection *connection,
+ 0);
+ }
+
++
++static gchar *
++parse_cgroup_v2 (GStrv lines)
++{
++ const char *unit, *name;
++ char *dash, *xdg_id;
++ g_autofree char *scope = NULL;
++
++ /* Cgroup v2 is always a single line:
++ * 0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-flatpak-org.gnome.Maps-3358.scope
++ */
++ if (g_strv_length (lines) != 2)
++ return NULL;
++
++ if (!g_str_has_prefix (lines[0], "0::"))
++ return NULL;
++
++ unit = lines[0] + strlen ("0::");
++ scope = g_path_get_basename (unit);
++ if (!g_str_has_prefix (scope, "app-flatpak-") ||
++ !g_str_has_suffix (scope, ".scope"))
++ return NULL;
++
++ name = scope + strlen("app-flatpak-");
++ dash = strchr (name, '-');
++ if (dash == NULL)
++ return NULL;
++ *dash = 0;
++
++ xdg_id = g_strdup (name);
++ g_debug ("Found xdg_id %s", xdg_id);
++
++ return xdg_id;
++}
++
++
+ /* Based on got_credentials_cb() from xdg-app source code */
+ static char *
+ get_xdg_id (guint32 pid)
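Review bot: In parse_cgroup_v2, `dash = strchr (name, '-')` cuts the id at the first '-' after "app-flatpak-", while the example scope in the comment (app-flatpak-org.gnome.Maps-3358.scope) carries a trailing "-3358" suffix, so an application id that itself contains a '-' would be truncated and a different xdg_id returned. Consider splitting at the last '-' with strrchr, or add a comment saying why the id cannot contain '-'. Separately, the comment says the file is always a single line while the check is `g_strv_length (lines) != 2`; a short comment that the second element is the empty string left by splitting on the trailing newline would make the check readable and make clear that a file with any additional line is rejected here on purpose.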
+@@ -188,7 +224,7 @@ get_xdg_id (guint32 pid)
+ char *xdg_id = NULL;
+ g_autofree char *path = NULL;
+ g_autofree char *content = NULL;
+- gchar **lines;
++ g_auto(GStrv) lines = NULL;
+ int i;
+
+ path = g_strdup_printf ("/proc/%u/cgroup", pid);
+@@ -197,6 +233,10 @@ get_xdg_id (guint32 pid)
+ return NULL;
+ lines = g_strsplit (content, "\n", -1);
+
++ xdg_id = parse_cgroup_v2 (lines);
++ if (xdg_id != NULL)
++ return xdg_id;
++
+ for (i = 0; lines[i] != NULL; i++) {
+ const char *unit = lines[i] + strlen ("1:name=systemd:");
+ g_autofree char *scope = NULL;
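Review bot: When parse_cgroup_v2 returns NULL, control falls into the existing loop, where `lines[i] + strlen ("1:name=systemd:")` is computed in the visible context with no length or prefix check before it; for a v2 file the elements are the "0::" line and the empty string after the final newline, both of which can be shorter than that prefix, so unit may point past the end of the string. Suggest returning NULL right after the parse_cgroup_v2 call when lines[0] starts with "0::", or checking g_str_has_prefix before applying the offset. Since the commit message says a failed detection makes a flatpak look like a system app, a g_debug when a "0::" line is present but does not match the app-flatpak pattern would also make that case visible. The report notes cgroup v1 was not tested, so a run on a v1 host to confirm this ordering leaves the old path unchanged would be worth adding before upload.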
+@@ -224,8 +264,6 @@ get_xdg_id (guint32 pid)
+ xdg_id = g_strdup (name);
+ }
+
+- g_strfreev (lines);
+-
+ return xdg_id;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index edb467d..ec78160 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
0003-Revert-Fixed-hang-on-startup-when-client-app-is-a-sy.patch
0004-service-Stop-the-client-for-system-applications-when.patch
fix-nowifi-query.patch
+0006-client-info-Support-cgroup-v2.patch
--- End Message ---