diff --git a/0001-extensionSystem-Support-locking-down-extension-insta.patch b/0001-extensionSystem-Support-locking-down-extension-insta.patch new file mode 100644 index 0000000000000000000000000000000000000000..9993f7ac917efc2b5d59bd0a7f15654106912dd6 --- /dev/null +++ b/0001-extensionSystem-Support-locking-down-extension-insta.patch @@ -0,0 +1,92 @@ +From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Florian=20M=C3=BCllner?= +Date: Sat, 10 Feb 2024 00:58:27 +0100 +Subject: [PATCH] extensionSystem: Support locking down extension installation + +Currently extensions can only be locked down completely by +restricting the `enabled-extensions` key via dconf. + +This is too restrictive for environments that want to allow users +to customize their system with extensions, while still limiting +the set of possible extensions. + +To fill that gap, add a new `allow-extension-installation` setting, +which restricts extensions to system extensions when disabled. + +As the setting is mainly intended for locking down by system +administrators, there is no attempt to load/unload extensions +on settings changes. +--- + data/org.gnome.shell.gschema.xml.in | 11 +++++++++++ + js/ui/extensionDownloader.js | 6 ++++++ + js/ui/extensionSystem.js | 8 ++++++-- + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in +index 6f1c424bad..b5921983cd 100644 +--- a/data/org.gnome.shell.gschema.xml.in ++++ b/data/org.gnome.shell.gschema.xml.in +@@ -40,6 +40,17 @@ + the “enabled-extension” setting. + + ++ ++ true ++ Allow extension installation ++ ++ Allow users to install extensions in their home folder. If disabled, ++ the InstallRemoteExtension D-Bus method will fail, and extensions ++ are only loaded from system directories on startup. ++ It does not affect extensions that are already loaded, so a change ++ only takes full effect on the next login. ++ ++ + + false + Disables the validation of extension version compatibility +diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js +index 471ddab147..01ed165c01 100644 +--- a/js/ui/extensionDownloader.js ++++ b/js/ui/extensionDownloader.js +@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE = 'https://extensions.gnome.org/update-info/'; + let _httpSession; + + function installExtension(uuid, invocation) { ++ if (!global.settings.get_boolean('allow-extension-installation')) { ++ invocation.return_dbus_error('org.gnome.Shell.InstallError', ++ 'Extension installation is not allowed'); ++ return; ++ } ++ + const oldExt = Main.extensionManager.lookup(uuid); + if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) { + log('extensionDownloader: Trying to replace system extension %s'.format(uuid)); +diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js +index 937f861994..528d9ea450 100644 +--- a/js/ui/extensionSystem.js ++++ b/js/ui/extensionSystem.js +@@ -64,7 +64,10 @@ var ExtensionManager = class { + + get updatesSupported() { + const appSys = Shell.AppSystem.get_default(); +- return appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const hasUpdatesApp = ++ appSys.lookup_app('org.gnome.Extensions.desktop') !== null; ++ const allowed = global.settings.get_boolean('allow-extension-installation'); ++ return allowed && hasUpdatesApp; + } + + lookup(uuid) { +@@ -595,7 +598,8 @@ var ExtensionManager = class { + this._enabledExtensions = this._getEnabledExtensions(); + + let perUserDir = Gio.File.new_for_path(global.userdatadir); +- FileUtils.collectFromDatadirs('extensions', true, (dir, info) => { ++ const includeUserDir = global.settings.get_boolean('allow-extension-installation'); ++ FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => { + let fileType = info.get_file_type(); + if (fileType != Gio.FileType.DIRECTORY) + return; +-- +2.43.0 + diff --git a/dist b/dist index 89c1faffc18349bb12eee2371e9dc43bf419b95c..0b1f29d1996a6e51bc20a44b790adcb166a234f4 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an9 +an9_3 diff --git a/gnome-shell.spec b/gnome-shell.spec index dc02344998b9ab9cda34fdca553556b6f73735f9..6293b0e5f4a3bcc0c6bbc3231146968b2c86903f 100644 --- a/gnome-shell.spec +++ b/gnome-shell.spec @@ -3,7 +3,7 @@ Name: gnome-shell Version: 40.10 -Release: 13%{anolis_release}%{?dist} +Release: 14%{anolis_release}%{?dist} Summary: Window management and application launching for GNOME License: GPLv2+ @@ -57,6 +57,7 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch Patch53: 0001-po-Update-translations.patch Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch +Patch56: 0001-extensionSystem-Support-locking-down-extension-insta.patch %define eds_version 3.33.1 %define gnome_desktop_version 3.35.91 @@ -276,9 +277,13 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de %{_mandir}/man1/gnome-shell.1* %changelog -* Tue Dec 12 2023 pangqing - 40.10-13.0.1 +* Mon May 06 2024 pangqing - 40.10-14.0.1 - International modification +* Wed Feb 14 2024 Florian Müllner - 40.10-14 +- Allow restricting extension installation + Resolves: RHEL-25201 + * Mon May 15 2023 Ray Strode - 40.10-13 - Don't reset smartcard conversation twice when smartcard is inserted. Resolves: #2140898