File gdm-initial-setup-hardening.patch of Package gdm

Index: gdm-45.beta/daemon/gdm-display.c
===================================================================
--- gdm-45.beta.orig/daemon/gdm-display.c
+++ gdm-45.beta/daemon/gdm-display.c
@@ -1537,12 +1537,12 @@ can_create_environment (const char *sess
         return session_exists;
 }
 
-#define ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT GDM_RUN_DIR "/gdm.ran-initial-setup"
+#define BLOCK_INITIAL_SETUP LOCALSTATEDIR "/lib/gdm/block-initial-setup"
 
 static gboolean
-already_done_initial_setup_on_this_boot (void)
+already_done_initial_setup (void)
 {
-        if (g_file_test (ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT, G_FILE_TEST_EXISTS))
+        if (g_file_test (BLOCK_INITIAL_SETUP, G_FILE_TEST_EXISTS))
                 return TRUE;
 
         return FALSE;
@@ -1624,7 +1624,7 @@ wants_initial_setup (GdmDisplay *self)
 
         priv = gdm_display_get_instance_private (self);
 
-        if (already_done_initial_setup_on_this_boot ()) {
+        if (already_done_initial_setup ()) {
                 return FALSE;
         }
 
Index: gdm-45.beta/daemon/gdm-manager.c
===================================================================
--- gdm-45.beta.orig/daemon/gdm-manager.c
+++ gdm-45.beta/daemon/gdm-manager.c
@@ -60,7 +60,7 @@
 #define GDM_MANAGER_DISPLAYS_PATH GDM_DBUS_PATH "/Displays"
 
 #define INITIAL_SETUP_USERNAME "gnome-initial-setup"
-#define ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT GDM_RUN_DIR "/gdm.ran-initial-setup"
+#define BLOCK_INITIAL_SETUP LOCALSTATEDIR "/lib/gdm/block-initial-setup"
 
 typedef struct
 {
@@ -1789,6 +1789,7 @@ on_start_user_session (StartUserSessionO
         gboolean doing_initial_setup = FALSE;
         GdmDisplay *display;
         const char *session_id;
+        int fd = -1;
 
         g_debug ("GdmManager: start or jump to session");
 
@@ -1815,6 +1816,15 @@ on_start_user_session (StartUserSessionO
                       "doing-initial-setup", &doing_initial_setup,
                       NULL);
 
+        fd = open(BLOCK_INITIAL_SETUP, O_RDONLY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC, 0644);
+        if (fd == -1 && errno != EEXIST) {
+                g_warning ("GdmDisplay: Could not write initial-setup-done marker to %s: %s",
+                           BLOCK_INITIAL_SETUP,
+                           strerror(errno));
+        }
+        else {
+                close(fd);
+        }
         if (doing_initial_setup)
                 chown_initial_setup_home_dir ();
 
@@ -1835,20 +1845,9 @@ on_start_user_session (StartUserSessionO
 
                 g_object_ref (display);
                 if (doing_initial_setup) {
-                        g_autoptr(GError) error = NULL;
 
                         g_debug ("GdmManager: closing down initial setup display in background");
                         g_object_set (G_OBJECT (display), "status", GDM_DISPLAY_WAITING_TO_FINISH, NULL);
-
-                        if (!g_file_set_contents (ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT,
-                                                  "1",
-                                                  1,
-                                                  &error)) {
-                                g_warning ("GdmDisplay: Could not write initial-setup-done marker to %s: %s",
-                                           ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT,
-                                           error->message);
-                                g_clear_error (&error);
-                        }
                 } else {
                         g_debug ("GdmManager: session has its display server, reusing our server for another login screen");
                 }
Index: gdm-45.beta/daemon/meson.build
===================================================================
--- gdm-45.beta.orig/daemon/meson.build
+++ gdm-45.beta/daemon/meson.build
@@ -210,6 +210,7 @@ endif
 
 gdm_daemon = executable('gdm',
   [ gdm_daemon_sources, gdm_daemon_gen_sources ],
+  c_args: '-DLOCALSTATEDIR="'+get_option('localstatedir')+'"',
   dependencies: gdm_daemon_deps,
   include_directories: config_h_dir,
   install: true,
openSUSE Build Service is sponsored by