This reverts commit eac227a203.
Currently, Flatpak applications can bypass the X11 permission setting
and access the X server through abstract sockets because X11 authentication
is not enforced for the current user ID.
Fix this by always requiring X11 authentication for Xwayland. This also
means applications without XAUTHORITY set to the file with Mutter's
Xwayland credentials cannot connect to X, including apps launched from
VT or SSH.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2633>
Currently, meta_xwayland_shutdown_dnd() is called from the handler
on_x11_display_closing() triggered from the signal "x11-display-closing"
hooked up from meta_xwayland_init_display().
Once the signal has been triggered, on_x11_display_closing() removes the
signal handler, disconnecting from the signal.
As meta_xwayland_init_display() is called from meta_display_new() which
is issued only once, the signal handler is not restored again.
As a result, meta_xwayland_shutdown_dnd() is not called anymore after
Xwayland has been restarted, but meta_xwayland_init_dnd() will check and
assert that the manager's DND object is NULL.
Basically, restarting Xwayland more than once will trigger an assertion
failure in mutter. That's even more of a problem with autoclose-xwayland
where Xwayland is expected to terminate when there is no meaningful X11
client remaining, which can happen multiple times during the lifetime
of a user session.
To make sure that meta_xwayland_init_display() is called for every new
instance of Xwayland, simply keep the signal hooked in place by not
disconnecting it when triggered.
This reverts commit 9a10b8ff94.
Even though, originally, this issue was first introduced with commit
b4fe1fdd95 ("xwayland: Make setup/teardown
a bit more symmetrical") which didn't actually keep 'x11-display-setup'
and 'x11-display-closing' connected.
Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/2168
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2339>
The `ensure_x11_unix_perms` function tries to detect systems on which
/tmp/.X11-unix is owned by neither root nor ourselves because in that
case the owner can take over the socket we create (symlink races are
fixed in linux 800179c9b8a1e796e441674776d11cd4c05d61d7). This should
not be possible in the first place and systems should come with some way
to ensure that's the case (systemd-tmpfiles, polyinstantiation …). That
check however only works if we see the root user namespace which might
not be the case when running in e.g. toolbx.
This change relaxes the requirements such that in the root user
namespace we detect and abort if a vulnerable system is detected but
unconditionally run in toolbx.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2261>
The experimental feature "autoclose-xwayland" requires a couple of
prerequisites:
1. Be able to (re)start Xwayland on demand, i.e. with systemd
2. Xwayland must support the terminate delay
Add a warning message if "autoclose-xwayland" was requested but any of
those prerequisites is not met.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2258>
Since commit 226afa24a - "Use Xwayland auto-terminate feature", the
callback function shutdown_xwayland_cb() does not check for the
autoclose-xwayland experimental feature anymore.
As a result, when running nested or outside of systemd,
gnome-shell/mutter would quit after 10 seconds unless some X11 window
was mapped.
But now that we rely on Xwayland's own terminate feature, there really is
no need to use any xserver timeout function anymore.
We do not need to keep track of X11 windows being created or unmapped, as
again, Xwayland does all that for us at the client level.
Remove all this code that we do not need anymore.
fixes: 226afa24a - Use Xwayland auto-terminate feature
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2258>
When using Xwayland-on-demand (default), if the (experimental) autoclose
feature is enabled, we can rely on Xwayland's auto-terminate feature
instead of explicitly killing the Xwayland process.
With it, gone is the mechanism that was added to check the X11 clients
connected and their executable to check whether we can (safely) kill
Xwayland.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1794>
The connection to the Xserver for the X11 window manager part of mutter
even on Wayland may prevent the Xserver from shutting down.
Currently, what mutter does is to check the X11 clients still connected
to Xwayland using the XRes extension, with a list of X11 clients that
can be safely ignored (typically the GNOME XSettings daemon, the IBus
daemon, pulseaudio and even mutter window manager itself).
When there are just those known clients remaining, mutter would kill
Xwayland automatically.
But that's racy, because between the time mutter checks with Xwayland
the remaining clients and the time it actually kills the process, a new
X11 client might have come along and won't be able to connect to
Xwayland that mutter is just about to kill.
Because of that, the feature “autoclose-xwayland” is marked as an
experimental feature in mutter and not enabled by default.
Thankfully, the Xserver has all it takes to manage that already, and
is even capable of terminating itself once all X11 clients are gone (the
-terminate option on the command line).
With XFixes version 6, the X11 clients can declare themselves
"terminatable", so that the Xserver could simply ignore those X11
clients when checking the remaining clients and terminate itself
automatically.
Use that mechanism to declare mutter's own connection to the Xserver as
"terminatable" when Xwayland is started on demand so that it won't hold
Xwayland alive for the sole purpose of mutter itself.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1794>
When Xwayland was not initialized, we'd still clean things up. What this
accidentally meant was that the uninitialized display number 0 was
cleaned up, which very likely was the main display of the host session.
What this meant in practice was that /tmp/.X11-unix/X0 was often
removed, causing every Flatpak X11 application to fail to start until
Xwayland was restarted and the X0 socket file was restored.
Fix this in two ways: firstly only shutdown Xwayland if we ever started
it, i.e. if the X11 display policy was not 'disabled'. This should fix
the issue most of the times. Secondly only clean up the socket if it was
ever initialized. This should fix things if the socket creation failed,
as if it did, the name would be set.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2162>
If we were cancelled, it could mean we tore down, meaning fetching
manager instances will attempt to fetch past freed instances. Handle
this by waiting with the fetching until we know we weren't cancelled.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2140>
This will be crucial when we start to remove the global directly when an
output is removed, as that means Xwayland might have removed the output
before we managed to get our queries in.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1796>
We set up Xwayland in an early phase of the X11 display, before we had a
MetaX11Display, and tore down in a couple of places happening when
tearing down the Xwayland integration if the X server died or
terminated. It was a bit hard to follow what happened and when it
happened. Attempt to clean this up a bit, with things being structured
as follows:
* Early during X11 display connection setup, only set up the rudimentary
X11 hooks, being the libX11 error callbacks, and adding the local
user to XHost.
* Move "initialize Xwayland component" code to a new
'x11-display-setup' signal handler. Things set up here are cleaned up
in the 'x11-display-closing' handler.
* Connect to 'x11-display-setup' and 'x11-display-closing' up front,
and stay connected to these two.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1796>
This way we can initialize without having any way to retrieve it via
some global variable. This isn't needed now, but will be once Wayland
infrastructure initialization is done in a single step.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1863>
It might not be there when shutting down, so get it from a more managed
place. Note that this isn't strictly needed right now, but eventually,
the MetaWaylandCompositor pointer will be cleared using a g_clear*()
helper, which clears the pointer before freeing the instance, which
wouldn't work here.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1863>
The callback on_displayfd_ready() would unconditionally set the return
value to TRUE, regardless of the condition.
Use the GIO condition to determine if there was data written and adjust
the return value accordingly.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1851>
We initialize, but might not start, e.g. when a test case just needs a
backend and doesn't start mutter. When cleaning up, we'll still try to
clean up Xwayland integration, and this commit handles cleaning up
without having made the mess.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1856>
MetaDisplay does a lot of things, and is a central part to anything
window management. To let Wayland units have an easier time tearing
down, make it so that the Wayland infrastructure is terminated before
MetaDisplay.
This also makes sure that X11 support is turned off, so that we don't
stumble upon Xwayland terminating due to the Wayland socket connection
being broken. Will mitigate that in a better way in a later commit.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1822>
We might not be the only entity holding on to the X11 GdkDisplay,
meaning the X11 connection will stay alive indefinitely, e.g. if the gjs
context has some reference to it.
Avoid running into issues due to X11 connection errors by setting the
libX11 handlers to no-ops, so when we are terminating; that means the
GDK X11 connection can stay "alive" until it's too late, and we'll just
silently ignore any connection errors that may happen due to the
lingering GDK display reference.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1822>
For Xwayland, mutter creates the sockets in the standard /tmp/.X11-unix
directory.
Yet, if that directory already exists, it may have been created by
another user with full control over the created socket.
To avoid that issue, if the directory /tmp/.X11-unix already exists,
check that the permissions are as we expect, i.e. the directory belongs
to either root or the user herself, is writable and has the sticky bit.
Thanks to fabian@ritter-vogt.de for reporting that issue.
https://gitlab.gnome.org/GNOME/mutter/-/issues/1708
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1787>
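The directory check described in the commit message above, as an added sketch that is not mutter's own code. The function name, the status enum and the choice to open the directory with `O_NOFOLLOW` before inspecting it are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* O_DIRECTORY, O_NOFOLLOW, AT_EACCESS */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this example (not mutter's own). */
enum x11_dir_status {
  X11_DIR_OK,        /* safe to create sockets in */
  X11_DIR_MISSING,   /* absent; the caller can create it itself */
  X11_DIR_NOT_A_DIR, /* symlink or other non-directory at the path */
  X11_DIR_BAD_OWNER, /* owned by neither root nor us */
  X11_DIR_BAD_MODE,  /* sticky bit missing, or not writable by us */
  X11_DIR_ERROR      /* unexpected failure, see errno */
};

/* Apply the checks listed in the commit message: owner is root or
 * `self`, the sticky bit is set, and the directory is writable. */
enum x11_dir_status
check_x11_unix_dir (const char *path, uid_t self)
{
  struct stat st;
  enum x11_dir_status status = X11_DIR_OK;
  /* O_NOFOLLOW rejects a symlink as the final component; fstat() and
   * faccessat() then inspect the object we opened, not a path that
   * could be replaced between checks. */
  int fd = open (path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0)
    {
      if (errno == ENOENT)
        return X11_DIR_MISSING;
      if (errno == ELOOP || errno == ENOTDIR)
        return X11_DIR_NOT_A_DIR;
      return X11_DIR_ERROR;
    }
  if (fstat (fd, &st) < 0)
    status = X11_DIR_ERROR;
  else if (st.st_uid != 0 && st.st_uid != self)
    status = X11_DIR_BAD_OWNER;
  else if (!(st.st_mode & S_ISVTX) ||
           faccessat (fd, ".", W_OK, AT_EACCESS) != 0)
    status = X11_DIR_BAD_MODE;
  close (fd);
  return status;
}

int main (void)
{
  printf ("status %d\n", check_x11_unix_dir ("/tmp/.X11-unix", geteuid ()));
  return 0;
}
```

Inside a user namespace where host root is not mapped, a root-owned directory is reported with the overflow UID, so an ownership test like this one returns `X11_DIR_BAD_OWNER`; that is the toolbx situation the `ensure_x11_unix_perms` commit earlier on this page relaxes.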
If `meta_xwayland_start_xserver()` returned via an error path, some of
the socket FDs were leaked.
Fix that, and add `steal_fd()` calls to make it clearer that FDs passed
to `g_subprocess_launcher_take_fd()` are transferred to it. There were
no bugs with how `GSubprocessLauncher` was being used.
Spotted while working on
https://gitlab.gnome.org/GNOME/glib/-/issues/2332.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1738>
Current Xwayland has marked the command line option "-listen" as
deprecated in favor of "-listenfd".
Use the pkg-config variable "have_listenfd" (if available) from Xwayland
to determine if we should use that option, to avoid a deprecation
warning when spawning Xwayland.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1682>
Mutter listens to two display connections, one for regular X11 clients
and another one for the so called "managed services".
Once an available display number is found for the regular X11 clients,
mutter would then redo the work to find another available display number
for the managed services.
Yet, it does so starting from the same initial display, which is a waste
of time since it just tried all displays to find the first available
one, so all these, including the regular display it just took, are now
in use.
So instead of starting over from the beginning when looking for a
display available for the managed services, continue from the next
display immediately after the one we found precedently.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1680>
Some X11 servers may not always create a lock file, yet mutter uses the
lock file to find a possible display number and then tries to bind to
the socket corresponding to that display number.
If it fails to bind, it will simply bail out. As a result, if an X11
server is already listening on that display but hadn't created a lock
file, mutter won't be able to start Xwayland.
To avoid that possible issue, make mutter retry with another display
for a given number of tries when binding fails even though the display
was supposed to be available based on the lock file presence.
Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/1604
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1669>
The function choose_xdisplay() calls open_display_sockets() which calls
ensure_x11_unix_dir().
We don't need to do that from within the loop though, as the directory
/tmp/.X11-unix is the same regardless of the display number.
Move the call to ensure_x11_unix_dir() from open_display_sockets() to
choose_xdisplay() prior to entering the display loop.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1669>
In case of failure to open the display sockets, we would not propagate
the error which can cause a crash when trying to show the error message.
Properly propagate the error to avoid the crash.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1669>
In the shutdown paths we check with the X11 display whether there are
remaining clients. However this happens in paths that happen after
the MetaX11Display vanished in the case of Xwayland crash.
Since in that situation the clients are forcibly vanishing too,
skip the client check.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1677>
Closing automatically Xwayland once all relevant X11 clients are gone is
inherently racy, if a new client comes along right at the time we're
killing Xwayland.
Fixing the possible race conditions between mutter, Xwayland and the X11
clients may take some time.
Meanwhile, make that an experimental feature "autoclose-xwayland".
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1673>
Currently, mutter checks for the presence of X11 windows to decide
whether or not Xwayland can be terminated, when Xwayland is started on
demand.
Unfortunately, not all X11 clients will map a window all the time, an
X11 client may keep the X11 connection opened after closing all its
windows. In that case, we may terminate Xwayland while there are some
X11 client connected still, and terminating Xwayland will also kill
those X11 clients.
To avoid that issue, check the X11 clients actually connected using the
XRes extension. The XRes extension provides the PID of the (local) X11
clients connected to the Xserver, so we need to match that against the
actual executable names, and compare with a list of known executables
that we can safely ignore, such as ibus-x11 or gsd-xsettings.
We also check against our own executable name, considering that the X11
window manager is also an X11 client connected to the Xserver.
Also, XRes returning the PID of local clients only is not a problem
considering that Xwayland does not listen to remote connections.
However, if the user spawns a client remotely on another system using
ssh tunneling (ssh -X), only clients which actually map a window will
be accounted for.
Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/1537
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1671>
To find XWayland output that should be the primary one, iterate through all
XWayland outputs, and compare their geometry to the geometry of the primary
logical monitor.
To avoid possible race conditions (Mutter's monitor configuration already
updated, but Xrandr not yet), set the output both after Randr notifications and
after 'monitors-changed' signal.
https://gitlab.gnome.org/GNOME/mutter/-/issues/1407
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1558>
When we're running under a polyinstantiated SELinux environment, we'll
likely start with an isolated and empty /tmp, meaning no /tmp/.X11-unix
directory to add things to. To make it possible to still function in
this kind of setup, make sure said directory exists.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1626>
The XIOErrorExitHandler expects (Display *, void *) whereas mutter uses
(Display *, MetaX11Display *).
That causes a warning at build time:
warning: passing argument 2 of ‘XSetIOErrorExitHandler’ from
incompatible pointer type [-Wincompatible-pointer-types]
813 | XSetIOErrorExitHandler (xdisplay, x_io_error_exit, display);
Actually, the MetaX11Display is not even used, so we can just use the
expected API and ignore the value.
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1621>
If this call is available, we can turn libX11 IO errors (fatal by definition)
into something we can recover from. Try to dispose all X11 resources and close
the display instead, so the compositor can survive the event.
https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1447