mutter

brl/mutter

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonas Ådahl	2731f0cda4	wayland: Setup and use ownership chains As elsewhere, make sure objects that need to have a ownership up to the context, and use this ownership chain to find relevant components, such as the backend or the Wayland compositor object instance. wayland/data-device: Hook up data devices to seats They are tied to a seat - make that connection in struct fields too, so that related objects can get to the context via it. wayland: Don't get Wayland compositor via singleton getter This means via the ownership chain or equivalent. xwayland: Hook up manager to Wayland compositor Same applies to the drag-n-drop struct. xwayland: Make X11 event handling compositor instance aware This avoids finding it via singletons in the callee. xwayland: Don't get Wayland compositor from singleton xwayland: Pass manager when handling dnd event window/xwayland: Don't get Wayland compositor from singleton xwayland/grab-keyboard: Don't get backend from singleton xwayland: Don't get backend from singleton wayland: Always get the backend from the context This means traveling up the ownership chain or equivalent when necessary. wayland: Hook up data devices, offers and sources to the compositor This allows tying them to a context without going through any singletons. wayland: Don't get display from singleton xwayland: Don't get display from singleton tablet: Don't get display from singleton Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2718>	2022-12-17 15:13:48 +01:00
Sergio Costas	f894f5cc13	wayland: Add API to launch trusted clients Allowing code from inside mutter to create a child process and delegate on it some of its tasks is something very useful. This can be done easily with the g_subprocess and g_subprocess_launcher classes already available in GLib and GObject. Unfortunately, although the child process can be a graphical program, currently it is not possible for the inner code to identify the windows created by the child in a secure manner (this is: being able to ensure that a malicious program won't be able to trick the inner code into thinking it is a child process launched by it). Under X11 this is not a problem because any program has full control over their windows, but under Wayland it is a different story: a program can't neither force their window to be kept at the top (like a docker program does) or at the bottom (like a program for desktop icons does), nor hide it from the list of windows. This means that it is not possible for a "classic", non-priviledged program, to fulfill these tasks, and it can be done only from code inside mutter (like a gnome-shell extension). This is a non desirable situation, because an extension runs in the same main loop than the whole desktop itself, which means that a complex extension can need to do too much work inside the main loop, and freeze the whole desktop for too much time. Also, it is important to note that javascript doesn't have access to fork(), or threads, which means that, at most, all the parallel computing that can do is those available in the _async calls in GLib/GObject. Also, having to create an extension for any priviledged graphical element is an stopper for a lot of programmers who already know GTK+ but doesn't know Clutter. This patch wants to offer a solution to this problem, by offering a new class that allows to launch a trusted child process from inside mutter, and make it to use an specific UNIX socket to communicate with the compositor. It also allows to check whether an specific MetaWindow was created by one of this trusted child processes or not. This allows to create extensions that launch a child process, and when that process creates a window, the extension can confirm in a secure way that the window really belongs to that process launched by it, so it can give to that window "superpowers" like being kept at the bottom of the desktop, not being listed in the list of windows or shown in the Activities panel... Also, in future versions, it could easily implement protocol extensions that only could be used by these trusted child processes. Several examples of the usefulness of this are that, with it, it is possible to write programs that implements: - desktop icons - a dock - a top or bottom bar ... all in a secure manner, avoiding insecure programs to do the same. In fact, even if the same code is launched manually, it won't have those privileges, only the specific process launched from inside mutter. Since this is only needed under Wayland, it won't work under X11. Fixes https://gitlab.gnome.org/GNOME/mutter/issues/741	2020-08-04 08:42:29 +00:00

Author

SHA1

Message

Date

Jonas Ådahl

2731f0cda4

wayland: Setup and use ownership chains

As elsewhere, make sure objects that need to have a ownership up to the
context, and use this ownership chain to find relevant components, such
as the backend or the Wayland compositor object instance.

wayland/data-device: Hook up data devices to seats

They are tied to a seat - make that connection in struct fields too, so
that related objects can get to the context via it.

wayland: Don't get Wayland compositor via singleton getter

This means via the ownership chain or equivalent.

xwayland: Hook up manager to Wayland compositor

Same applies to the drag-n-drop struct.

xwayland: Make X11 event handling compositor instance aware

This avoids finding it via singletons in the callee.

xwayland: Don't get Wayland compositor from singleton

xwayland: Pass manager when handling dnd event

window/xwayland: Don't get Wayland compositor from singleton

xwayland/grab-keyboard: Don't get backend from singleton

xwayland: Don't get backend from singleton

wayland: Always get the backend from the context

This means traveling up the ownership chain or equivalent when
necessary.

wayland: Hook up data devices, offers and sources to the compositor

This allows tying them to a context without going through any
singletons.

wayland: Don't get display from singleton

xwayland: Don't get display from singleton

tablet: Don't get display from singleton

Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2718>

2022-12-17 15:13:48 +01:00

Sergio Costas

f894f5cc13

wayland: Add API to launch trusted clients

Allowing code from inside mutter to create a child process and
delegate on it some of its tasks is something very useful. This can
be done easily with the g_subprocess and g_subprocess_launcher classes
already available in GLib and GObject.

Unfortunately, although the child process can be a graphical program,
currently it is not possible for the inner code to identify the
windows created by the child in a secure manner (this is: being able
to ensure that a malicious program won't be able to trick the inner
code into thinking it is a child process launched by it).

Under X11 this is not a problem because any program has full control
over their windows, but under Wayland it is a different story: a
program can't neither force their window to be kept at the top (like a
docker program does) or at the bottom (like a program for desktop icons
does), nor hide it from the list of windows. This means that it is not
possible for a "classic", non-priviledged program, to fulfill these
tasks, and it can be done only from code inside mutter (like a
gnome-shell extension).

This is a non desirable situation, because an extension runs in the
same main loop than the whole desktop itself, which means that a
complex extension can need to do too much work inside the main loop,
and freeze the whole desktop for too much time. Also, it is important
to note that javascript doesn't have access to fork(), or threads,
which means that, at most, all the parallel computing that can do is
those available in the _async calls in GLib/GObject.

Also, having to create an extension for any priviledged graphical
element is an stopper for a lot of programmers who already know
GTK+ but doesn't know Clutter.

This patch wants to offer a solution to this problem, by offering a
new class that allows to launch a trusted child process from inside
mutter, and make it to use an specific UNIX socket to communicate
with the compositor. It also allows to check whether an specific
MetaWindow was created by one of this trusted child processes or not.

This allows to create extensions that launch a child process, and
when that process creates a window, the extension can confirm in a
secure way that the window really belongs to that process
launched by it, so it can give to that window "superpowers" like
being kept at the bottom of the desktop, not being listed in the
list of windows or shown in the Activities panel... Also, in future
versions, it could easily implement protocol extensions that only
could be used by these trusted child processes.

Several examples of the usefulness of this are that, with it, it
is possible to write programs that implements:

- desktop icons
- a dock
- a top or bottom bar
...

all in a secure manner, avoiding insecure programs to do the same.
In fact, even if the same code is launched manually, it won't have
those privileges, only the specific process launched from inside
mutter.

Since this is only needed under Wayland, it won't work under X11.

Fixes https://gitlab.gnome.org/GNOME/mutter/issues/741

2020-08-04 08:42:29 +00:00

2 Commits