core: Drop all capabilities on initialization
Add an optional dependency on libcap-ng. If the library is detected, drop all capabilities by default, so that packagers/users can run "setcap CAP_SYS_NICE=+ep `which gnome-shell`" and let it set higher sched/egl priorities without preserving the capability forever. https://gitlab.gnome.org/GNOME/mutter/merge_requests/923
parent
d8c4d78f4a
commit
6ec6ea7d3c
@ -16,7 +16,7 @@ RUN dnf -y update && dnf -y upgrade && \
|
|||||||
dnf builddep -y mutter && \
|
dnf builddep -y mutter && \
|
||||||
|
|
||||||
# Until Fedora catches up with new build-deps
|
# Until Fedora catches up with new build-deps
|
||||||
dnf install -y 'pkgconfig(graphene-gobject-1.0)' 'pkgconfig(sysprof-capture-3)' && \
|
dnf install -y 'pkgconfig(graphene-gobject-1.0)' 'pkgconfig(sysprof-capture-3)' 'pkgconfig(libcap-ng)' && \
|
||||||
|
|
||||||
# For running unit tests
|
# For running unit tests
|
||||||
dnf install -y xorg-x11-server-Xvfb mesa-dri-drivers dbus dbus-x11 '*/xvfb-run' gdm-lib accountsservice-libs gnome-control-center && \
|
dnf install -y xorg-x11-server-Xvfb mesa-dri-drivers dbus dbus-x11 '*/xvfb-run' gdm-lib accountsservice-libs gnome-control-center && \
|
||||||
|
@ -67,3 +67,6 @@
|
|||||||
/* Either <sys/random.h> or <linux/random.h> */
|
/* Either <sys/random.h> or <linux/random.h> */
|
||||||
#mesondefine HAVE_SYS_RANDOM
|
#mesondefine HAVE_SYS_RANDOM
|
||||||
#mesondefine HAVE_LINUX_RANDOM
|
#mesondefine HAVE_LINUX_RANDOM
|
||||||
|
|
||||||
|
/* Defined if libcap-ng is available */
|
||||||
|
#mesondefine HAVE_LIBCAPNG
|
||||||
|
@ -36,6 +36,7 @@ libstartup_notification_req = '>= 0.7'
|
|||||||
libcanberra_req = '>= 0.26'
|
libcanberra_req = '>= 0.26'
|
||||||
libwacom_req = '>= 0.13'
|
libwacom_req = '>= 0.13'
|
||||||
atk_req = '>= 2.5.3'
|
atk_req = '>= 2.5.3'
|
||||||
|
libcapng_req = '>= 0.7.9'
|
||||||
|
|
||||||
# optional version requirements
|
# optional version requirements
|
||||||
udev_req = '>= 228'
|
udev_req = '>= 228'
|
||||||
@ -127,6 +128,7 @@ xau_dep = dependency('xau')
|
|||||||
ice_dep = dependency('ice')
|
ice_dep = dependency('ice')
|
||||||
atk_dep = dependency('atk', version: atk_req)
|
atk_dep = dependency('atk', version: atk_req)
|
||||||
libcanberra_dep = dependency('libcanberra', version: libcanberra_req)
|
libcanberra_dep = dependency('libcanberra', version: libcanberra_req)
|
||||||
|
libcapng_dep = dependency('libcap-ng', required: get_option('libcapng'))
|
||||||
|
|
||||||
# For now always require X11 support
|
# For now always require X11 support
|
||||||
have_x11 = true
|
have_x11 = true
|
||||||
@ -258,6 +260,7 @@ have_core_tests = false
|
|||||||
have_cogl_tests = false
|
have_cogl_tests = false
|
||||||
have_clutter_tests = false
|
have_clutter_tests = false
|
||||||
have_installed_tests = false
|
have_installed_tests = false
|
||||||
|
have_libcapng = libcapng_dep.found()
|
||||||
|
|
||||||
if have_tests
|
if have_tests
|
||||||
have_core_tests = get_option('core_tests')
|
have_core_tests = get_option('core_tests')
|
||||||
@ -364,6 +367,7 @@ cdata.set('HAVE_SM', have_sm)
|
|||||||
cdata.set('HAVE_STARTUP_NOTIFICATION', have_startup_notification)
|
cdata.set('HAVE_STARTUP_NOTIFICATION', have_startup_notification)
|
||||||
cdata.set('HAVE_INTROSPECTION', have_introspection)
|
cdata.set('HAVE_INTROSPECTION', have_introspection)
|
||||||
cdata.set('HAVE_PROFILER', have_profiler)
|
cdata.set('HAVE_PROFILER', have_profiler)
|
||||||
|
cdata.set('HAVE_LIBCAPNG', have_libcapng)
|
||||||
|
|
||||||
xkb_base = xkeyboard_config_dep.get_pkgconfig_variable('xkb_base')
|
xkb_base = xkeyboard_config_dep.get_pkgconfig_variable('xkb_base')
|
||||||
cdata.set_quoted('XKB_BASE', xkb_base)
|
cdata.set_quoted('XKB_BASE', xkb_base)
|
||||||
@ -445,6 +449,7 @@ output = [
|
|||||||
' Startup notification..... ' + have_startup_notification.to_string(),
|
' Startup notification..... ' + have_startup_notification.to_string(),
|
||||||
' Introspection............ ' + have_introspection.to_string(),
|
' Introspection............ ' + have_introspection.to_string(),
|
||||||
' Profiler................. ' + have_profiler.to_string(),
|
' Profiler................. ' + have_profiler.to_string(),
|
||||||
|
' libcap-ng................ ' + have_libcapng.to_string(),
|
||||||
'',
|
'',
|
||||||
' Tests:',
|
' Tests:',
|
||||||
'',
|
'',
|
||||||
|
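Review bot: `libcapng_req = '>= 0.7.9'` is defined in the first hunk of this file, but the new `dependency('libcap-ng', required: get_option('libcapng'))` call never passes it, so any installed libcap-ng version satisfies the check, unlike the `atk` and `libcanberra` lines just above it. Pass the constraint explicitly: `libcapng_dep = dependency('libcap-ng', version: libcapng_req, required: get_option('libcapng'))`. Separately, with the feature left on `auto`, a build host without the library produces a binary that never drops capabilities. Only the configure summary line reveals this, so packagers who apply `setcap` should build with `-Dlibcapng=enabled` so that a missing library fails the configure step.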
@ -152,3 +152,9 @@ option('xwayland_grab_default_access_rules',
|
|||||||
value: 'gnome-boxes,remote-viewer,virt-viewer,virt-manager,vinagre,vncviewer,Xephyr',
|
value: 'gnome-boxes,remote-viewer,virt-viewer,virt-manager,vinagre,vncviewer,Xephyr',
|
||||||
description: 'Comma delimited list of applications ressources or class allowed to issue X11 grabs in Xwayland'
|
description: 'Comma delimited list of applications ressources or class allowed to issue X11 grabs in Xwayland'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
option('libcapng',
|
||||||
|
type: 'feature',
|
||||||
|
value: 'auto',
|
||||||
|
description: 'Enable libcap-ng support'
|
||||||
|
)
|
||||||
|
@ -66,6 +66,10 @@
|
|||||||
#include <girepository.h>
|
#include <girepository.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBCAPNG
|
||||||
|
#include <cap-ng.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(HAVE_NATIVE_BACKEND) && defined(HAVE_WAYLAND)
|
#if defined(HAVE_NATIVE_BACKEND) && defined(HAVE_WAYLAND)
|
||||||
#include <systemd/sd-login.h>
|
#include <systemd/sd-login.h>
|
||||||
#endif /* HAVE_WAYLAND && HAVE_NATIVE_BACKEND */
|
#endif /* HAVE_WAYLAND && HAVE_NATIVE_BACKEND */
|
||||||
@ -597,6 +601,11 @@ meta_init (void)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBCAPNG
|
||||||
|
capng_clear (CAPNG_SELECT_BOTH);
|
||||||
|
capng_apply (CAPNG_SELECT_BOTH);
|
||||||
|
#endif
|
||||||
|
|
||||||
g_unix_signal_add (SIGTERM, on_sigterm, NULL);
|
g_unix_signal_add (SIGTERM, on_sigterm, NULL);
|
||||||
|
|
||||||
if (g_get_home_dir ())
|
if (g_get_home_dir ())
|
||||||
|
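Review bot: The result of `capng_apply (CAPNG_SELECT_BOTH)` in the new `HAVE_LIBCAPNG` block of `meta_init` is discarded, so a failed drop leaves the process running with the capabilities it was granted and nothing records it. Check the return value, for example `if (capng_apply (CAPNG_SELECT_BOTH) < 0) g_warning ("Failed to drop capabilities");`, or abort if continuing with capabilities is unacceptable for this process. `CAPNG_SELECT_BOTH` also covers the bounding set, which presumably cannot be changed by a binary holding only `CAP_SYS_NICE`, so a failure here is plausible and worth testing against the `setcap` setup in the description. The description also expects the capability to be used for raising sched/EGL priority, so that code must run before this point; it is not visible here, as `meta_init` starts and ends outside the hunk.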
@ -18,6 +18,7 @@ mutter_pkg_deps = [
|
|||||||
glib_dep,
|
glib_dep,
|
||||||
gsettings_desktop_schemas_dep,
|
gsettings_desktop_schemas_dep,
|
||||||
gtk3_dep,
|
gtk3_dep,
|
||||||
|
libcapng_dep,
|
||||||
pango_dep,
|
pango_dep,
|
||||||
]
|
]
|
||||||
|
|
||||||
|