f894f5cc13
Allowing code from inside mutter to create a child process and delegate on it some of its tasks is something very useful. This can be done easily with the g_subprocess and g_subprocess_launcher classes already available in GLib and GObject. Unfortunately, although the child process can be a graphical program, currently it is not possible for the inner code to identify the windows created by the child in a secure manner (this is: being able to ensure that a malicious program won't be able to trick the inner code into thinking it is a child process launched by it). Under X11 this is not a problem because any program has full control over their windows, but under Wayland it is a different story: a program can't neither force their window to be kept at the top (like a docker program does) or at the bottom (like a program for desktop icons does), nor hide it from the list of windows. This means that it is not possible for a "classic", non-priviledged program, to fulfill these tasks, and it can be done only from code inside mutter (like a gnome-shell extension). This is a non desirable situation, because an extension runs in the same main loop than the whole desktop itself, which means that a complex extension can need to do too much work inside the main loop, and freeze the whole desktop for too much time. Also, it is important to note that javascript doesn't have access to fork(), or threads, which means that, at most, all the parallel computing that can do is those available in the _async calls in GLib/GObject. Also, having to create an extension for any priviledged graphical element is an stopper for a lot of programmers who already know GTK+ but doesn't know Clutter. This patch wants to offer a solution to this problem, by offering a new class that allows to launch a trusted child process from inside mutter, and make it to use an specific UNIX socket to communicate with the compositor. It also allows to check whether an specific MetaWindow was created by one of this trusted child processes or not. This allows to create extensions that launch a child process, and when that process creates a window, the extension can confirm in a secure way that the window really belongs to that process launched by it, so it can give to that window "superpowers" like being kept at the bottom of the desktop, not being listed in the list of windows or shown in the Activities panel... Also, in future versions, it could easily implement protocol extensions that only could be used by these trusted child processes. Several examples of the usefulness of this are that, with it, it is possible to write programs that implements: - desktop icons - a dock - a top or bottom bar ... all in a secure manner, avoiding insecure programs to do the same. In fact, even if the same code is launched manually, it won't have those privileges, only the specific process launched from inside mutter. Since this is only needed under Wayland, it won't work under X11. Fixes https://gitlab.gnome.org/GNOME/mutter/issues/741 |
||
|---|---|---|
| .gitlab/issue_templates | ||
| .gitlab-ci | ||
| clutter | ||
| cogl | ||
| data | ||
| doc | ||
| meson | ||
| po | ||
| src | ||
| subprojects | ||
| tools | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| config.h.meson | ||
| COPYING | ||
| meson_options.txt | ||
| meson.build | ||
| mutter.doap | ||
| NEWS | ||
| README.md | ||
Mutter
Mutter is a Wayland display server and X11 window manager and compositor library.
When used as a Wayland display server, it runs on top of KMS and libinput. It implements the compositor side of the Wayland core protocol as well as various protocol extensions. It also has functionality related to running X11 applications using Xwayland.
When used on top of Xorg it acts as a X11 window manager and compositing manager.
It contains functionality related to, among other things, window management, window compositing, focus tracking, workspace management, keybindings and monitor configuration.
Internally it uses a fork of Cogl, a hardware acceleration abstraction library used to simplify usage of OpenGL pipelines, as well as a fork af Clutter, a scene graph and user interface toolkit.
Mutter is used by, for example, GNOME Shell, the GNOME core user interface, and by Gala, elementary OS's window manager. It can also be run standalone, using the command "mutter", but just running plain mutter is only intended for debugging purposes.
Contributing
To contribute, open merge requests at https://gitlab.gnome.org/GNOME/mutter.
The coding style used is primarily the GNU flavor of the GNOME coding
style
with some minor additions such as preferring stdint.h types over GLib
fundamental types, and a soft 80 character line limit. However, in general,
look at the file you're editing for inspiration.
Commit messages should follow the GNOME commit message guidelines. We require an URL to either an issue or a merge request in each commit.
License
Mutter is distributed under the terms of the GNU General Public License, version 2 or later. See the COPYING file for detalis.