mirror of
https://github.com/niri-wm/niri.git
synced 2026-06-24 02:01:18 +07:00
Implement security-context, hide some protocols from it
@@ -29,6 +29,7 @@ impl ServiceChannel {
|
|||||||
compositor_state: Default::default(),
|
compositor_state: Default::default(),
|
||||||
// Would be nice to thread config here but for now it's fine.
|
// Would be nice to thread config here but for now it's fine.
|
||||||
can_view_decoration_globals: false,
|
can_view_decoration_globals: false,
|
||||||
|
restricted: false,
|
||||||
});
|
});
|
||||||
self.display.insert_client(sock2, data).unwrap();
|
self.display.insert_client(sock2, data).unwrap();
|
||||||
Ok(unsafe { zbus::zvariant::OwnedFd::from_raw_fd(sock1.into_raw_fd()) })
|
Ok(unsafe { zbus::zvariant::OwnedFd::from_raw_fd(sock1.into_raw_fd()) })
|
||||||
|
|||||||
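Review bot: The `restricted: false` added to the `ClientState` in this `ServiceChannel` hunk is a trust decision that the code does not explain. The same hunk returns the other end of the socket pair to the D-Bus caller as an fd, so any caller of this method gets a Wayland connection that passes the `!restricted` filters added elsewhere in this commit. A comment above the field would record that, for example `// D-Bus callers are trusted: this connection may bind the privileged globals.` It is also worth confirming that sandboxed applications cannot reach this D-Bus interface, which this page does not show. The enclosing function starts outside the hunk.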
+29
-3
@@ -22,6 +22,9 @@ use smithay::wayland::compositor::{send_surface_state, with_states};
|
|||||||
use smithay::wayland::dmabuf::{DmabufGlobal, DmabufHandler, DmabufState, ImportNotifier};
|
use smithay::wayland::dmabuf::{DmabufGlobal, DmabufHandler, DmabufState, ImportNotifier};
|
||||||
use smithay::wayland::input_method::{InputMethodHandler, PopupSurface};
|
use smithay::wayland::input_method::{InputMethodHandler, PopupSurface};
|
||||||
use smithay::wayland::pointer_constraints::PointerConstraintsHandler;
|
use smithay::wayland::pointer_constraints::PointerConstraintsHandler;
|
||||||
|
use smithay::wayland::security_context::{
|
||||||
|
SecurityContext, SecurityContextHandler, SecurityContextListenerSource,
|
||||||
|
};
|
||||||
use smithay::wayland::selection::data_device::{
|
use smithay::wayland::selection::data_device::{
|
||||||
set_data_device_focus, ClientDndGrabHandler, DataDeviceHandler, DataDeviceState,
|
set_data_device_focus, ClientDndGrabHandler, DataDeviceHandler, DataDeviceState,
|
||||||
ServerDndGrabHandler,
|
ServerDndGrabHandler,
|
||||||
@@ -38,11 +41,11 @@ use smithay::{
|
|||||||
delegate_cursor_shape, delegate_data_control, delegate_data_device, delegate_dmabuf,
|
delegate_cursor_shape, delegate_data_control, delegate_data_device, delegate_dmabuf,
|
||||||
delegate_input_method_manager, delegate_output, delegate_pointer_constraints,
|
delegate_input_method_manager, delegate_output, delegate_pointer_constraints,
|
||||||
delegate_pointer_gestures, delegate_presentation, delegate_primary_selection,
|
delegate_pointer_gestures, delegate_presentation, delegate_primary_selection,
|
||||||
delegate_relative_pointer, delegate_seat, delegate_session_lock, delegate_tablet_manager,
|
delegate_relative_pointer, delegate_seat, delegate_security_context, delegate_session_lock,
|
||||||
delegate_text_input_manager, delegate_virtual_keyboard_manager,
|
delegate_tablet_manager, delegate_text_input_manager, delegate_virtual_keyboard_manager,
|
||||||
};
|
};
|
||||||
|
|
||||||
use crate::niri::State;
|
use crate::niri::{ClientState, State};
|
||||||
use crate::utils::output_size;
|
use crate::utils::output_size;
|
||||||
|
|
||||||
impl SeatHandler for State {
|
impl SeatHandler for State {
|
||||||
@@ -251,3 +254,26 @@ pub fn configure_lock_surface(surface: &LockSurface, output: &Output) {
|
|||||||
});
|
});
|
||||||
surface.send_configure();
|
surface.send_configure();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl SecurityContextHandler for State {
|
||||||
|
fn context_created(&mut self, source: SecurityContextListenerSource, context: SecurityContext) {
|
||||||
|
self.niri
|
||||||
|
.event_loop
|
||||||
|
.insert_source(source, move |client, _, state| {
|
||||||
|
let config = state.niri.config.borrow();
|
||||||
|
let data = Arc::new(ClientState {
|
||||||
|
compositor_state: Default::default(),
|
||||||
|
can_view_decoration_globals: config.prefer_no_csd,
|
||||||
|
restricted: true,
|
||||||
|
});
|
||||||
|
|
||||||
|
if let Err(err) = state.niri.display_handle.insert_client(client, data) {
|
||||||
|
error!("error inserting client: {err}");
|
||||||
|
} else {
|
||||||
|
debug!("inserted a new restricted client, context={context:?}");
|
||||||
|
}
|
||||||
|
})
|
||||||
|
.unwrap();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
delegate_security_context!(State);
|
||||||
|
|||||||
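Review bot: The `.unwrap()` on `insert_source(...)` at the end of `context_created` turns a failure to register the listener into a compositor panic. The `source` comes from a client's security-context request, so if registration can fail for a descriptor the client supplied (not confirmed from this hunk), one misbehaving client would take down the whole session. Logging and dropping the context would match the `insert_client` error path a few lines above: bind the result and use `if let Err(err) = res { error!("error inserting security-context listener: {err}"); }`.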
+24
-5
@@ -71,6 +71,7 @@ use smithay::wayland::pointer_constraints::{with_pointer_constraint, PointerCons
|
|||||||
use smithay::wayland::pointer_gestures::PointerGesturesState;
|
use smithay::wayland::pointer_gestures::PointerGesturesState;
|
||||||
use smithay::wayland::presentation::PresentationState;
|
use smithay::wayland::presentation::PresentationState;
|
||||||
use smithay::wayland::relative_pointer::RelativePointerManagerState;
|
use smithay::wayland::relative_pointer::RelativePointerManagerState;
|
||||||
|
use smithay::wayland::security_context::SecurityContextState;
|
||||||
use smithay::wayland::selection::data_device::{set_data_device_selection, DataDeviceState};
|
use smithay::wayland::selection::data_device::{set_data_device_selection, DataDeviceState};
|
||||||
use smithay::wayland::selection::primary_selection::PrimarySelectionState;
|
use smithay::wayland::selection::primary_selection::PrimarySelectionState;
|
||||||
use smithay::wayland::selection::wlr_data_control::DataControlState;
|
use smithay::wayland::selection::wlr_data_control::DataControlState;
|
||||||
@@ -160,6 +161,7 @@ pub struct Niri {
|
|||||||
pub popups: PopupManager,
|
pub popups: PopupManager,
|
||||||
pub popup_grab: Option<PopupGrabState>,
|
pub popup_grab: Option<PopupGrabState>,
|
||||||
pub presentation_state: PresentationState,
|
pub presentation_state: PresentationState,
|
||||||
|
pub security_context_state: SecurityContextState,
|
||||||
|
|
||||||
pub seat: Seat<State>,
|
pub seat: Seat<State>,
|
||||||
/// Scancodes of the keys to suppress.
|
/// Scancodes of the keys to suppress.
|
||||||
@@ -713,9 +715,14 @@ impl Niri {
|
|||||||
.can_view_decoration_globals
|
.can_view_decoration_globals
|
||||||
},
|
},
|
||||||
);
|
);
|
||||||
let layer_shell_state = WlrLayerShellState::new::<State>(&display_handle);
|
let layer_shell_state =
|
||||||
|
WlrLayerShellState::new_with_filter::<State, _>(&display_handle, |client| {
|
||||||
|
!client.get_data::<ClientState>().unwrap().restricted
|
||||||
|
});
|
||||||
let session_lock_state =
|
let session_lock_state =
|
||||||
SessionLockManagerState::new::<State, _>(&display_handle, |_| true);
|
SessionLockManagerState::new::<State, _>(&display_handle, |client| {
|
||||||
|
!client.get_data::<ClientState>().unwrap().restricted
|
||||||
|
});
|
||||||
let shm_state = ShmState::new::<State>(&display_handle, vec![]);
|
let shm_state = ShmState::new::<State>(&display_handle, vec![]);
|
||||||
let output_manager_state =
|
let output_manager_state =
|
||||||
OutputManagerState::new_with_xdg_output::<State>(&display_handle);
|
OutputManagerState::new_with_xdg_output::<State>(&display_handle);
|
||||||
@@ -730,16 +737,24 @@ impl Niri {
|
|||||||
let data_control_state = DataControlState::new::<State, _>(
|
let data_control_state = DataControlState::new::<State, _>(
|
||||||
&display_handle,
|
&display_handle,
|
||||||
Some(&primary_selection_state),
|
Some(&primary_selection_state),
|
||||||
|_| true,
|
|client| !client.get_data::<ClientState>().unwrap().restricted,
|
||||||
);
|
);
|
||||||
let presentation_state =
|
let presentation_state =
|
||||||
PresentationState::new::<State>(&display_handle, Monotonic::ID as u32);
|
PresentationState::new::<State>(&display_handle, Monotonic::ID as u32);
|
||||||
|
let security_context_state =
|
||||||
|
SecurityContextState::new::<State, _>(&display_handle, |client| {
|
||||||
|
!client.get_data::<ClientState>().unwrap().restricted
|
||||||
|
});
|
||||||
|
|
||||||
let text_input_state = TextInputManagerState::new::<State>(&display_handle);
|
let text_input_state = TextInputManagerState::new::<State>(&display_handle);
|
||||||
let input_method_state =
|
let input_method_state =
|
||||||
InputMethodManagerState::new::<State, _>(&display_handle, |_| true);
|
InputMethodManagerState::new::<State, _>(&display_handle, |client| {
|
||||||
|
!client.get_data::<ClientState>().unwrap().restricted
|
||||||
|
});
|
||||||
let virtual_keyboard_state =
|
let virtual_keyboard_state =
|
||||||
VirtualKeyboardManagerState::new::<State, _>(&display_handle, |_| true);
|
VirtualKeyboardManagerState::new::<State, _>(&display_handle, |client| {
|
||||||
|
!client.get_data::<ClientState>().unwrap().restricted
|
||||||
|
});
|
||||||
|
|
||||||
let mut seat: Seat<State> = seat_state.new_wl_seat(&display_handle, backend.seat_name());
|
let mut seat: Seat<State> = seat_state.new_wl_seat(&display_handle, backend.seat_name());
|
||||||
seat.add_keyboard(
|
seat.add_keyboard(
|
||||||
@@ -781,6 +796,7 @@ impl Niri {
|
|||||||
let data = Arc::new(ClientState {
|
let data = Arc::new(ClientState {
|
||||||
compositor_state: Default::default(),
|
compositor_state: Default::default(),
|
||||||
can_view_decoration_globals: config.prefer_no_csd,
|
can_view_decoration_globals: config.prefer_no_csd,
|
||||||
|
restricted: false,
|
||||||
});
|
});
|
||||||
|
|
||||||
if let Err(err) = state.niri.display_handle.insert_client(client, data) {
|
if let Err(err) = state.niri.display_handle.insert_client(client, data) {
|
||||||
@@ -851,6 +867,7 @@ impl Niri {
|
|||||||
popup_grab: None,
|
popup_grab: None,
|
||||||
suppressed_keys: HashSet::new(),
|
suppressed_keys: HashSet::new(),
|
||||||
presentation_state,
|
presentation_state,
|
||||||
|
security_context_state,
|
||||||
|
|
||||||
seat,
|
seat,
|
||||||
keyboard_focus: None,
|
keyboard_focus: None,
|
||||||
@@ -2535,6 +2552,8 @@ impl Niri {
|
|||||||
pub struct ClientState {
|
pub struct ClientState {
|
||||||
pub compositor_state: CompositorClientState,
|
pub compositor_state: CompositorClientState,
|
||||||
pub can_view_decoration_globals: bool,
|
pub can_view_decoration_globals: bool,
|
||||||
|
/// Whether this client is denied from the restricted protocols such as security-context.
|
||||||
|
pub restricted: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl ClientData for ClientState {
|
impl ClientData for ClientState {
|
||||||
|
|||||||
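Review bot: The closure `|client| !client.get_data::<ClientState>().unwrap().restricted` is repeated for six globals in this `impl Niri` section (layer-shell, session-lock, data-control, security-context, input-method, virtual-keyboard), and it panics if a client ever carries data of another type. One helper would keep the policy in one place and fail closed: `fn is_unrestricted(client: &Client) -> bool { client.get_data::<ClientState>().map_or(false, |d| !d.restricted) }`. The doc comment on `restricted` names only security-context and could list all the hidden protocols. Globals created outside the visible hunks are not covered here and should be checked for the same filter.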