From: Puck Meerburg <puck@puckipedia.com>
To: devel@spectrum-os.org
Cc: Puck Meerburg <puck@puckipedia.com>
Subject: [RFC PATCH nixpkgs 2/4] wlroots: apply security-context patches
Date: Fri, 30 Sep 2022 19:45:58 +0000 [thread overview]
Message-ID: <20220930194600.1033126-3-puck@puckipedia.com> (raw)
In-Reply-To: <20220930194600.1033126-1-puck@puckipedia.com>
Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
pkgs/development/libraries/wlroots/0.15.nix | 20 ++-
.../libraries/wlroots/security-context-v1.xml | 131 ++++++++++++++++++
2 files changed, 150 insertions(+), 1 deletion(-)
create mode 100644 pkgs/development/libraries/wlroots/security-context-v1.xml
diff --git a/pkgs/development/libraries/wlroots/0.15.nix b/pkgs/development/libraries/wlroots/0.15.nix
index 7648ebe5d25..441f2991218 100644
--- a/pkgs/development/libraries/wlroots/0.15.nix
+++ b/pkgs/development/libraries/wlroots/0.15.nix
@@ -2,7 +2,7 @@
, libGL, wayland, wayland-protocols, libinput, libxkbcommon, pixman
, xcbutilwm, libX11, libcap, xcbutilimage, xcbutilerrors, mesa
, libpng, ffmpeg_4, xcbutilrenderutil, seatd, vulkan-loader, glslang
-, nixosTests
+, nixosTests, fetchpatch
, enableXWayland ? true, xwayland ? null
}:
@@ -39,6 +39,24 @@ stdenv.mkDerivation rec {
lib.optional (!enableXWayland) "-Dxwayland=disabled"
;
+ patches = [
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/1f2cd76e27f19d268dec60b72e2bfdcb13cff660.patch";
+ sha256 = "sha256-18/v/TTRrnDDzrGJ4ZqCsnH+wsFuAJMvgBDS+JqAjoU=";
+ })
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/193e7dc6bb02ca379dc7d26ef407b8216e1fb503.patch";
+ sha256 = "sha256-Z+Hi+DBVH/m1MABTzlxMLUuWMe5BFg++J9UP1mxs4z8=";
+ })
+ ];
+
+ # Add the protocol here instead of in wayland-protocols for recompilation reasons
+ postPatch = ''
+ cp ${./security-context-v1.xml} protocol/security-context-v1.xml
+ substituteInPlace protocol/meson.build \
+ --replace "wl_protocol_dir / 'staging/security-context/" "'"
+ '';
+
postFixup = ''
# Install ALL example programs to $examples:
# screencopy dmabuf-capture input-inhibitor layer-shell idle-inhibit idle
diff --git a/pkgs/development/libraries/wlroots/security-context-v1.xml b/pkgs/development/libraries/wlroots/security-context-v1.xml
new file mode 100644
index 00000000000..073c0d07585
--- /dev/null
+++ b/pkgs/development/libraries/wlroots/security-context-v1.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="security_context_v1">
+ <copyright>
+ Copyright © 2021 Simon Ser
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice (including the next
+ paragraph) shall be included in all copies or substantial portions of the
+ Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+ </copyright>
+
+ <interface name="wp_security_context_manager_v1" version="1">
+ <description summary="client security context manager">
+ This interface allows a client to register a new Wayland connection to
+ the compositor and attach a security context to it.
+
+ This is intended to be used by sandboxes. Sandbox engines attach a
+ security context to all connections coming from inside the sandbox. The
+ compositor can then restrict the features that the sandboxed connections
+ can use.
+
+ Warning! The protocol described in this file is experimental and
+ backward incompatible changes may be made. Backward compatible changes
+ may be added together with the corresponding interface version bump.
+ Backward incompatible changes are done by bumping the version number in
+ the protocol and interface names and resetting the interface version.
+ Once the protocol is to be declared stable, the 'z' prefix and the
+ version number in the protocol and interface names are removed and the
+ interface version number is reset.
+ </description>
+
+ <enum name="error">
+ <entry name="invalid_listen_fd" value="1"
+ summary="listening socket FD is invalid"/>
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the manager object">
+ Destroy the manager. This doesn't destroy objects created with the
+ manager.
+ </description>
+ </request>
+
+ <request name="create_listener">
+ <description summary="create a new security context">
+ Creates a new security context with a socket listening FD.
+
+ The compositor will accept new client connections on listen_fd.
+ listen_fd must be ready to accept new connections when this request is
+ sent by the client. In other words, the client must call bind(2) and
+ listen(2) before sending the FD.
+
+ close_fd is a FD closed by the client when the compositor should stop
+ accepting new connections on listen_fd.
+
+ The compositor must continue to accept connections on listen_fd when
+ the Wayland client which created the security context disconnects.
+ </description>
+ <arg name="id" type="new_id" interface="wp_security_context_v1"/>
+ <arg name="listen_fd" type="fd" summary="listening socket FD"/>
+ <arg name="close_fd" type="fd" summary="FD closed when done"/>
+ </request>
+ </interface>
+
+ <interface name="wp_security_context_v1" version="1">
+ <description summary="client security context">
+ The security context allows a client to register a new client and attach
+ security context metadata to the connections.
+
+ When both are set, the application ID and the sandbox engine must
+ uniquely identify an application.
+ </description>
+
+ <enum name="error">
+ <entry name="already_used" value="1"
+ summary="security context has already been committed"/>
+ <entry name="already_set" value="2"
+ summary="metadata has already been set"/>
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the security context object">
+ Destroy the security context object.
+ </description>
+ </request>
+
+ <request name="set_sandbox_engine">
+ <description summary="set the sandbox engine">
+ Attach a unique sandbox engine name to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="name" type="string" summary="the sandbox engine name"/>
+ </request>
+
+ <request name="set_app_id">
+ <description summary="set the application ID">
+ Attach an application ID to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="app_id" type="string" summary="the application ID"/>
+ </request>
+
+ <request name="commit">
+ <description summary="register the security context">
+ Atomically register the new client and attach the security context
+ metadata.
+
+ It's a protocol error to send any request other than "destroy" after
+ this request. In this case, the already_used error is sent.
+ </description>
+ </request>
+ </interface>
+</protocol>
--
2.35.1
next prev parent reply other threads:[~2022-09-30 19:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-30 19:45 [RFC PATCH nixpkgs 0/4] Wayland security-context support Puck Meerburg
2022-09-30 19:45 ` [RFC PATCH nixpkgs 1/4] cloud-hypervisor: workaround keymap mmap Puck Meerburg
2022-09-30 19:45 ` Puck Meerburg [this message]
2022-09-30 19:45 ` [RFC PATCH nixpkgs 3/4] sway: apply security-context patches Puck Meerburg
2022-09-30 19:46 ` [RFC PATCH nixpkgs 4/4] crosvm: " Puck Meerburg
2022-09-30 22:08 ` [RFC PATCH nixpkgs 0/4] Wayland security-context support Puck Meerburg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220930194600.1033126-3-puck@puckipedia.com \
--to=puck@puckipedia.com \
--cc=devel@spectrum-os.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://spectrum-os.org/git/crosvm
https://spectrum-os.org/git/doc
https://spectrum-os.org/git/mktuntap
https://spectrum-os.org/git/nixpkgs
https://spectrum-os.org/git/spectrum
https://spectrum-os.org/git/ucspi-vsock
https://spectrum-os.org/git/www
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).