From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,
	SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 123A071BC8;
	Fri, 30 Sep 2022 19:48:53 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 496)
	id F321271BBA; Fri, 30 Sep 2022 19:48:50 +0000 (UTC)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com
 [64.147.123.24])
	by atuin.qyliss.net (Postfix) with ESMTPS id 8CEB671B8B
	for <devel@spectrum-os.org>; Fri, 30 Sep 2022 19:48:47 +0000 (UTC)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
	by mailout.west.internal (Postfix) with ESMTP id 2920B3200A1B;
	Fri, 30 Sep 2022 15:48:46 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute2.internal (MEProxy); Fri, 30 Sep 2022 15:48:46 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=puckipedia.com;
	 h=cc:cc:content-transfer-encoding:content-type:date:date:from
	:from:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:sender:subject:subject:to:to; s=fm3; t=1664567325; x=
	1664653725; bh=wpdYeO8YhWnIqlU+QzEkKX0EfLF+HMSBZdk1GALyzkc=; b=G
	2UracI3Y8sALvTeAImTqaZfxVRRprQjvKkq1JgOfcSuQzI7sXGwDtDEv5CL6UMxt
	+Zcqoy25kVReJNIpEHoXChwJ3dMIjXG7BZ2d8bzPzGyfHn0hvR/YPyqjCbnm8Tsp
	7fzWZmq/W6pQ1DMLG0sdyZzUiQ4O4miZBFAwv6VA/nSoI37QVLg0j4HRzmsLQXj6
	8K6FFFv0Ds/E0Zt0BB/ptsZkGcmDygDutIwD9ZEXu6Rvk7s2d5Bw4SusvLa+Mk9d
	JtQoWvOgji6IRoPSWrZ1ELW3gxXBFLjhFthcCTzBM72khRgIqmtwA0m+R3H0y3Mr
	rf5JXO+MmJ/Wrun+GWtVA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1664567325; x=
	1664653725; bh=wpdYeO8YhWnIqlU+QzEkKX0EfLF+HMSBZdk1GALyzkc=; b=x
	phP8wp4osTwRKHrbBkAs+8G+0OFaezK0NKfH3v0gcDvJJhkX489fW1pUO1UxVrRK
	Gbsicr0VYgf9REerhvVU3+K/3vagdke8GueD+1zGVovfu53PPY3TioNW7Dagdm5e
	cwmdDpVRr6cIpX/IrBivLkUrBCIxfAkQGUQi/VwdFUiejP8T34sAqHaoeegVtklq
	XK58rw0imVImExE7vXw/1p0ygmaI5arDmjjEK8A245Jq4ychAtFK16ek/ufEZQbW
	A8y3bQcWncZxsPdg42iPz+giCK/2mtJTX5VA7COslWM1gmn5RaAts2zP8ljxfcGT
	TYdVgcFpfGMMwMmHkXy9Q==
X-ME-Sender: <xms:HUg3YyG2y107YD4CG0Q4bTWFl054uQsb37yHFolBwppT0MAOBd0qiw>
    <xme:HUg3YzVOwMGHLy0igyMrbbwT_tzqtZ-3nuOoDGCM3eb72C-jrLZEW-kQwKmAZck2f
    2gp-k_UnlutM-sgLng>
X-ME-Received: 
 <xmr:HUg3Y8JCYUtVcyS0_ZGgaeK-rZ1TQ82se2X1WZDoUVZNnBOEGrov_hlLYf0sQEJLnrYLacNTjJ7Wg8yOq3aHZCSxS1s>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgedvfedrfeehvddgudegvdcutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
    necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvvefufffkofgjfhggtgfgse
    htkeertdertdejnecuhfhrohhmpefruhgtkhcuofgvvghrsghurhhguceophhutghksehp
    uhgtkhhiphgvughirgdrtghomheqnecuggftrfgrthhtvghrnhepjeejvdfhhffhueeufe
    ejudefgeegvdehfeefvdelkefggfeljeevffffleefgfffnecuffhomhgrihhnpehfrhgv
    vgguvghskhhtohhprdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe
    hmrghilhhfrhhomhepphhutghksehpuhgtkhhiphgvughirgdrtghomh
X-ME-Proxy: <xmx:HUg3Y8EkH4ahfGiwsef302zJ8nZveiTM3Cwgy6s5S7oW9qHZgWpEzg>
    <xmx:HUg3Y4XQd5LVKQkwuJN86imq0T6YA22rZXFxZ2IA2mSuaPkf0zZY0w>
    <xmx:HUg3Y_Pi3RNEr6lwwFXM5W4ZJe9JtKzNHxBBFZeKcn_-GEaq3FfVNw>
    <xmx:HUg3Yxc2V2xF6QcViCi8bQGZXGoql9pAgUYlanuBBUREnZI8Fw7ewA>
Feedback-ID: ie69944d9:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri,
 30 Sep 2022 15:48:45 -0400 (EDT)
From: Puck Meerburg <puck@puckipedia.com>
To: devel@spectrum-os.org
Subject: [RFC PATCH nixpkgs 2/4] wlroots: apply security-context patches
Date: Fri, 30 Sep 2022 19:45:58 +0000
Message-Id: <20220930194600.1033126-3-puck@puckipedia.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220930194600.1033126-1-puck@puckipedia.com>
References: <20220930194600.1033126-1-puck@puckipedia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-ID-Hash: U2ZY4DP3AC5OH757WLIGELJWMWHWDIQA
X-Message-ID-Hash: U2ZY4DP3AC5OH757WLIGELJWMWHWDIQA
X-MailFrom: puck@puckipedia.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Puck Meerburg <puck@puckipedia.com>
X-Mailman-Version: 3.3.5
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/U2ZY4DP3AC5OH757WLIGELJWMWHWDIQA/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
 pkgs/development/libraries/wlroots/0.15.nix   |  20 ++-
 .../libraries/wlroots/security-context-v1.xml | 131 ++++++++++++++++++
 2 files changed, 150 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/development/libraries/wlroots/security-context-v1.xml

diff --git a/pkgs/development/libraries/wlroots/0.15.nix b/pkgs/development/libraries/wlroots/0.15.nix
index 7648ebe5d25..441f2991218 100644
--- a/pkgs/development/libraries/wlroots/0.15.nix
+++ b/pkgs/development/libraries/wlroots/0.15.nix
@@ -2,7 +2,7 @@
 , libGL, wayland, wayland-protocols, libinput, libxkbcommon, pixman
 , xcbutilwm, libX11, libcap, xcbutilimage, xcbutilerrors, mesa
 , libpng, ffmpeg_4, xcbutilrenderutil, seatd, vulkan-loader, glslang
-, nixosTests
+, nixosTests, fetchpatch
 
 , enableXWayland ? true, xwayland ? null
 }:
@@ -39,6 +39,24 @@ stdenv.mkDerivation rec {
     lib.optional (!enableXWayland) "-Dxwayland=disabled"
   ;
 
+  patches = [
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/1f2cd76e27f19d268dec60b72e2bfdcb13cff660.patch";
+      sha256 = "sha256-18/v/TTRrnDDzrGJ4ZqCsnH+wsFuAJMvgBDS+JqAjoU=";
+    })
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/193e7dc6bb02ca379dc7d26ef407b8216e1fb503.patch";
+      sha256 = "sha256-Z+Hi+DBVH/m1MABTzlxMLUuWMe5BFg++J9UP1mxs4z8=";
+    })
+  ];
+
+  # Add the protocol here instead of in wayland-protocols for recompilation reasons
+  postPatch = ''
+    cp ${./security-context-v1.xml} protocol/security-context-v1.xml
+    substituteInPlace protocol/meson.build \
+      --replace "wl_protocol_dir / 'staging/security-context/" "'"
+  '';
+
   postFixup = ''
     # Install ALL example programs to $examples:
     # screencopy dmabuf-capture input-inhibitor layer-shell idle-inhibit idle
diff --git a/pkgs/development/libraries/wlroots/security-context-v1.xml b/pkgs/development/libraries/wlroots/security-context-v1.xml
new file mode 100644
index 00000000000..073c0d07585
--- /dev/null
+++ b/pkgs/development/libraries/wlroots/security-context-v1.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="security_context_v1">
+  <copyright>
+    Copyright © 2021 Simon Ser
+
+    Permission is hereby granted, free of charge, to any person obtaining a
+    copy of this software and associated documentation files (the "Software"),
+    to deal in the Software without restriction, including without limitation
+    the rights to use, copy, modify, merge, publish, distribute, sublicense,
+    and/or sell copies of the Software, and to permit persons to whom the
+    Software is furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice (including the next
+    paragraph) shall be included in all copies or substantial portions of the
+    Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+    DEALINGS IN THE SOFTWARE.
+  </copyright>
+
+  <interface name="wp_security_context_manager_v1" version="1">
+    <description summary="client security context manager">
+      This interface allows a client to register a new Wayland connection to
+      the compositor and attach a security context to it.
+
+      This is intended to be used by sandboxes. Sandbox engines attach a
+      security context to all connections coming from inside the sandbox. The
+      compositor can then restrict the features that the sandboxed connections
+      can use.
+
+      Warning! The protocol described in this file is experimental and
+      backward incompatible changes may be made. Backward compatible changes
+      may be added together with the corresponding interface version bump.
+      Backward incompatible changes are done by bumping the version number in
+      the protocol and interface names and resetting the interface version.
+      Once the protocol is to be declared stable, the 'z' prefix and the
+      version number in the protocol and interface names are removed and the
+      interface version number is reset.
+    </description>
+
+    <enum name="error">
+      <entry name="invalid_listen_fd" value="1"
+        summary="listening socket FD is invalid"/>
+    </enum>
+
+    <request name="destroy" type="destructor">
+      <description summary="destroy the manager object">
+        Destroy the manager. This doesn't destroy objects created with the
+        manager.
+      </description>
+    </request>
+
+    <request name="create_listener">
+      <description summary="create a new security context">
+        Creates a new security context with a socket listening FD.
+
+        The compositor will accept new client connections on listen_fd.
+        listen_fd must be ready to accept new connections when this request is
+        sent by the client. In other words, the client must call bind(2) and
+        listen(2) before sending the FD.
+
+        close_fd is a FD closed by the client when the compositor should stop
+        accepting new connections on listen_fd.
+
+        The compositor must continue to accept connections on listen_fd when
+        the Wayland client which created the security context disconnects.
+      </description>
+      <arg name="id" type="new_id" interface="wp_security_context_v1"/>
+      <arg name="listen_fd" type="fd" summary="listening socket FD"/>
+      <arg name="close_fd" type="fd" summary="FD closed when done"/>
+    </request>
+  </interface>
+
+  <interface name="wp_security_context_v1" version="1">
+    <description summary="client security context">
+      The security context allows a client to register a new client and attach
+      security context metadata to the connections.
+
+      When both are set, the application ID and the sandbox engine must
+      uniquely identify an application.
+    </description>
+
+    <enum name="error">
+      <entry name="already_used" value="1"
+        summary="security context has already been committed"/>
+      <entry name="already_set" value="2"
+        summary="metadata has already been set"/>
+    </enum>
+
+    <request name="destroy" type="destructor">
+      <description summary="destroy the security context object">
+        Destroy the security context object.
+      </description>
+    </request>
+
+    <request name="set_sandbox_engine">
+      <description summary="set the sandbox engine">
+        Attach a unique sandbox engine name to the security context.
+
+        It is a protocol error to call this request twice. The already_set
+        error is sent in this case.
+      </description>
+      <arg name="name" type="string" summary="the sandbox engine name"/>
+    </request>
+
+    <request name="set_app_id">
+      <description summary="set the application ID">
+        Attach an application ID to the security context.
+
+        It is a protocol error to call this request twice. The already_set
+        error is sent in this case.
+      </description>
+      <arg name="app_id" type="string" summary="the application ID"/>
+    </request>
+
+    <request name="commit">
+      <description summary="register the security context">
+        Atomically register the new client and attach the security context
+        metadata.
+
+        It's a protocol error to send any request other than "destroy" after
+        this request. In this case, the already_used error is sent.
+      </description>
+    </request>
+  </interface>
+</protocol>
-- 
2.35.1