Signed-off-by: Puck Meerburg
---
pkgs/development/libraries/wlroots/0.15.nix | 20 ++-
.../libraries/wlroots/security-context-v1.xml | 131 ++++++++++++++++++
2 files changed, 150 insertions(+), 1 deletion(-)
create mode 100644 pkgs/development/libraries/wlroots/security-context-v1.xml
diff --git a/pkgs/development/libraries/wlroots/0.15.nix b/pkgs/development/libraries/wlroots/0.15.nix
index 7648ebe5d25..441f2991218 100644
--- a/pkgs/development/libraries/wlroots/0.15.nix
+++ b/pkgs/development/libraries/wlroots/0.15.nix
@@ -2,7 +2,7 @@
, libGL, wayland, wayland-protocols, libinput, libxkbcommon, pixman
, xcbutilwm, libX11, libcap, xcbutilimage, xcbutilerrors, mesa
, libpng, ffmpeg_4, xcbutilrenderutil, seatd, vulkan-loader, glslang
-, nixosTests
+, nixosTests, fetchpatch
, enableXWayland ? true, xwayland ? null
}:
@@ -39,6 +39,24 @@ stdenv.mkDerivation rec {
lib.optional (!enableXWayland) "-Dxwayland=disabled"
;
+ patches = [
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/1f2cd76e27f19d268...";
+ sha256 = "sha256-18/v/TTRrnDDzrGJ4ZqCsnH+wsFuAJMvgBDS+JqAjoU=";
+ })
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/193e7dc6bb02ca379...";
+ sha256 = "sha256-Z+Hi+DBVH/m1MABTzlxMLUuWMe5BFg++J9UP1mxs4z8=";
+ })
+ ];
+
+ # Add the protocol here instead of in wayland-protocols for recompilation reasons
+ postPatch = ''
+ cp ${./security-context-v1.xml} protocol/security-context-v1.xml
+ substituteInPlace protocol/meson.build \
+ --replace "wl_protocol_dir / 'staging/security-context/" "'"
+ '';
+
postFixup = ''
# Install ALL example programs to $examples:
# screencopy dmabuf-capture input-inhibitor layer-shell idle-inhibit idle
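Review bot: The two fetchpatch entries carry no comment or `name`, so a reader cannot tell what each patch does or which upstream merge request it tracks, and both are pulled from a personal fork rather than the wlroots upstream. A one-line comment above each entry naming the change (e.g. `# security-context-v1 protocol support, see upstream MR <placeholder>`) and a `name = "...";` attribute would make the pin reviewable and let it be swapped for the upstream commit when merged. The URLs are displayed truncated here, so I cannot confirm they end in `.patch`; a bare GitLab commit URL returns HTML and fetchpatch will fail on it, so please verify the suffix. Note also that `patches` is added inside a `mkDerivation rec { ... }` whose start is outside this hunk; if the derivation already defines `patches` elsewhere this would be a duplicate attribute.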
diff --git a/pkgs/development/libraries/wlroots/security-context-v1.xml b/pkgs/development/libraries/wlroots/security-context-v1.xml
new file mode 100644
index 00000000000..073c0d07585
--- /dev/null
+++ b/pkgs/development/libraries/wlroots/security-context-v1.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="security_context_v1">
+ <copyright>
+ Copyright © 2021 Simon Ser
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice (including the next
+ paragraph) shall be included in all copies or substantial portions of the
+ Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+ </copyright>
+
+ <interface name="wp_security_context_manager_v1" version="1">
+ <description summary="client security context manager">
+ This interface allows a client to register a new Wayland connection to
+ the compositor and attach a security context to it.
+
+ This is intended to be used by sandboxes. Sandbox engines attach a
+ security context to all connections coming from inside the sandbox. The
+ compositor can then restrict the features that the sandboxed connections
+ can use.
+
+ Warning! The protocol described in this file is experimental and
+ backward incompatible changes may be made. Backward compatible changes
+ may be added together with the corresponding interface version bump.
+ Backward incompatible changes are done by bumping the version number in
+ the protocol and interface names and resetting the interface version.
+ Once the protocol is to be declared stable, the 'z' prefix and the
+ version number in the protocol and interface names are removed and the
+ interface version number is reset.
+ </description>
+
+ <enum name="error">
+
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the manager object">
+ Destroy the manager. This doesn't destroy objects created with the
+ manager.
+ </description>
+ </request>
+
+ <request name="create_listener">
+ <description summary="create a new security context">
+ Creates a new security context with a socket listening FD.
+
+ The compositor will accept new client connections on listen_fd.
+ listen_fd must be ready to accept new connections when this request is
+ sent by the client. In other words, the client must call bind(2) and
+ listen(2) before sending the FD.
+
+ close_fd is a FD closed by the client when the compositor should stop
+ accepting new connections on listen_fd.
+
+ The compositor must continue to accept connections on listen_fd when
+ the Wayland client which created the security context disconnects.
+ </description>
+ <arg name="id" type="new_id" interface="wp_security_context_v1"/>
+ <arg name="listen_fd" type="fd" summary="listening socket FD"/>
+ <arg name="close_fd" type="fd" summary="FD closed when done"/>
+ </request>
+ </interface>
+
+ <interface name="wp_security_context_v1" version="1">
+ <description summary="client security context">
+ The security context allows a client to register a new client and attach
+ security context metadata to the connections.
+
+ When both are set, the application ID and the sandbox engine must
+ uniquely identify an application.
+ </description>
+
+ <enum name="error">
+
+
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the security context object">
+ Destroy the security context object.
+ </description>
+ </request>
+
+ <request name="set_sandbox_engine">
+ <description summary="set the sandbox engine">
+ Attach a unique sandbox engine name to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="name" type="string" summary="the sandbox engine name"/>
+ </request>
+
+ <request name="set_app_id">
+ <description summary="set the application ID">
+ Attach an application ID to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="app_id" type="string" summary="the application ID"/>
+ </request>
+
+ <request name="commit">
+ <description summary="register the security context">
+ Atomically register the new client and attach the security context
+ metadata.
+
+ It's a protocol error to send any request other than "destroy" after
+ this request. In this case, the already_used error is sent.
+ </description>
+ </request>
+ </interface>
+</protocol>
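Review bot: Both `<enum name="error">` blocks (after the manager description and after the wp_security_context_v1 description) are empty as shown, yet the request descriptions reference the `already_set` and `already_used` errors, so the generated headers would define no such values and a compositor could not raise the named protocol errors the text promises. The hunk header counts 131 lines while 128 are visible, so the entries may have been lost in rendering rather than in the file; please confirm. If they are really missing, the context enum needs at least `<entry name="already_used" value="0" summary="security context has already been committed"/>` and `<entry name="already_set" value="1" summary="metadata has already been set"/>` (values constructed here; match the upstream definition), and the manager enum needs a corresponding entry for a listen_fd that is not a listening socket, which the compositor otherwise has no named way to reject. Separately, the manager description's paragraph about the 'z' prefix describes the unstable naming scheme, but the interfaces here use the `wp_` prefix with no 'z', so that paragraph should be aligned with the naming actually used.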
--
2.35.1