config: add exe client criteria

jay-config/src/_private.rs

@@ -93,4 +93,5 @@ pub enum ClientCriterionStringField {
     SandboxAppId,
     SandboxInstanceId,
     Comm,
+    Exe,
 }

jay-config/src/_private/client.rs

@@ -1547,6 +1547,8 @@ impl ConfigClient {
             ClientCriterion::IsXwayland => ClientCriterionIpc::IsXwayland,
             ClientCriterion::Comm(t) => string!(t, Comm, false),
             ClientCriterion::CommRegex(t) => string!(t, Comm, true),
+            ClientCriterion::Exe(t) => string!(t, Exe, false),
+            ClientCriterion::ExeRegex(t) => string!(t, Exe, true),
         };
         let res = self.send_with_response(&ClientMessage::CreateClientMatcher { criterion });
         get_response!(

jay-config/src/client.rs

@@ -87,6 +87,10 @@ pub enum ClientCriterion<'a> {
     Comm(&'a str),
     /// Matches the `/proc/pid/comm` of the client with a regular expression.
     CommRegex(&'a str),
+    /// Matches the `/proc/pid/exe` of the client verbatim.
+    Exe(&'a str),
+    /// Matches the `/proc/pid/exe` of the client with a regular expression.
+    ExeRegex(&'a str),
 }
 
 impl ClientCriterion<'_> {

src/config/handler.rs

@@ -1883,6 +1883,7 @@ impl ConfigProxyHandler {
                         mgr.sandbox_instance_id(needle)
                     }
                     ClientCriterionStringField::Comm => mgr.comm(needle),
+                    ClientCriterionStringField::Exe => mgr.exe(needle),
                 }
             }
             ClientCriterionIpc::Sandboxed => mgr.sandboxed(),

src/criteria/clm.rs

@@ -11,7 +11,7 @@ use {
                 clmm_pid::ClmMatchPid,
                 clmm_sandboxed::ClmMatchSandboxed,
                 clmm_string::{
-                    ClmMatchComm, ClmMatchSandboxAppId, ClmMatchSandboxEngine,
+                    ClmMatchComm, ClmMatchExe, ClmMatchSandboxAppId, ClmMatchSandboxEngine,
                     ClmMatchSandboxInstanceId,
                 },
                 clmm_uid::ClmMatchUid,
@@ -60,6 +60,7 @@ pub struct RootMatchers {
     uid: ClmRootMatcherMap<ClmMatchUid>,
     pid: ClmRootMatcherMap<ClmMatchPid>,
     comm: ClmRootMatcherMap<ClmMatchComm>,
+    exe: ClmRootMatcherMap<ClmMatchExe>,
 }
 
 pub async fn handle_cl_changes(state: Rc<State>) {
@@ -163,6 +164,7 @@ impl ClMatcherManager {
             unconditional!(uid);
             unconditional!(pid);
             unconditional!(comm);
+            unconditional!(exe);
             fixed!(sandboxed);
             fixed!(is_xwayland);
             self.constant[true].handle(data);
@@ -200,6 +202,10 @@ impl ClMatcherManager {
     pub fn comm(&self, string: CritLiteralOrRegex) -> Rc<ClmUpstreamNode> {
         self.root(ClmMatchComm::new(string))
     }
+
+    pub fn exe(&self, string: CritLiteralOrRegex) -> Rc<ClmUpstreamNode> {
+        self.root(ClmMatchExe::new(string))
+    }
 }
 
 impl CritTarget for Rc<Client> {

src/criteria/clm/clm_matchers/clmm_string.rs

@@ -16,9 +16,11 @@ pub type ClmMatchSandboxEngine = ClmMatchString<AcceptorMetadataAccess<SandboxEn
 pub type ClmMatchSandboxAppId = ClmMatchString<AcceptorMetadataAccess<SandboxAppIdField>>;
 pub type ClmMatchSandboxInstanceId = ClmMatchString<AcceptorMetadataAccess<SandboxInstanceIdField>>;
 pub type ClmMatchComm = ClmMatchString<CommAccess>;
+pub type ClmMatchExe = ClmMatchString<ExeAccess>;
 
 pub struct AcceptorMetadataAccess<T>(PhantomData<T>);
 pub struct CommAccess;
+pub struct ExeAccess;
 
 trait SandboxField: Sized + 'static {
     fn field(meta: &AcceptorMetadata) -> &Option<String>;
@@ -89,3 +91,13 @@ impl StringAccess<Rc<Client>> for CommAccess {
         &roots.comm
     }
 }
+
+impl StringAccess<Rc<Client>> for ExeAccess {
+    fn with_string(data: &Rc<Client>, f: impl FnOnce(&str) -> bool) -> bool {
+        f(&data.pid_info.exe)
+    }
+
+    fn nodes(roots: &RootMatchers) -> &ClmRootMatcherMap<ClmMatchString<Self>> {
+        &roots.exe
+    }
+}

src/utils/pid_info.rs

@@ -1,6 +1,7 @@
 use {
     crate::utils::{errorfmt::ErrorFmt, oserror::OsError},
     bstr::ByteSlice,
+    std::os::unix::ffi::OsStrExt,
     uapi::{OwnedFd, c},
 };
 
@@ -8,6 +9,7 @@ pub struct PidInfo {
     pub uid: c::uid_t,
     pub pid: c::pid_t,
     pub comm: String,
+    pub exe: String,
 }
 
 pub fn get_pid_info(uid: c::uid_t, pid: c::pid_t) -> PidInfo {
@@ -18,7 +20,24 @@ pub fn get_pid_info(uid: c::uid_t, pid: c::pid_t) -> PidInfo {
             "Unknown".to_string()
         }
     };
-    PidInfo { uid, pid, comm }
+    let exe = match std::fs::read_link(format!("/proc/{}/exe", pid)) {
+        Ok(name) => name
+            .as_os_str()
+            .as_bytes()
+            .trim_ascii_end()
+            .as_bstr()
+            .to_string(),
+        Err(e) => {
+            log::warn!("Could not read `exe` of pid {}: {}", pid, ErrorFmt(e));
+            "Unknown".to_string()
+        }
+    };
+    PidInfo {
+        uid,
+        pid,
+        comm,
+        exe,
+    }
 }
 
 pub fn get_socket_creds(socket: &OwnedFd) -> Option<(c::uid_t, c::pid_t)> {

toml-config/src/config.rs

@@ -237,6 +237,8 @@ pub struct ClientMatch {
     pub is_xwayland: Option<bool>,
     pub comm: Option<String>,
     pub comm_regex: Option<String>,
+    pub exe: Option<String>,
+    pub exe_regex: Option<String>,
 }
 
 #[derive(Debug, Clone)]

toml-config/src/config/parsers/client_match.rs

@@ -57,6 +57,8 @@ impl Parser for ClientMatchParser<'_> {
                 is_xwayland,
                 comm,
                 comm_regex,
+                exe,
+                exe_regex,
             ),
         ) = ext.extract((
             (
@@ -79,6 +81,8 @@ impl Parser for ClientMatchParser<'_> {
                 opt(bol("is-xwayland")),
                 opt(str("comm")),
                 opt(str("comm-regex")),
+                opt(str("exe")),
+                opt(str("exe-regex")),
             ),
         ))?;
         let mut not = None;
@@ -124,6 +128,8 @@ impl Parser for ClientMatchParser<'_> {
             is_xwayland: is_xwayland.despan(),
             comm: comm.despan_into(),
             comm_regex: comm_regex.despan_into(),
+            exe: exe.despan_into(),
+            exe_regex: exe_regex.despan_into(),
         })
     }
 }

toml-config/src/rules.rs

@@ -122,6 +122,8 @@ impl Rule for ClientRule {
         value_ref!(SandboxInstanceIdRegex, sandbox_instance_id_regex);
         value_ref!(Comm, comm);
         value_ref!(CommRegex, comm_regex);
+        value_ref!(Exe, exe);
+        value_ref!(ExeRegex, exe_regex);
         value!(Uid, uid);
         value!(Pid, pid);
         bool!(Sandboxed, sandboxed);

toml-spec/spec/spec.generated.json

@@ -579,6 +579,14 @@
         "comm-regex": {
           "type": "string",
           "description": "Matches the `/proc/pid/comm` of the client with a regular expression."
+        },
+        "exe": {
+          "type": "string",
+          "description": "Matches the `/proc/pid/exe` of the client verbatim."
+        },
+        "exe-regex": {
+          "type": "string",
+          "description": "Matches the `/proc/pid/exe` of the client with a regular expression."
         }
       },
       "required": []

toml-spec/spec/spec.generated.md

@@ -905,6 +905,18 @@ The table has the following fields:
 
   The value of this field should be a string.
 
+- `exe` (optional):
+
+  Matches the `/proc/pid/exe` of the client verbatim.
+
+  The value of this field should be a string.
+
+- `exe-regex` (optional):
+
+  Matches the `/proc/pid/exe` of the client with a regular expression.
+
+  The value of this field should be a string.
+
 
 <a name="types-ClientMatchExactly"></a>
 ### `ClientMatchExactly`

toml-spec/spec/spec.yaml

@@ -3259,6 +3259,14 @@ ClientMatch:
       kind: string
       required: false
       description: Matches the `/proc/pid/comm` of the client with a regular expression.
+    exe:
+      kind: string
+      required: false
+      description: Matches the `/proc/pid/exe` of the client verbatim.
+    exe-regex:
+      kind: string
+      required: false
+      description: Matches the `/proc/pid/exe` of the client with a regular expression.
 
 
 ClientMatchExactly: