From 8a35bc3ca493fbb7663e6919e495301aa2a0028c Mon Sep 17 00:00:00 2001 From: kossLAN Date: Fri, 29 May 2026 18:13:14 -0400 Subject: [PATCH] security: remove context protocol --- src/acceptor.rs | 4 +- src/client.rs | 19 ++- src/compositor.rs | 1 - .../clm/clm_matchers/clmm_sandboxed.rs | 2 +- src/criteria/clm/clm_matchers/clmm_string.rs | 41 +++--- src/globals.rs | 2 - src/ifs.rs | 2 - src/ifs/jay_client_query.rs | 8 +- src/ifs/wp_security_context_manager_v1.rs | 103 -------------- src/ifs/wp_security_context_v1.rs | 117 ---------------- src/main.rs | 1 - src/security_context_acceptor.rs | 132 ------------------ src/state.rs | 3 - src/xwayland.rs | 5 +- wire/wp_security_context_manager_v1.txt | 8 -- wire/wp_security_context_v1.txt | 17 --- 16 files changed, 42 insertions(+), 423 deletions(-) delete mode 100644 src/ifs/wp_security_context_manager_v1.rs delete mode 100644 src/ifs/wp_security_context_v1.rs delete mode 100644 src/security_context_acceptor.rs delete mode 100644 wire/wp_security_context_manager_v1.txt delete mode 100644 wire/wp_security_context_v1.txt diff --git a/src/acceptor.rs b/src/acceptor.rs index b23b1ade..324d31a1 100644 --- a/src/acceptor.rs +++ b/src/acceptor.rs @@ -1,7 +1,7 @@ use { crate::{ async_engine::SpawnedFuture, - security_context_acceptor::AcceptorMetadata, + client::ClientMetadata, state::State, utils::{ errorfmt::ErrorFmt, @@ -138,7 +138,7 @@ impl Acceptor { } async fn accept(fd: Rc, state: Rc) { - let metadata = Rc::new(AcceptorMetadata::default()); + let metadata = Rc::new(ClientMetadata::default()); loop { let fd = match state.ring.accept(&fd, c::SOCK_CLOEXEC).await { Ok(fd) => fd, diff --git a/src/client.rs b/src/client.rs index b3a36bb9..28b71eaf 100644 --- a/src/client.rs +++ b/src/client.rs @@ -14,7 +14,6 @@ use { }, leaks::Tracker, object::{Interface, Object, ObjectId, WL_DISPLAY_ID}, - security_context_acceptor::AcceptorMetadata, state::State, utils::{ asyncevent::AsyncEvent, @@ -95,6 +94,14 @@ pub struct Clients { shutdown_clients: RefCell>, } +#[derive(Default)] +pub struct ClientMetadata { + pub sandboxed: bool, + pub sandbox_engine: Option, + pub app_id: Option, + pub instance_id: Option, +} + impl Clients { pub fn new() -> Self { Self { @@ -126,12 +133,12 @@ impl Clients { id: ClientId, global: &Rc, socket: Rc, - acceptor: &Rc, + metadata: &Rc, ) -> Result<(), ClientError> { let Some((uid, pid)) = get_socket_creds(&socket) else { return Ok(()); }; - self.spawn2(id, global, socket, uid, pid, false, acceptor)?; + self.spawn2(id, global, socket, uid, pid, false, metadata)?; Ok(()) } @@ -143,7 +150,7 @@ impl Clients { uid: c::uid_t, pid: c::pid_t, is_xwayland: bool, - acceptor: &Rc, + metadata: &Rc, ) -> Result, ClientError> { let data = Rc::new_cyclic(|slf| Client { id, @@ -173,7 +180,7 @@ impl Clients { focus_stealing_serial: Default::default(), changed_properties: Default::default(), destroyed: Default::default(), - acceptor: acceptor.clone(), + metadata: metadata.clone(), }); track!(data, data); let display = Rc::new(WlDisplay::new(&data)); @@ -292,7 +299,7 @@ pub struct Client { pub focus_stealing_serial: Cell>, pub changed_properties: Cell, pub destroyed: CopyHashMap>>, - pub acceptor: Rc, + pub metadata: Rc, } pub const NUM_CACHED_SERIAL_RANGES: usize = 64; diff --git a/src/compositor.rs b/src/compositor.rs index 9eac6f98..141a206f 100644 --- a/src/compositor.rs +++ b/src/compositor.rs @@ -325,7 +325,6 @@ fn start_compositor2( explicit_sync_supported: Default::default(), keyboard_state_ids: Default::default(), physical_keyboard_ids: Default::default(), - security_context_acceptors: Default::default(), cursor_user_group_ids: Default::default(), cursor_user_ids: Default::default(), cursor_user_groups: Default::default(), diff --git a/src/criteria/clm/clm_matchers/clmm_sandboxed.rs b/src/criteria/clm/clm_matchers/clmm_sandboxed.rs index 8e0d8f53..1f84e16d 100644 --- a/src/criteria/clm/clm_matchers/clmm_sandboxed.rs +++ b/src/criteria/clm/clm_matchers/clmm_sandboxed.rs @@ -8,6 +8,6 @@ fixed_root_criterion!(ClmMatchSandboxed, sandboxed); impl CritFixedRootCriterion for ClmMatchSandboxed { fn matches(&self, data: &Client) -> bool { - data.acceptor.sandboxed + data.metadata.sandboxed } } diff --git a/src/criteria/clm/clm_matchers/clmm_string.rs b/src/criteria/clm/clm_matchers/clmm_string.rs index 8f7c3689..aaf82198 100644 --- a/src/criteria/clm/clm_matchers/clmm_string.rs +++ b/src/criteria/clm/clm_matchers/clmm_string.rs @@ -1,44 +1,43 @@ use { crate::{ - client::Client, + client::{Client, ClientMetadata}, criteria::{ clm::{ClmRootMatcherMap, RootMatchers}, crit_matchers::critm_string::{CritMatchString, StringAccess}, }, - security_context_acceptor::AcceptorMetadata, }, std::marker::PhantomData, }; pub type ClmMatchString = CritMatchString; -pub type ClmMatchSandboxEngine = ClmMatchString>; -pub type ClmMatchSandboxAppId = ClmMatchString>; -pub type ClmMatchSandboxInstanceId = ClmMatchString>; +pub type ClmMatchSandboxEngine = ClmMatchString>; +pub type ClmMatchSandboxAppId = ClmMatchString>; +pub type ClmMatchSandboxInstanceId = ClmMatchString>; pub type ClmMatchComm = ClmMatchString; pub type ClmMatchExe = ClmMatchString; -pub struct AcceptorMetadataAccess(PhantomData); +pub struct ClientMetadataAccess(PhantomData); pub struct CommAccess; pub struct ExeAccess; -trait AcceptorMetadataField: Sized + 'static { - fn field(meta: &AcceptorMetadata) -> &Option; +trait ClientMetadataField: Sized + 'static { + fn field(meta: &ClientMetadata) -> &Option; fn nodes( roots: &RootMatchers, - ) -> &ClmRootMatcherMap>>; + ) -> &ClmRootMatcherMap>>; } pub struct SandboxEngineField; pub struct SandboxAppIdField; pub struct SandboxInstanceIdField; -impl StringAccess for AcceptorMetadataAccess +impl StringAccess for ClientMetadataAccess where - T: AcceptorMetadataField, + T: ClientMetadataField, { fn with_string(data: &Client, f: impl FnOnce(&str) -> bool) -> bool { - f(T::field(&data.acceptor).as_deref().unwrap_or_default()) + f(T::field(&data.metadata).as_deref().unwrap_or_default()) } fn nodes(roots: &RootMatchers) -> &ClmRootMatcherMap> { @@ -46,38 +45,38 @@ where } } -impl AcceptorMetadataField for SandboxEngineField { - fn field(meta: &AcceptorMetadata) -> &Option { +impl ClientMetadataField for SandboxEngineField { + fn field(meta: &ClientMetadata) -> &Option { &meta.sandbox_engine } fn nodes( roots: &RootMatchers, - ) -> &ClmRootMatcherMap>> { + ) -> &ClmRootMatcherMap>> { &roots.sandbox_engine } } -impl AcceptorMetadataField for SandboxAppIdField { - fn field(meta: &AcceptorMetadata) -> &Option { +impl ClientMetadataField for SandboxAppIdField { + fn field(meta: &ClientMetadata) -> &Option { &meta.app_id } fn nodes( roots: &RootMatchers, - ) -> &ClmRootMatcherMap>> { + ) -> &ClmRootMatcherMap>> { &roots.sandbox_app_id } } -impl AcceptorMetadataField for SandboxInstanceIdField { - fn field(meta: &AcceptorMetadata) -> &Option { +impl ClientMetadataField for SandboxInstanceIdField { + fn field(meta: &ClientMetadata) -> &Option { &meta.instance_id } fn nodes( roots: &RootMatchers, - ) -> &ClmRootMatcherMap>> { + ) -> &ClmRootMatcherMap>> { &roots.sandbox_instance_id } } diff --git a/src/globals.rs b/src/globals.rs index 23d303e2..963f3ccd 100644 --- a/src/globals.rs +++ b/src/globals.rs @@ -56,7 +56,6 @@ use { wp_fractional_scale_manager_v1::WpFractionalScaleManagerV1Global, wp_linux_drm_syncobj_manager_v1::WpLinuxDrmSyncobjManagerV1Global, wp_presentation::WpPresentationGlobal, - wp_security_context_manager_v1::WpSecurityContextManagerV1Global, wp_single_pixel_buffer_manager_v1::WpSinglePixelBufferManagerV1Global, wp_tearing_control_manager_v1::WpTearingControlManagerV1Global, wp_viewporter::WpViewporterGlobal, @@ -205,7 +204,6 @@ singletons! { ZwpVirtualKeyboardManagerV1, ZwpInputMethodManagerV2, ZwpTextInputManagerV3, - WpSecurityContextManagerV1, XdgWmDialogV1, ExtTransientSeatManagerV1, ZwpPointerGesturesV1, diff --git a/src/ifs.rs b/src/ifs.rs index 7df67bae..85993cf3 100644 --- a/src/ifs.rs +++ b/src/ifs.rs @@ -74,8 +74,6 @@ pub mod wp_linux_drm_syncobj_manager_v1; pub mod wp_linux_drm_syncobj_timeline_v1; pub mod wp_presentation; pub mod wp_presentation_feedback; -pub mod wp_security_context_manager_v1; -pub mod wp_security_context_v1; pub mod wp_single_pixel_buffer_manager_v1; pub mod wp_tearing_control_manager_v1; pub mod wp_viewporter; diff --git a/src/ifs/jay_client_query.rs b/src/ifs/jay_client_query.rs index 2a20e109..99807433 100644 --- a/src/ifs/jay_client_query.rs +++ b/src/ifs/jay_client_query.rs @@ -71,25 +71,25 @@ impl JayClientQueryRequestHandler for JayClientQuery { exe: &client.pid_info.exe, }); } - if client.acceptor.sandboxed { + if client.metadata.sandboxed { self.client.event(Sandboxed { self_id: self.id }); } if client.is_xwayland { self.client.event(IsXwayland { self_id: self.id }); } - if let Some(engine) = &client.acceptor.sandbox_engine { + if let Some(engine) = &client.metadata.sandbox_engine { self.client.event(SandboxEngine { self_id: self.id, engine, }); } - if let Some(app_id) = &client.acceptor.app_id { + if let Some(app_id) = &client.metadata.app_id { self.client.event(SandboxAppId { self_id: self.id, app_id, }); } - if let Some(instance_id) = &client.acceptor.instance_id { + if let Some(instance_id) = &client.metadata.instance_id { self.client.event(SandboxInstanceId { self_id: self.id, instance_id, diff --git a/src/ifs/wp_security_context_manager_v1.rs b/src/ifs/wp_security_context_manager_v1.rs deleted file mode 100644 index 8a6c668c..00000000 --- a/src/ifs/wp_security_context_manager_v1.rs +++ /dev/null @@ -1,103 +0,0 @@ -use { - crate::{ - client::{Client, ClientError}, - globals::{Global, GlobalName}, - ifs::wp_security_context_v1::WpSecurityContextV1, - leaks::Tracker, - object::{Object, Version}, - wire::{WpSecurityContextManagerV1Id, wp_security_context_manager_v1::*}, - }, - std::rc::Rc, - thiserror::Error, -}; - -pub struct WpSecurityContextManagerV1Global { - pub name: GlobalName, -} - -impl WpSecurityContextManagerV1Global { - pub fn new(name: GlobalName) -> Self { - Self { name } - } - - fn bind_( - self: Rc, - id: WpSecurityContextManagerV1Id, - client: &Rc, - version: Version, - ) -> Result<(), WpSecurityContextManagerV1Error> { - let obj = Rc::new(WpSecurityContextManagerV1 { - id, - client: client.clone(), - tracker: Default::default(), - version, - }); - track!(client, obj); - client.add_client_obj(&obj)?; - Ok(()) - } -} - -global_base!( - WpSecurityContextManagerV1Global, - WpSecurityContextManagerV1, - WpSecurityContextManagerV1Error -); - -impl Global for WpSecurityContextManagerV1Global { - fn version(&self) -> u32 { - 1 - } -} - -simple_add_global!(WpSecurityContextManagerV1Global); - -pub struct WpSecurityContextManagerV1 { - pub id: WpSecurityContextManagerV1Id, - pub client: Rc, - pub tracker: Tracker, - pub version: Version, -} - -impl WpSecurityContextManagerV1RequestHandler for WpSecurityContextManagerV1 { - type Error = WpSecurityContextManagerV1Error; - - fn destroy(&self, _req: Destroy, _slf: &Rc) -> Result<(), Self::Error> { - self.client.remove_obj(self)?; - Ok(()) - } - - fn create_listener(&self, req: CreateListener, _slf: &Rc) -> Result<(), Self::Error> { - let obj = Rc::new(WpSecurityContextV1 { - id: req.id, - client: self.client.clone(), - tracker: Default::default(), - version: self.version, - listen_fd: req.listen_fd, - close_fd: req.close_fd, - sandbox_engine: Default::default(), - app_id: Default::default(), - instance_id: Default::default(), - committed: Default::default(), - }); - track!(self.client, obj); - self.client.add_client_obj(&obj)?; - Ok(()) - } -} - -object_base! { - self = WpSecurityContextManagerV1; - version = self.version; -} - -impl Object for WpSecurityContextManagerV1 {} - -simple_add_obj!(WpSecurityContextManagerV1); - -#[derive(Debug, Error)] -pub enum WpSecurityContextManagerV1Error { - #[error(transparent)] - ClientError(Box), -} -efrom!(WpSecurityContextManagerV1Error, ClientError); diff --git a/src/ifs/wp_security_context_v1.rs b/src/ifs/wp_security_context_v1.rs deleted file mode 100644 index 1eb1ee99..00000000 --- a/src/ifs/wp_security_context_v1.rs +++ /dev/null @@ -1,117 +0,0 @@ -use { - crate::{ - client::{Client, ClientError}, - leaks::Tracker, - object::{Object, Version}, - wire::{WpSecurityContextV1Id, wp_security_context_v1::*}, - }, - std::{ - cell::{Cell, RefCell}, - rc::Rc, - }, - thiserror::Error, - uapi::OwnedFd, -}; - -pub struct WpSecurityContextV1 { - pub id: WpSecurityContextV1Id, - pub client: Rc, - pub tracker: Tracker, - pub version: Version, - pub listen_fd: Rc, - pub close_fd: Rc, - pub sandbox_engine: RefCell>, - pub app_id: RefCell>, - pub instance_id: RefCell>, - pub committed: Cell, -} - -impl WpSecurityContextV1 { - fn check_committed(&self) -> Result<(), WpSecurityContextV1Error> { - if self.committed.get() { - return Err(WpSecurityContextV1Error::Committed); - } - Ok(()) - } -} - -impl WpSecurityContextV1RequestHandler for WpSecurityContextV1 { - type Error = WpSecurityContextV1Error; - - fn destroy(&self, _req: Destroy, _slf: &Rc) -> Result<(), Self::Error> { - self.client.remove_obj(self)?; - Ok(()) - } - - fn set_sandbox_engine( - &self, - req: SetSandboxEngine<'_>, - _slf: &Rc, - ) -> Result<(), Self::Error> { - self.check_committed()?; - let val = &mut *self.sandbox_engine.borrow_mut(); - if val.is_some() { - return Err(WpSecurityContextV1Error::EnginSet); - } - *val = Some(req.name.to_string()); - Ok(()) - } - - fn set_app_id(&self, req: SetAppId<'_>, _slf: &Rc) -> Result<(), Self::Error> { - self.check_committed()?; - let val = &mut *self.app_id.borrow_mut(); - if val.is_some() { - return Err(WpSecurityContextV1Error::AppSet); - } - *val = Some(req.app_id.to_string()); - Ok(()) - } - - fn set_instance_id(&self, req: SetInstanceId<'_>, _slf: &Rc) -> Result<(), Self::Error> { - self.check_committed()?; - let val = &mut *self.instance_id.borrow_mut(); - if val.is_some() { - return Err(WpSecurityContextV1Error::InstanceSet); - } - *val = Some(req.instance_id.to_string()); - Ok(()) - } - - fn commit(&self, _req: Commit, _slf: &Rc) -> Result<(), Self::Error> { - self.check_committed()?; - self.committed.set(true); - self.client.state.security_context_acceptors.spawn( - &self.client.state, - self.sandbox_engine.take(), - self.app_id.take(), - self.instance_id.take(), - &self.listen_fd, - &self.close_fd, - ); - Ok(()) - } -} - -object_base! { - self = WpSecurityContextV1; - version = self.version; -} - -impl Object for WpSecurityContextV1 {} - -simple_add_obj!(WpSecurityContextV1); - -#[derive(Debug, Error)] -pub enum WpSecurityContextV1Error { - #[error(transparent)] - ClientError(Box), - #[error("The sandbox engine has already been set")] - EnginSet, - #[error("The app id has already been set")] - AppSet, - #[error("The instance id has already been set")] - InstanceSet, - #[error("The context has already been committed")] - Committed, -} -efrom!(WpSecurityContextV1Error, ClientError); diff --git a/src/main.rs b/src/main.rs index 77f13bbb..4576a824 100644 --- a/src/main.rs +++ b/src/main.rs @@ -97,7 +97,6 @@ mod rect; mod renderer; mod scale; mod screenshoter; -mod security_context_acceptor; mod sighand; mod state; mod tasks; diff --git a/src/security_context_acceptor.rs b/src/security_context_acceptor.rs deleted file mode 100644 index f13f0b0f..00000000 --- a/src/security_context_acceptor.rs +++ /dev/null @@ -1,132 +0,0 @@ -use { - crate::{ - async_engine::SpawnedFuture, - state::State, - utils::{copyhashmap::CopyHashMap, errorfmt::ErrorFmt, hash_map_ext::HashMapExt}, - }, - std::{ - cell::Cell, - fmt::{Display, Formatter}, - rc::Rc, - }, - uapi::{OwnedFd, c}, -}; - -#[derive(Default)] -pub struct SecurityContextAcceptors { - ids: AcceptorIds, - acceptors: CopyHashMap>, -} - -linear_ids!(AcceptorIds, AcceptorId, u64); - -struct Acceptor { - id: AcceptorId, - state: Rc, - metadata: Rc, - listen_fd: Rc, - close_fd: Rc, - listen_future: Cell>>, - close_future: Cell>>, -} - -#[derive(Default)] -pub struct AcceptorMetadata { - pub sandboxed: bool, - pub sandbox_engine: Option, - pub app_id: Option, - pub instance_id: Option, -} - -impl SecurityContextAcceptors { - pub fn clear(&self) { - for acceptor in self.acceptors.lock().drain_values() { - acceptor.kill(); - } - } - - pub fn spawn( - &self, - state: &Rc, - sandbox_engine: Option, - app_id: Option, - instance_id: Option, - listen_fd: &Rc, - close_fd: &Rc, - ) { - let acceptor = Rc::new(Acceptor { - id: self.ids.next(), - state: state.clone(), - metadata: Rc::new(AcceptorMetadata { - sandboxed: true, - sandbox_engine, - app_id, - instance_id, - }), - listen_fd: listen_fd.clone(), - close_fd: close_fd.clone(), - listen_future: Cell::new(None), - close_future: Cell::new(None), - }); - log::info!("Creating security acceptor {acceptor}"); - acceptor.listen_future.set(Some( - state - .eng - .spawn("security accept", acceptor.clone().accept()), - )); - acceptor.close_future.set(Some( - state - .eng - .spawn("security await close", acceptor.clone().close()), - )); - self.acceptors.set(acceptor.id, acceptor); - } -} - -impl Acceptor { - fn kill(&self) { - log::info!("Destroying security acceptor {self}"); - self.listen_future.take(); - self.close_future.take(); - self.state - .security_context_acceptors - .acceptors - .remove(&self.id); - } - - async fn accept(self: Rc) { - let s = &self.state; - loop { - let fd = match s.ring.accept(&self.listen_fd, c::SOCK_CLOEXEC).await { - Ok(fd) => fd, - Err(e) => { - log::error!("Could not accept a client: {}", ErrorFmt(e)); - break; - } - }; - let id = s.clients.id(); - if let Err(e) = s.clients.spawn(id, s, fd, &self.metadata) { - log::error!("Could not spawn a client: {}", ErrorFmt(e)); - break; - } - } - self.kill(); - } - - async fn close(self: Rc) { - let _ = self.state.ring.poll(&self.close_fd, 0).await; - self.kill(); - } -} - -impl Display for Acceptor { - fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { - write!( - f, - "{}/{}/{}", - self.metadata.sandbox_engine.as_deref().unwrap_or(""), - self.metadata.app_id.as_deref().unwrap_or(""), - self.metadata.instance_id.as_deref().unwrap_or(""), - ) - } -} diff --git a/src/state.rs b/src/state.rs index bcb4f63e..047fdb9f 100644 --- a/src/state.rs +++ b/src/state.rs @@ -108,7 +108,6 @@ use { rect::{Rect, Region}, renderer::Renderer, scale::Scale, - security_context_acceptor::SecurityContextAcceptors, theme::{BarPosition, Color, Theme, ThemeColor, ThemeSized}, time::Time, tree::{ @@ -343,7 +342,6 @@ pub struct State { pub explicit_sync_supported: Cell, pub keyboard_state_ids: KeyboardStateIds, pub physical_keyboard_ids: PhysicalKeyboardIds, - pub security_context_acceptors: SecurityContextAcceptors, pub cursor_user_group_ids: CursorUserGroupIds, pub cursor_user_ids: CursorUserIds, pub cursor_user_groups: CopyHashMap>, @@ -1249,7 +1247,6 @@ impl State { self.render_ctx_watchers.clear(); self.workspace_watchers.clear(); self.toplevel_lists.clear(); - self.security_context_acceptors.clear(); self.slow_clients.clear(); for h in self.input_device_handlers.borrow_mut().drain_values() { h.async_event.clear(); diff --git a/src/xwayland.rs b/src/xwayland.rs index 37949193..66dd1b60 100644 --- a/src/xwayland.rs +++ b/src/xwayland.rs @@ -3,7 +3,7 @@ mod xwm; use { crate::{ - client::ClientError, + client::{ClientError, ClientMetadata}, compositor::DISPLAY, forker::{ForkerError, ForkerProxy}, ifs::{ @@ -12,7 +12,6 @@ use { wl_surface::x_surface::xwindow::{Xwindow, XwindowData}, }, io_uring::IoUringError, - security_context_acceptor::AcceptorMetadata, state::State, user_session::import_environment, utils::{ @@ -192,7 +191,7 @@ async fn run( uapi::getuid(), pid, true, - &Rc::new(AcceptorMetadata::default()), + &Rc::new(ClientMetadata::default()), ); let client = match client { Ok(c) => c, diff --git a/wire/wp_security_context_manager_v1.txt b/wire/wp_security_context_manager_v1.txt deleted file mode 100644 index 6d351344..00000000 --- a/wire/wp_security_context_manager_v1.txt +++ /dev/null @@ -1,8 +0,0 @@ -request destroy (destructor) { -} - -request create_listener { - id: id(wp_security_context_v1) (new), - listen_fd: fd, - close_fd: fd, -} diff --git a/wire/wp_security_context_v1.txt b/wire/wp_security_context_v1.txt deleted file mode 100644 index 1a037aee..00000000 --- a/wire/wp_security_context_v1.txt +++ /dev/null @@ -1,17 +0,0 @@ -request destroy (destructor) { -} - -request set_sandbox_engine { - name: str, -} - -request set_app_id { - app_id: str, -} - -request set_instance_id { - instance_id: str, -} - -request commit { -}