mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2025-10-29 05:40:27 -04:00
protocol-native: improve security context properties
Remove the engine_name, use pipewire.sec.engine in the properties. Make some constants for this. Document some more properties.
This commit is contained in:
Wim Taymans
parent
d250f6932c
commit
477c6e8e90
5 changed files with 26 additions and 33 deletions
|
|
@ -1890,7 +1890,7 @@ static int security_context_method_marshal_add_listener(void *object,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int security_context_marshal_create(void *object, const char *engine_name,
|
||||
static int security_context_marshal_create(void *object,
|
||||
int listen_fd, int close_fd, const struct spa_dict *props)
|
||||
{
|
||||
struct pw_proxy *proxy = object;
|
||||
|
|
@ -1901,7 +1901,6 @@ static int security_context_marshal_create(void *object, const char *engine_name
|
|||
|
||||
spa_pod_builder_push_struct(b, &f);
|
||||
spa_pod_builder_add(b,
|
||||
SPA_POD_String(engine_name),
|
||||
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, listen_fd)),
|
||||
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, close_fd)),
|
||||
NULL);
|
||||
|
|
@ -1917,7 +1916,6 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
|||
struct spa_dict props = SPA_DICT_INIT(NULL, 0);
|
||||
struct spa_pod_parser prs;
|
||||
struct spa_pod_frame f[2];
|
||||
char *engine_name;
|
||||
int64_t listen_idx, close_idx;
|
||||
int listen_fd, close_fd;
|
||||
|
||||
|
|
@ -1925,7 +1923,6 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
|||
if (spa_pod_parser_push_struct(&prs, &f[0]) < 0)
|
||||
return -EINVAL;
|
||||
if (spa_pod_parser_get(&prs,
|
||||
SPA_POD_String(&engine_name),
|
||||
SPA_POD_Fd(&listen_idx),
|
||||
SPA_POD_Fd(&close_idx),
|
||||
NULL) < 0)
|
||||
|
|
@ -1936,7 +1933,7 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
|||
close_fd = pw_protocol_native_get_resource_fd(resource, close_idx);
|
||||
|
||||
return pw_resource_notify(resource, struct pw_security_context_methods, create, 0,
|
||||
engine_name, listen_fd, close_fd, &props);
|
||||
listen_fd, close_fd, &props);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@ struct resource_data {
|
|||
};
|
||||
|
||||
static int security_context_create(void *object,
|
||||
const char *engine_name,
|
||||
int listen_fd,
|
||||
int close_fd,
|
||||
const struct spa_dict *props)
|
||||
|
|
@ -36,40 +35,25 @@ static int security_context_create(void *object,
|
|||
struct resource_data *d = object;
|
||||
struct impl *impl = d->impl;
|
||||
struct pw_impl_client *client;
|
||||
const struct pw_properties *cp;
|
||||
struct pw_properties *p;
|
||||
const struct pw_properties *p;
|
||||
int res = 0;
|
||||
|
||||
if (engine_name == NULL)
|
||||
goto invalid;
|
||||
|
||||
if ((client = impl->context->current_client) == NULL)
|
||||
goto not_allowed;
|
||||
if (client->protocol != impl->protocol)
|
||||
goto not_allowed;
|
||||
|
||||
/* we can't make a nested security context */
|
||||
cp = pw_impl_client_get_properties(client);
|
||||
if (pw_properties_get(cp, PW_KEY_SEC_CONTEXT) != NULL)
|
||||
p = pw_impl_client_get_properties(client);
|
||||
if (pw_properties_get(p, PW_KEY_SEC_ENGINE) != NULL)
|
||||
goto not_allowed;
|
||||
|
||||
p = props ? pw_properties_new_dict(props) : pw_properties_new(NULL, NULL);
|
||||
if (p == NULL)
|
||||
goto not_allowed;
|
||||
|
||||
pw_properties_set(p, PW_KEY_SEC_CONTEXT, engine_name);
|
||||
|
||||
if (pw_protocol_add_fd_server(impl->protocol, impl->context->core,
|
||||
listen_fd, close_fd, &p->dict) == NULL)
|
||||
listen_fd, close_fd, props) == NULL)
|
||||
res = -errno;
|
||||
|
||||
pw_properties_free(p);
|
||||
|
||||
return res;
|
||||
|
||||
invalid:
|
||||
pw_log_warn("missing engine name");
|
||||
return -EINVAL;
|
||||
not_allowed:
|
||||
pw_log_warn("can't make security context");
|
||||
return -EPERM;
|
||||
|
|
|
|||
|
|
@ -70,19 +70,25 @@ struct pw_security_context_methods {
|
|||
* After sending this request, closing listen_fd and close_fd remains the
|
||||
* only valid operation on them.
|
||||
*
|
||||
* \param engine_name a unique sandbox engine name.
|
||||
* \param listen_fd the fd to listen on for new connections
|
||||
* \param close_fd the fd used to stop listening
|
||||
* \param props extra (engine_name specific) properties. These will be
|
||||
* copied on the client that connects through this context.
|
||||
* \param props extra properties. These will be copied on the client
|
||||
* that connects through this context.
|
||||
*
|
||||
* Some properties to set:
|
||||
*
|
||||
* - pipewire.sec.engine with the engine name.
|
||||
* - pipewire.sec.app-id with the application id, this is an opaque,
|
||||
* engine specific id for an application
|
||||
* - pipewire.sec.instance-id with the instance id, this is an opaque,
|
||||
* engine specific id for a running instance of an application.
|
||||
*
|
||||
* See https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md
|
||||
* For a list of engine_names and the properties to set.
|
||||
* For a list of engine names and the properties to set.
|
||||
*
|
||||
* This requires X and W permissions on the security_context.
|
||||
*/
|
||||
int (*create) (void *object,
|
||||
const char *engine_name,
|
||||
int listen_fd,
|
||||
int close_fd,
|
||||
const struct spa_dict *props);
|
||||
|
|
|
|||
|
|
@ -39,7 +39,12 @@ extern "C" {
|
|||
#define PW_KEY_SEC_LABEL "pipewire.sec.label" /**< client security label, set by protocol*/
|
||||
|
||||
#define PW_KEY_SEC_SOCKET "pipewire.sec.socket" /**< client socket name, set by protocol */
|
||||
#define PW_KEY_SEC_CONTEXT "pipewire.sec.context" /**< client secure context, set by protocol */
|
||||
|
||||
#define PW_KEY_SEC_ENGINE "pipewire.sec.engine" /**< client secure context engine, set by protocol.
|
||||
* This can also be set by a client when making a
|
||||
* new security context. */
|
||||
#define PW_KEY_SEC_APP_ID "pipewire.sec.app-id" /**< client secure application id */
|
||||
#define PW_KEY_SEC_INSTANCE_ID "pipewire.sec.instance-id" /**< client secure instance id */
|
||||
|
||||
#define PW_KEY_LIBRARY_NAME_SYSTEM "library.name.system" /**< name of the system library to use */
|
||||
#define PW_KEY_LIBRARY_NAME_LOOP "library.name.loop" /**< name of the loop library to use */
|
||||
|
|
|
|||
|
|
@ -137,10 +137,11 @@ static void test_create(void)
|
|||
|
||||
static const struct spa_dict_item items[] = {
|
||||
{ "pipewire.foo.bar", "baz" },
|
||||
{ "pipewire.access", "restricted" },
|
||||
{ PW_KEY_SEC_ENGINE, "org.flatpak" },
|
||||
{ PW_KEY_ACCESS, "restricted" },
|
||||
};
|
||||
|
||||
pw_security_context_create(info.sec, "org.flatpak",
|
||||
pw_security_context_create(info.sec,
|
||||
listen_fd, close_fd[1],
|
||||
&SPA_DICT_INIT_ARRAY(items));
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue