protocol-native: improve security context properties
Remove the engine_name, use pipewire.sec.engine in the properties. Make some constants for this. Document some more properties.
parent
d250f6932c
commit
477c6e8e90
5 changed files with 26 additions and 33 deletions
|
|
@ -1890,7 +1890,7 @@ static int security_context_method_marshal_add_listener(void *object,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int security_context_marshal_create(void *object, const char *engine_name,
|
static int security_context_marshal_create(void *object,
|
||||||
int listen_fd, int close_fd, const struct spa_dict *props)
|
int listen_fd, int close_fd, const struct spa_dict *props)
|
||||||
{
|
{
|
||||||
struct pw_proxy *proxy = object;
|
struct pw_proxy *proxy = object;
|
||||||
|
|
@ -1901,7 +1901,6 @@ static int security_context_marshal_create(void *object, const char *engine_name
|
||||||
|
|
||||||
spa_pod_builder_push_struct(b, &f);
|
spa_pod_builder_push_struct(b, &f);
|
||||||
spa_pod_builder_add(b,
|
spa_pod_builder_add(b,
|
||||||
SPA_POD_String(engine_name),
|
|
||||||
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, listen_fd)),
|
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, listen_fd)),
|
||||||
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, close_fd)),
|
SPA_POD_Fd(pw_protocol_native_add_proxy_fd(proxy, close_fd)),
|
||||||
NULL);
|
NULL);
|
||||||
|
|
@ -1917,7 +1916,6 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
||||||
struct spa_dict props = SPA_DICT_INIT(NULL, 0);
|
struct spa_dict props = SPA_DICT_INIT(NULL, 0);
|
||||||
struct spa_pod_parser prs;
|
struct spa_pod_parser prs;
|
||||||
struct spa_pod_frame f[2];
|
struct spa_pod_frame f[2];
|
||||||
char *engine_name;
|
|
||||||
int64_t listen_idx, close_idx;
|
int64_t listen_idx, close_idx;
|
||||||
int listen_fd, close_fd;
|
int listen_fd, close_fd;
|
||||||
|
|
||||||
|
|
@ -1925,7 +1923,6 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
||||||
if (spa_pod_parser_push_struct(&prs, &f[0]) < 0)
|
if (spa_pod_parser_push_struct(&prs, &f[0]) < 0)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
if (spa_pod_parser_get(&prs,
|
if (spa_pod_parser_get(&prs,
|
||||||
SPA_POD_String(&engine_name),
|
|
||||||
SPA_POD_Fd(&listen_idx),
|
SPA_POD_Fd(&listen_idx),
|
||||||
SPA_POD_Fd(&close_idx),
|
SPA_POD_Fd(&close_idx),
|
||||||
NULL) < 0)
|
NULL) < 0)
|
||||||
|
|
@ -1936,7 +1933,7 @@ static int security_context_demarshal_create(void *object, const struct pw_proto
|
||||||
close_fd = pw_protocol_native_get_resource_fd(resource, close_idx);
|
close_fd = pw_protocol_native_get_resource_fd(resource, close_idx);
|
||||||
|
|
||||||
return pw_resource_notify(resource, struct pw_security_context_methods, create, 0,
|
return pw_resource_notify(resource, struct pw_security_context_methods, create, 0,
|
||||||
engine_name, listen_fd, close_fd, &props);
|
listen_fd, close_fd, &props);
|
||||||
}
|
}
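Review bot: Dropping the leading `SPA_POD_String` from the create message changes the wire layout in both security_context_marshal_create and security_context_demarshal_create, and nothing visible in these hunks distinguishes the old layout from the new one. A peer built before this change still sends the engine string first, so `spa_pod_parser_get` would presumably fail at the first `SPA_POD_Fd` and the call would return -EINVAL with no hint at the cause. If the old layout was ever released, the interface version should change with it. Otherwise a short comment above the demarshal function would document the break, for example `/* create: listen fd, close fd, props; the engine name is carried in props as pipewire.sec.engine */`. Both functions begin or continue outside the hunks shown.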
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,6 @@ struct resource_data {
|
||||||
};
|
};
|
||||||
|
|
||||||
static int security_context_create(void *object,
|
static int security_context_create(void *object,
|
||||||
const char *engine_name,
|
|
||||||
int listen_fd,
|
int listen_fd,
|
||||||
int close_fd,
|
int close_fd,
|
||||||
const struct spa_dict *props)
|
const struct spa_dict *props)
|
||||||
|
|
@ -36,40 +35,25 @@ static int security_context_create(void *object,
|
||||||
struct resource_data *d = object;
|
struct resource_data *d = object;
|
||||||
struct impl *impl = d->impl;
|
struct impl *impl = d->impl;
|
||||||
struct pw_impl_client *client;
|
struct pw_impl_client *client;
|
||||||
const struct pw_properties *cp;
|
const struct pw_properties *p;
|
||||||
struct pw_properties *p;
|
|
||||||
int res = 0;
|
int res = 0;
|
||||||
|
|
||||||
if (engine_name == NULL)
|
|
||||||
goto invalid;
|
|
||||||
|
|
||||||
if ((client = impl->context->current_client) == NULL)
|
if ((client = impl->context->current_client) == NULL)
|
||||||
goto not_allowed;
|
goto not_allowed;
|
||||||
if (client->protocol != impl->protocol)
|
if (client->protocol != impl->protocol)
|
||||||
goto not_allowed;
|
goto not_allowed;
|
||||||
|
|
||||||
/* we can't make a nested security context */
|
/* we can't make a nested security context */
|
||||||
cp = pw_impl_client_get_properties(client);
|
p = pw_impl_client_get_properties(client);
|
||||||
if (pw_properties_get(cp, PW_KEY_SEC_CONTEXT) != NULL)
|
if (pw_properties_get(p, PW_KEY_SEC_ENGINE) != NULL)
|
||||||
goto not_allowed;
|
goto not_allowed;
|
||||||
|
|
||||||
p = props ? pw_properties_new_dict(props) : pw_properties_new(NULL, NULL);
|
|
||||||
if (p == NULL)
|
|
||||||
goto not_allowed;
|
|
||||||
|
|
||||||
pw_properties_set(p, PW_KEY_SEC_CONTEXT, engine_name);
|
|
||||||
|
|
||||||
if (pw_protocol_add_fd_server(impl->protocol, impl->context->core,
|
if (pw_protocol_add_fd_server(impl->protocol, impl->context->core,
|
||||||
listen_fd, close_fd, &p->dict) == NULL)
|
listen_fd, close_fd, props) == NULL)
|
||||||
res = -errno;
|
res = -errno;
|
||||||
|
|
||||||
pw_properties_free(p);
|
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
invalid:
|
|
||||||
pw_log_warn("missing engine name");
|
|
||||||
return -EINVAL;
|
|
||||||
not_allowed:
|
not_allowed:
|
||||||
pw_log_warn("can't make security context");
|
pw_log_warn("can't make security context");
|
||||||
return -EPERM;
|
return -EPERM;
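Review bot: Nothing in the new security_context_create checks that `props` is non-NULL or that it carries `pipewire.sec.engine`, whereas the removed code rejected a missing engine name with -EINVAL and always stamped the key itself. The nested-context guard a few lines up now keys on `PW_KEY_SEC_ENGINE` in the caller's properties, so if a context is created without that key, clients connecting through it would presumably not be recognised as sandboxed and could create contexts of their own. Whether pw_protocol_add_fd_server fills the key in or tolerates a NULL dict is not visible here. I would keep an explicit check before the add_fd_server call, e.g. `if (props == NULL || spa_dict_lookup(props, PW_KEY_SEC_ENGINE) == NULL) return -EINVAL;`, and state in the `create` documentation in the header that the key is required rather than listing it under "Some properties to set". The function's closing brace lies outside the hunk.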
|
||||||
|
|
|
||||||
|
|
@ -70,19 +70,25 @@ struct pw_security_context_methods {
|
||||||
* After sending this request, closing listen_fd and close_fd remains the
|
* After sending this request, closing listen_fd and close_fd remains the
|
||||||
* only valid operation on them.
|
* only valid operation on them.
|
||||||
*
|
*
|
||||||
* \param engine_name a unique sandbox engine name.
|
|
||||||
* \param listen_fd the fd to listen on for new connections
|
* \param listen_fd the fd to listen on for new connections
|
||||||
* \param close_fd the fd used to stop listening
|
* \param close_fd the fd used to stop listening
|
||||||
* \param props extra (engine_name specific) properties. These will be
|
* \param props extra properties. These will be copied on the client
|
||||||
* copied on the client that connects through this context.
|
* that connects through this context.
|
||||||
|
*
|
||||||
|
* Some properties to set:
|
||||||
|
*
|
||||||
|
* - pipewire.sec.engine with the engine name.
|
||||||
|
* - pipewire.sec.app-id with the application id, this is an opaque,
|
||||||
|
* engine specific id for an application
|
||||||
|
* - pipewire.sec.instance-id with the instance id, this is an opaque,
|
||||||
|
* engine specific id for a running instance of an application.
|
||||||
*
|
*
|
||||||
* See https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md
|
* See https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md
|
||||||
* For a list of engine_names and the properties to set.
|
* For a list of engine names and the properties to set.
|
||||||
*
|
*
|
||||||
* This requires X and W permissions on the security_context.
|
* This requires X and W permissions on the security_context.
|
||||||
*/
|
*/
|
||||||
int (*create) (void *object,
|
int (*create) (void *object,
|
||||||
const char *engine_name,
|
|
||||||
int listen_fd,
|
int listen_fd,
|
||||||
int close_fd,
|
int close_fd,
|
||||||
const struct spa_dict *props);
|
const struct spa_dict *props);
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,12 @@ extern "C" {
|
||||||
#define PW_KEY_SEC_LABEL "pipewire.sec.label" /**< client security label, set by protocol*/
|
#define PW_KEY_SEC_LABEL "pipewire.sec.label" /**< client security label, set by protocol*/
|
||||||
|
|
||||||
#define PW_KEY_SEC_SOCKET "pipewire.sec.socket" /**< client socket name, set by protocol */
|
#define PW_KEY_SEC_SOCKET "pipewire.sec.socket" /**< client socket name, set by protocol */
|
||||||
#define PW_KEY_SEC_CONTEXT "pipewire.sec.context" /**< client secure context, set by protocol */
|
|
||||||
|
#define PW_KEY_SEC_ENGINE "pipewire.sec.engine" /**< client secure context engine, set by protocol.
|
||||||
|
* This can also be set by a client when making a
|
||||||
|
* new security context. */
|
||||||
|
#define PW_KEY_SEC_APP_ID "pipewire.sec.app-id" /**< client secure application id */
|
||||||
|
#define PW_KEY_SEC_INSTANCE_ID "pipewire.sec.instance-id" /**< client secure instance id */
|
||||||
|
|
||||||
#define PW_KEY_LIBRARY_NAME_SYSTEM "library.name.system" /**< name of the system library to use */
|
#define PW_KEY_LIBRARY_NAME_SYSTEM "library.name.system" /**< name of the system library to use */
|
||||||
#define PW_KEY_LIBRARY_NAME_LOOP "library.name.loop" /**< name of the loop library to use */
|
#define PW_KEY_LIBRARY_NAME_LOOP "library.name.loop" /**< name of the loop library to use */
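Review bot: The comments on `PW_KEY_SEC_APP_ID` and `PW_KEY_SEC_INSTANCE_ID` do not say who sets the values, unlike the neighbouring keys marked "set by protocol". According to the `create` documentation changed in this commit, they come from the props passed by whoever creates the security context and are copied onto connecting clients. A policy component reading them should therefore know they are only as trustworthy as the context creator. I would write `/**< client secure application id, engine specific, supplied by the creator of the security context */` and the same for the instance id. Removing `PW_KEY_SEC_CONTEXT` also breaks any out-of-tree user of that macro, so a deprecated alias may be worth keeping if the key was ever released.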
|
||||||
|
|
|
||||||
|
|
@ -137,10 +137,11 @@ static void test_create(void)
|
||||||
|
|
||||||
static const struct spa_dict_item items[] = {
|
static const struct spa_dict_item items[] = {
|
||||||
{ "pipewire.foo.bar", "baz" },
|
{ "pipewire.foo.bar", "baz" },
|
||||||
{ "pipewire.access", "restricted" },
|
{ PW_KEY_SEC_ENGINE, "org.flatpak" },
|
||||||
|
{ PW_KEY_ACCESS, "restricted" },
|
||||||
};
|
};
|
||||||
|
|
||||||
pw_security_context_create(info.sec, "org.flatpak",
|
pw_security_context_create(info.sec,
|
||||||
listen_fd, close_fd[1],
|
listen_fd, close_fd[1],
|
||||||
&SPA_DICT_INIT_ARRAY(items));
|
&SPA_DICT_INIT_ARRAY(items));
|
||||||
|
|
||||||
|
|
|
||||||