This adds a command (security_label) which is used to allow or deny access to
privileged interfaces on a client-by-client basis. If no security configuration
it present, all privileged operations are allowed to all clients.
- "security_label deny default *" will deny clients access to all privileged
operations
- "security_label set default layer_shell" will overwrite the access list for
the label "default" and only allow access to the layer_shell interface
- "security_label permit recorder screencopy_manager" allows connections that
have the label "recorder" access to screencopy_manager in addition to the
current permissions of the "recorder" label
If a client does not have a label or if the label's permissions were not
defined using security_label, the permissions for the "default" label are used;
if no definition for "default" is present, all interfaces are allowed.
Using permit or deny on a new label does not copy the default.
The security configuration state is reset on a config reload (similar to the
assign and for_window lists). Currently, the security policy is only enforced
during the binding or enumeration of global resources; existing handles to
privileged interfaces are not invalided by a change in policy, and existing
clients are not informed of the presence of newly available interfaces.
This allows writing commands like "for_window [trigger="map",workspace="1"]"
that only execute if the criteria matches during the initial mapping of the
window.
Currently implemented trigger names:
- command: explicit invocation by a command, not very useful
- map: initial window creation
- mark, title, app_id, class, window_role, window_type:
the given property changed
This command can be used to create a new listening socket (suitable for use in
WAYLAND_DISPLAY) whose clients will all have a specific label.
Co-authored-by: Mykola Orliuk <virkony@gmail.com>
Similar to app_id or con_id, labels are present in the IPC JSON output and can
be matched in criteria using [cli_label="regex"]. This can be useful to
support instance-specific rules in applications that do not support changing
app_id/class based on a command line argument.
This adds a few arguments to exec that cause sway to create a wayland socket
file descriptor and point the WAYLAND_SOCKET environment variable at the
socket. This in turn allows sway to track all windows created by this client
(in a more robust manner than the existing pid-based tracking).
Note that this only works if the exec ends up launching a single wayland client
(a script that launches multiple commands will not work correctly; a process
that uses libwayland-client itself and runs other processes is fine).
"exec --use-wayland-socket command" only sets WAYLAND_SOCKET and does nothing else.
"exec --label <label> <program>" will associate the specified label with the
wl_client and all windows it creates.
active_keyboard may be NULL, in which case an invalid pointer could be
passed to wlr_input_method_keyboard_grab_v2_send_modifiers. This
procedure call is unnecessary since wlroots commit 372a52ec "input
method: send modifiers in set_keyboard", so the call can simply be
removed.
Fixes#6836.
Currently, a floating window that's been fullscreened can send us
xdg_toplevel::move, and we'll enter seatop_move_floating, which lets us
drag the surface around while it's fullscreen. We don't want
this--fullscreen surfaces should always be aligned to the screen--so add
the same check that seatop_default already does when entering this mode.
Tested with Weston's weston-fullscreen demo, which sends a move request
if you click anywhere on its surface.
When REAPER submenu is closed `XCB_CLIENT_MESSAGE` with type
`NET_ACTIVE_WINDOW` is sent to set focus to parent menu.
Closes: https://github.com/swaywm/sway/issues/6324
An address of a variable can never be NULL, so checking it doesn't make
sense; and `destroy_buffer()` can operate on already destroyed buffers
anyway.
Fixes#6780
wlroots often requires dependencies more recent than Sway's.
Executing the wlroots subproject first will give Meson a chance to
find these newer dependencies, possibly via subprojects.
The subproject will override the "wlroots" dependency when executed,
so we don't need to use get_variable anymore.
References: https://github.com/swaywm/sway/pull/6498#issuecomment-1001746017
Commit 37d7bc6998 ("transaction: Only wait for ack from visible
views") introduced a check which uses view_is_visible() to check if a view
is still visible on the screen. However view_is_visible() will early
return in case the node is in the destroying state. This is incorrect
for transactions, since a destroying view which is visible will trigger
configure events for other clients. This bug was visible when repeatedly
opening and closing two views side by side, since we ignore the
destroying node we get a frame where the still open view is shown with
the old configure values and the rest is the desktop background. The
next frame is than correct again.
Fix this by considering destroying views as visible, we correctly wait
for them and send the configure events to other views in time, fixing
the background flicker.
Fixes#6473
02b412a introduced the use of list for sdbus deps, however
it was assuming that all packages which were in a list has a version
higher than 239. That is true for libsystemd and libelogind, since they
use the same versions, however basu is using version numbers which are
way lower than what libsystemd/libelogind are using, so basu only build
is failing.
`popup_unconstrain` uses view coordinates to init the output box for
popups. However wlroots expects the box to be set in a toplevel surface
coordinate system, which is not always equal to view. The difference
between those is a window geometry set via xdg-shell.
GTK4 reserves some space for client-side decoration and thus has a
window with top left corner not matching to (0, 0) of a surface. The box
calculated without taking that into account was slightly shifted
compared to the actual output and allowed to position part of the popup
off screen.
SUID privilege drop is needed for the "builtin"-backend of libseat,
which copied our old "direct" backend behavior for the sake of
compatibility and ease of transition.
libseat now has a better alternative in the form of seatd-launch. It
uses the normal seatd daemon and libseat backend and takes care of SUID
for us.
Add a soft deprecation warning to highlight our future intent of
removing this code. The deprecation cycle is needed to avoid surprises
when sway no longer drops privileges.
Future meson releases will change the default and warns when the
implicit default is used, breaking builds.
Explicitly set check: false to maintain behavior and silence warnings.
Followup on 4e4898e90f.
If a view quickly maps and unmaps repeatedly, there will be multiple
destroyed containers with same view in a single transaction. Each of
these containers will then try to destroy this view, resulting in use
after free.
The container should only destroy the view if the view still belongs
to the container.
Simple reproducer: couple XMapWindow + XUnmapWindow in a loop followed
by XDestroyWindow.
See #6605
