Propagate Xauthority details to the sandbox if X11 is enabled

Some xservers out there (like xorg 1.17.1) have a broken server interpreted local xauth, which causes apps to fail to connect to the xserver. This fixes that by propagating Xauthority data such as the MIT-MAGIC-COOKIE-1.
2015-10-01 21:23:23 +02:00 · 2015-10-01 21:23:23 +02:00 · 208eb7b1aa
parent eedbeab9d0
commit 208eb7b1aa
5 changed files with 87 additions and 3 deletions
--- a/configure.ac
+++ b/configure.ac
@ -59,6 +59,9 @@ AC_SUBST(BASE_LIBS)
 PKG_CHECK_MODULES(SOUP, [libsoup-2.4])
 AC_SUBST(SOUP_CFLAGS)
 AC_SUBST(SOUP_LIBS)
+PKG_CHECK_MODULES(XAUTH, [xau])
+AC_SUBST(XAUTH_CFLAGS)
+AC_SUBST(XAUTH_LIBS)

 PKG_CHECK_MODULES(OSTREE, [libgsystem >= 2015.1 ostree-1 >= 2015.3])
 AC_SUBST(OSTREE_CFLAGS)
--- a/document-portal/Makefile.am.inc
+++ b/document-portal/Makefile.am.inc
@ -42,4 +42,4 @@ xdg_document_portal_SOURCES = \
 	$(NULL)

 xdg_document_portal_LDADD = $(BASE_LIBS) $(FUSE_LIBS) libxdgapp.la
-xdg_document_portal_CFLAGS = $(BASE_CFLAGS) $(OSTREE_CFLAGS) $(SOUP_CFLAGS) $(FUSE_CFLAGS) -I$(srcdir)/document-portal -I$(builddir)/document-portal
+xdg_document_portal_CFLAGS = $(BASE_CFLAGS) $(OSTREE_CFLAGS) $(SOUP_CFLAGS) $(XAUTH_LIBS) $(FUSE_CFLAGS) -I$(srcdir)/document-portal -I$(builddir)/document-portal
--- a/lib/Makefile.am.inc
+++ b/lib/Makefile.am.inc
@ -42,8 +42,8 @@ libxdgapp_la_SOURCES = \
 	$(systemd_dbus_built_sources)	\
 	$(NULL)

-libxdgapp_la_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) $(OSTREE_CFLAGS) $(SOUP_CFLAGS) -I$(srcdir)/dbus-proxy
-libxdgapp_la_LIBADD = libglnx.la $(BASE_LIBS) $(OSTREE_LIBS) $(SOUP_LIBS)
+libxdgapp_la_CFLAGS = $(AM_CFLAGS) $(BASE_CFLAGS) $(OSTREE_CFLAGS) $(SOUP_CFLAGS) $(XAUTH_CFLAGS) -I$(srcdir)/dbus-proxy
+libxdgapp_la_LIBADD = libglnx.la $(BASE_LIBS) $(OSTREE_LIBS) $(SOUP_LIBS) $(XAUTH_LIBS)

 bin_PROGRAMS += \
 	xdg-app-helper \
--- a/lib/xdg-app-helper.c
+++ b/lib/xdg-app-helper.c
@ -2278,19 +2278,24 @@ main (int argc,

      if (stat (x11_socket, &st) == 0 && S_ISSOCK (st.st_mode))
        {
+          char *xauth_path = strdup_printf ("/run/user/%d/Xauthority", uid);
          if (bind_mount (x11_socket, "tmp/.X11-unix/X99", 0))
            die ("can't bind X11 socket");

          xsetenv ("DISPLAY", ":99.0", 1);
+          xsetenv ("XAUTHORITY", xauth_path, 1);
+          free (xauth_path);
        }
      else
        {
          xunsetenv ("DISPLAY");
+          xunsetenv ("XAUTHORITY");
        }
    }
  else
    {
      xunsetenv ("DISPLAY");
+      xunsetenv ("XAUTHORITY");
    }

  /* Bind mount in the Wayland socket */
--- a/lib/xdg-app-run.c
+++ b/lib/xdg-app-run.c
@ -24,6 +24,9 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <sys/utsname.h>
+
+#include <X11/Xauth.h>

 #include <gio/gio.h>
 #include "libgsystem.h"
@ -34,6 +37,7 @@
 #include "xdg-app-utils.h"
 #include "xdg-app-systemd-dbus.h"

+
 typedef enum {
  XDG_APP_CONTEXT_SHARED_NETWORK   = 1 << 0,
  XDG_APP_CONTEXT_SHARED_IPC       = 1 << 1,
@ -974,6 +978,58 @@ extract_unix_path_from_dbus_address (const char *address)
  return g_strndup (path, path_end - path);
 }

+static gboolean auth_streq (char *str,
+                            char *au_str,
+                            int au_len)
+{
+  return au_len == strlen (str) && memcmp (str, au_str, au_len) == 0;
+}
+
+static void
+write_xauth (char *number, FILE *output)
+{
+  Xauth *xa, local_xa;
+  char *filename;
+  FILE *f;
+  struct utsname unames;
+
+  if (uname (&unames))
+    {
+      g_warning ("uname failed");
+      return;
+    }
+
+  filename = XauFileName ();
+  f = fopen (filename, "rb");
+  if (f == NULL)
+    return;
+
+  while (TRUE)
+    {
+      xa = XauReadAuth (f);
+      if (xa == NULL)
+        break;
+      if (xa->family == FamilyLocal &&
+          auth_streq (unames.nodename, xa->address, xa->address_length) &&
+          (xa->number == NULL || auth_streq (number, xa->number, xa->number_length)))
+        {
+          local_xa = *xa;
+          if (local_xa.number)
+            {
+              local_xa.number = "99";
+              local_xa.number_length = 2;
+            }
+
+          if (!XauWriteAuth(output, &local_xa))
+            g_warning ("xauth write error");
+        }
+
+      XauDisposeAuth(xa);
+    }
+
+  fclose (f);
+}
+
 static void
 xdg_app_run_add_x11_args (GPtrArray *argv_array)
 {
@ -985,6 +1041,10 @@ xdg_app_run_add_x11_args (GPtrArray *argv_array)
      const char *display_nr = &display[1];
      const char *display_nr_end = display_nr;
      g_autofree char *d = NULL;
+      g_autofree char *tmp_path = NULL;
+      g_autofree char *path = NULL;
+      int fd;
+      FILE *output;

      while (g_ascii_isdigit (*display_nr_end))
        display_nr_end++;
@ -994,6 +1054,22 @@ xdg_app_run_add_x11_args (GPtrArray *argv_array)

      g_ptr_array_add (argv_array, g_strdup ("-x"));
      g_ptr_array_add (argv_array, x11_socket);
+
+      fd = g_file_open_tmp ("xdg-app-xauth-XXXXXX", &tmp_path, NULL);
+      if (fd >= 0)
+        {
+          output = fdopen (fd, "wb");
+          if (output != NULL)
+            {
+              write_xauth (d, output);
+              fclose (output);
+
+              g_ptr_array_add (argv_array, g_strdup ("-M"));
+              g_ptr_array_add (argv_array, g_strdup_printf ("/run/user/%d/Xauthority=%s", getuid(), tmp_path));
+            }
+          else
+            close (fd);
+        }
    }
 }