Add metadata option to limit DRI access

tingping/wmclass
Alexander Larsson 2015-03-05 15:55:36 +01:00
parent da62eccc46
commit 5bfee405b1
7 changed files with 23 additions and 10 deletions


@ -56,7 +56,7 @@ _xdg-app() {
comps=$(xdg-app $mode list-runtimes)
;;
--allow|--forbid)
comps='x11 wayland ipc pulseaudio system-dbus session-dbus network host-fs homedir'
comps='x11 wayland ipc pulseaudio system-dbus session-dbus network host-fs homedir dri'
;;
--branch|--subject|--body|--title)
comps=''


@ -92,7 +92,7 @@
<listitem><para>
Set the KEY in the [Environment] group to true. KEY must
be one of: x11, wayland, ipc, pulseaudio, system-dbus,
session-dbus, network, host-fs, homedir.
session-dbus, network, host-fs, homedir, dri.
This option can be used multiple times.
</para></listitem>
</varlistentry>


@ -85,7 +85,7 @@
Allow access to the named facility. This overrides
the Environment section from the application metadata.
KEY must be one of: x11, wayland, ipc, pulseaudio, system-dbus,
session-dbus, network, host-fs, homedir.
session-dbus, network, host-fs, homedir, dri.
This option can be used multiple times.
</para></listitem>
</varlistentry>
@ -98,7 +98,7 @@
Environment section from the application metadata and
--allow options to this command.
KEY must be one of: x11, wayland, ipc, pulseaudio, system-dbus,
session-dbus, network, host-fs, homedir.
session-dbus, network, host-fs, homedir, dri.
This option can be used multiple times.
</para></listitem>
</varlistentry>


@ -123,7 +123,7 @@
Allow access to the named facility. This overrides
the Environment section from the application metadata.
KEY must be one of: x11, wayland, ipc, pulseaudio, system-dbus,
session-dbus, network, host-fs, homedir.
session-dbus, network, host-fs, homedir, dri.
This option can be used multiple times.
</para></listitem>
</varlistentry>
@ -136,7 +136,7 @@
Environment section from the application metadata and
--allow options to this command.
KEY must be one of: x11, wayland, ipc, pulseaudio, system-dbus,
session-dbus, network, host-fs, homedir.
session-dbus, network, host-fs, homedir, dri.
This option can be used multiple times.
</para></listitem>
</varlistentry>


@ -101,7 +101,7 @@ update_metadata (GFile *base, GCancellable *cancellable, GError **error)
GError *temp_error = NULL;
const char *environment_keys[] = {
"x11", "wayland", "ipc", "pulseaudio", "system-dbus", "session-dbus",
"network", "host-fs", "homedir", NULL
"network", "host-fs", "homedir", "dri", NULL
};
const char *key;
int i;
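Review bot: The `environment_keys` array extended here is a second copy of the list in `xdg_app_run_verify_environment_keys`, which this commit also has to touch, so every new facility must be added in both places and a missed copy could leave one command accepting a key the other rejects. Consider moving the list into one shared `static const char *const` table, or at least adding `/* Keep in sync with xdg_app_run_verify_environment_keys() */` above the array. `update_metadata` begins and ends outside this hunk, so how the array is consumed is not visible here.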


@ -242,6 +242,7 @@ usage (char **argv)
" -e Make /self/exports writable\n"
" -E Make /etc a pure symlink to /usr/etc\n"
" -f Mount the host filesystems\n"
" -g Allow use of direct rendering graphics\n"
" -F Mount the host filesystems read-only\n"
" -H Mount the users home directory (implied by -f)\n"
" -i Share IPC namespace with session\n"
@ -317,6 +318,7 @@ ascii_isdigit (char c)
static bool create_etc_symlink = FALSE;
static bool create_etc_dir = TRUE;
static bool create_monitor_links = FALSE;
static bool allow_dri = FALSE;
static const create_table_t create[] = {
{ FILE_TYPE_DIR, ".oldroot", 0755 },
@ -369,7 +371,7 @@ static const create_table_t create[] = {
{ FILE_TYPE_DEVICE, "dev/urandom", 0666},
{ FILE_TYPE_DEVICE, "dev/tty", 0666},
{ FILE_TYPE_DIR, "dev/dri", 0755},
{ FILE_TYPE_BIND_RO, "dev/dri", 0755, "/dev/dri", FILE_FLAGS_NON_FATAL|FILE_FLAGS_DEVICES},
{ FILE_TYPE_BIND_RO, "dev/dri", 0755, "/dev/dri", FILE_FLAGS_NON_FATAL|FILE_FLAGS_DEVICES, &allow_dri},
{ FILE_TYPE_REMOUNT, "dev", MS_RDONLY|MS_NOSUID|MS_NOEXEC},
};
@ -1219,7 +1221,7 @@ main (int argc,
if (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
die_with_error ("prctl(PR_SET_NO_NEW_CAPS) failed");
while ((c = getopt (argc, argv, "+inWweEsfFHa:m:b:p:x:ly:d:D:v:I:")) >= 0)
while ((c = getopt (argc, argv, "+inWweEsfFHa:m:b:p:x:ly:d:D:v:I:g")) >= 0)
{
switch (c)
{
@ -1273,6 +1275,10 @@ main (int argc,
mount_host_fs_ro = TRUE;
break;
case 'g':
allow_dri = TRUE;
break;
case 'H':
mount_home = TRUE;
break;
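Review bot: The `dev/dri` entry in `create[]` needs a comment on what `-g` actually grants: it is still a `FILE_TYPE_BIND_RO` bind, and on Linux a read-only mount does not stop a process from opening device nodes read-write or issuing ioctls on them, so `allow_dri` is a grant of full access to whatever sits under the host's `/dev/dri`, not a restricted view. Something like `/* Bound only with -g; the RO bind does not limit ioctls on the nodes, so this exposes the GPU driver interface to the app */` above the entry would make that explicit. The preceding `FILE_TYPE_DIR` entry carries no condition, so an empty `dev/dri` directory presumably still appears in the sandbox without `-g`; that looks harmless but should be confirmed against the table-processing code, which is outside these hunks. The new `-g` usage line would also read better after `-F`, which keeps the option list in its existing order.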


@ -19,7 +19,7 @@ xdg_app_run_verify_environment_keys (const char **keys,
const char *key;
const char *environment_keys[] = {
"x11", "wayland", "ipc", "pulseaudio", "system-dbus", "session-dbus",
"network", "host-fs", "homedir", NULL
"network", "host-fs", "homedir", "dri", NULL
};
if (keys == NULL)
@ -165,6 +165,13 @@ xdg_app_run_add_environment_args (GPtrArray *argv_array,
opts[i++] = 'i';
}
if ((g_key_file_get_boolean (metakey, "Environment", "dri", NULL) || g_strv_contains (allow, "dri")) &&
!g_strv_contains (forbid, "dri"))
{
g_debug ("Allowing dri access");
opts[i++] = 'g';
}
if ((g_key_file_get_boolean (metakey, "Environment", "host-fs", NULL) || g_strv_contains (allow, "nost-fs")) &&
!g_strv_contains (forbid, "host-fs"))
{
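Review bot: The new block appends one more character with `opts[i++] = 'g'`, but the declaration of `opts` is outside this hunk, so it is not visible whether the buffer has room for an extra flag plus the terminator. Please confirm the size, or guard the append with a bounds check such as `g_assert (i < sizeof (opts) - 1);` if `opts` is a fixed array. Separately, the context line directly below tests `g_strv_contains (allow, "nost-fs")`, which looks like a typo for `host-fs`; it predates this change but is worth fixing while this code is open. `xdg_app_run_add_environment_args` starts and ends outside the hunk.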