Require some way to set cgroup for apps (currently systemd --user)
When the portal looks up the peer app id, it needs to know whether it can trust that the cgroup path would be set, so that it can tell whether the app is sandboxed or trusted. We used to check if the cgroup was session-$uid.slice, and if so it was trusted, but this failed in the case of per-user dbus (not per-session), where e.g. gnome-terminal would be outside the session. Now we just fail if we can't set up a cgroup; thus, whenever the cgroup path is not right, we know that the app is trusted.
parent
6349b3ffc1
commit
f8d502ad19
|
@ -1681,15 +1681,14 @@ job_removed_cb (SystemdManager *manager,
|
|||
g_main_loop_quit (data->main_loop);
|
||||
}
|
||||
|
||||
void
|
||||
xdg_app_run_in_transient_unit (const char *appid)
|
||||
gboolean
|
||||
xdg_app_run_in_transient_unit (const char *appid, GError **error)
|
||||
{
|
||||
GDBusConnection *conn = NULL;
|
||||
GError *error = NULL;
|
||||
char *path = NULL;
|
||||
char *address = NULL;
|
||||
char *name = NULL;
|
||||
char *job = NULL;
|
||||
g_autoptr(GDBusConnection) conn = NULL;
|
||||
g_autofree char *path = NULL;
|
||||
g_autofree char *address = NULL;
|
||||
g_autofree char *name = NULL;
|
||||
g_autofree char *job = NULL;
|
||||
SystemdManager *manager = NULL;
|
||||
GVariantBuilder builder;
|
||||
GVariant *properties = NULL;
|
||||
|
@ -1698,40 +1697,35 @@ xdg_app_run_in_transient_unit (const char *appid)
|
|||
GMainContext *main_context = NULL;
|
||||
GMainLoop *main_loop = NULL;
|
||||
struct JobData data;
|
||||
gboolean res = FALSE;
|
||||
|
||||
path = g_strdup_printf ("/run/user/%d/systemd/private", getuid());
|
||||
|
||||
if (!g_file_test (path, G_FILE_TEST_EXISTS))
|
||||
goto out;
|
||||
return xdg_app_fail (error,
|
||||
"No systemd user session available, sandboxing not available");
|
||||
|
||||
main_context = g_main_context_new ();
|
||||
main_loop = g_main_loop_new (main_context, FALSE);
|
||||
|
||||
g_main_context_push_thread_default (main_context);
|
||||
|
||||
|
||||
address = g_strconcat ("unix:path=", path, NULL);
|
||||
|
||||
conn = g_dbus_connection_new_for_address_sync (address,
|
||||
G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT,
|
||||
NULL,
|
||||
NULL, &error);
|
||||
NULL, error);
|
||||
if (!conn)
|
||||
{
|
||||
g_warning ("Can't connect to systemd: %s\n", error->message);
|
||||
goto out;
|
||||
}
|
||||
goto out;
|
||||
|
||||
manager = systemd_manager_proxy_new_sync (conn,
|
||||
G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES,
|
||||
NULL,
|
||||
"/org/freedesktop/systemd1",
|
||||
NULL, &error);
|
||||
NULL, error);
|
||||
if (!manager)
|
||||
{
|
||||
g_warning ("Can't create manager proxy: %s\n", error->message);
|
||||
goto out;
|
||||
}
|
||||
goto out;
|
||||
|
||||
name = g_strdup_printf ("xdg-app-%s-%d.scope", appid, getpid());
|
||||
|
||||
|
@ -1755,11 +1749,8 @@ xdg_app_run_in_transient_unit (const char *appid)
|
|||
aux,
|
||||
&job,
|
||||
NULL,
|
||||
&error))
|
||||
{
|
||||
g_warning ("Can't start transient unit: %s\n", error->message);
|
||||
goto out;
|
||||
}
|
||||
error))
|
||||
goto out;
|
||||
|
||||
data.job = job;
|
||||
data.main_loop = main_loop;
|
||||
|
@ -1767,6 +1758,8 @@ xdg_app_run_in_transient_unit (const char *appid)
|
|||
|
||||
g_main_loop_run (main_loop);
|
||||
|
||||
res = TRUE;
|
||||
|
||||
out:
|
||||
if (main_context)
|
||||
{
|
||||
|
@ -1775,16 +1768,10 @@ xdg_app_run_in_transient_unit (const char *appid)
|
|||
}
|
||||
if (main_loop)
|
||||
g_main_loop_unref (main_loop);
|
||||
if (error)
|
||||
g_error_free (error);
|
||||
if (manager)
|
||||
g_object_unref (manager);
|
||||
if (conn)
|
||||
g_object_unref (conn);
|
||||
g_free (path);
|
||||
g_free (address);
|
||||
g_free (job);
|
||||
g_free (name);
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -2153,7 +2140,8 @@ xdg_app_run_app (const char *app_ref,
|
|||
|
||||
/* Must run this before spawning the dbus proxy, to ensure it
|
||||
ends up in the app cgroup */
|
||||
xdg_app_run_in_transient_unit (app_ref_parts[1]);
|
||||
if (!xdg_app_run_in_transient_unit (app_ref_parts[1], error))
|
||||
return FALSE;
|
||||
|
||||
if (!add_dbus_proxy_args (argv_array, dbus_proxy_argv, error))
|
||||
return FALSE;
|
||||
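Review bot: In the hunk around `g_main_loop_run (main_loop);`, `res = TRUE;` is set as soon as the loop quits, and the only visible line of job_removed_cb calls `g_main_loop_quit` without looking at the job's result. If systemd removes the scope job with a failure result, the function would apparently still return TRUE and the app would start outside its `xdg-app-<appid>-<pid>.scope`. Because the portal now treats every peer outside such a scope as trusted, that case would fail open. Most of job_removed_cb lies outside the visible hunks, so confirm there first. If the result is not checked, have the callback record it in `struct JobData`, set `res` only when it is `"done"`, and fill `error` otherwise.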
|
|
|
@ -25,7 +25,8 @@
|
|||
#include "dbus-proxy/xdg-app-proxy.h"
|
||||
#include "xdg-app-common-types.h"
|
||||
|
||||
void xdg_app_run_in_transient_unit (const char *app_id);
|
||||
gboolean xdg_app_run_in_transient_unit (const char *app_id,
|
||||
GError **error);
|
||||
|
||||
#define XDG_APP_METADATA_GROUP_CONTEXT "Context"
|
||||
#define XDG_APP_METADATA_GROUP_SESSION_BUS_POLICY "Session Bus Policy"
|
||||
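Review bot: The new prototype still lets a caller drop the return value silently, which would bring back the old behaviour of launching an app without a scope. The portal's trust decision now depends on this call succeeding, so consider marking it: `gboolean xdg_app_run_in_transient_unit (const char *app_id, GError **error) G_GNUC_WARN_UNUSED_RESULT;`. A short comment above it, such as `/* Returns FALSE if no transient scope could be set up; the app must not be started in that case. */`, would record the contract. The parameter is spelled `app_id` here and `appid` in the definition.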
|
|
|
@ -970,8 +970,7 @@ got_credentials_cb (GObject *source_object,
|
|||
info->app_id = g_strdup (name);
|
||||
}
|
||||
}
|
||||
else if (g_str_has_prefix (scope, "session-") &&
|
||||
g_str_has_suffix (scope, ".scope"))
|
||||
else
|
||||
info->app_id = g_strdup ("");
|
||||
}
|
||||
}
|
||||
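Review bot: The bare `else` makes the empty app id, which the commit message describes as trusted, the default for every peer whose scope is not recognised, and nothing at this spot says why that is safe. The invariant lives in another file, so I would state it here: `/* Not in an xdg-app scope: treat as unsandboxed. Only safe because xdg_app_run_in_transient_unit() aborts the launch when the scope cannot be created. */`. The `if` chain starts outside the hunk, so I cannot see what a scope that begins with the xdg-app prefix but fails to parse ends up as. It is worth checking that such a peer is rejected rather than treated as trusted.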
|
|