From f8d502ad197b60cf25baef9383e235f11b8afca4 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 28 Jan 2016 11:15:58 +0100
Subject: [PATCH] Require some way to set cgroup for apps (currently systemd --user)
When the portal looks up the peer app id it needs to know whether it can trust that the cgroup path would be set, so that it can tell whether the app is sandboxed or trusted. We used to check if the cgroup was session-$uid.slice, and if so it was trusted, but this failed in the case of per-user dbus (not per-session) where e.g. gnome-terminal would be outside the session. Now we just fail if we can't set up a cgroup, thus whenever the cgroup path is not right we know that the app is trusted.
---
 common/xdg-app-run.c | 56 +++++++++++++++++-------------------
 common/xdg-app-run.h | 3 ++-
 common/xdg-app-utils.c | 3 +--
 3 files changed, 25 insertions(+), 37 deletions(-)
diff --git a/common/xdg-app-run.c b/common/xdg-app-run.c
index eecba6fb..8492496e 100644
--- a/common/xdg-app-run.c
+++ b/common/xdg-app-run.c
@@ -1681,15 +1681,14 @@ job_removed_cb (SystemdManager *manager,
 g_main_loop_quit (data->main_loop);
 }
-void
-xdg_app_run_in_transient_unit (const char *appid)
+gboolean
+xdg_app_run_in_transient_unit (const char *appid, GError **error)
 {
- GDBusConnection *conn = NULL;
- GError *error = NULL;
- char *path = NULL;
- char *address = NULL;
- char *name = NULL;
- char *job = NULL;
+ g_autoptr(GDBusConnection) conn = NULL;
+ g_autofree char *path = NULL;
+ g_autofree char *address = NULL;
+ g_autofree char *name = NULL;
+ g_autofree char *job = NULL;
 SystemdManager *manager = NULL;
 GVariantBuilder builder;
 GVariant *properties = NULL;
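Review bot: `manager` is still released by hand in the `out:` block (the hunk at old line 1775, `if (manager) g_object_unref (manager);`) while `conn` and the four strings moved to `g_autoptr`/`g_autofree` in this hunk, so the function now mixes two ownership styles. If the generated `SystemdManager` type has an autoptr cleanup function, `g_autoptr(SystemdManager) manager = NULL;` would let the cleanup block shrink to the main-context/main-loop teardown plus `return res;`; if it does not, a one-line comment on the declaration saying why it stays manual would stop the next reader from "fixing" it. The body of xdg_app_run_in_transient_unit continues past this hunk.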
@@ -1698,40 +1697,35 @@ xdg_app_run_in_transient_unit (const char *appid)
 GMainContext *main_context = NULL;
 GMainLoop *main_loop = NULL;
 struct JobData data;
+ gboolean res = FALSE;
 path = g_strdup_printf ("/run/user/%d/systemd/private", getuid());
 if (!g_file_test (path, G_FILE_TEST_EXISTS))
- goto out;
+ return xdg_app_fail (error,
+ "No systemd user session available, sandboxing not available");
 main_context = g_main_context_new ();
 main_loop = g_main_loop_new (main_context, FALSE);
 g_main_context_push_thread_default (main_context);
-
 address = g_strconcat ("unix:path=", path, NULL);
 conn = g_dbus_connection_new_for_address_sync (address, G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT, NULL,
- NULL, &error);
+ NULL, error);
 if (!conn)
- {
- g_warning ("Can't connect to systemd: %s\n", error->message);
- goto out;
- }
+ goto out;
 manager = systemd_manager_proxy_new_sync (conn, G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES, NULL, "/org/freedesktop/systemd1",
- NULL, &error);
+ NULL, error);
 if (!manager)
- {
- g_warning ("Can't create manager proxy: %s\n", error->message);
- goto out;
- }
+ goto out;
 name = g_strdup_printf ("xdg-app-%s-%d.scope", appid, getpid());
@@ -1755,11 +1749,8 @@ xdg_app_run_in_transient_unit (const char *appid)
 aux, &job, NULL,
- &error))
- {
- g_warning ("Can't start transient unit: %s\n", error->message);
- goto out;
- }
+ error))
+ goto out;
 data.job = job;
 data.main_loop = main_loop;
@@ -1767,6 +1758,8 @@ xdg_app_run_in_transient_unit (const char *appid)
 g_main_loop_run (main_loop);
+ res = TRUE;
+
 out:
 if (main_context)
 {
@@ -1775,16 +1768,10 @@ xdg_app_run_in_transient_unit (const char *appid)
 }
 if (main_loop)
 g_main_loop_unref (main_loop);
- if (error)
- g_error_free (error);
 if (manager)
 g_object_unref (manager);
- if (conn)
- g_object_unref (conn);
- g_free (path);
- g_free (address);
- g_free (job);
- g_free (name);
+
+ return res;
 }
 static void
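Review bot: `path = g_strdup_printf ("/run/user/%d/systemd/private", getuid());` in the 1698 hunk formats a `uid_t` with `%d`; on glibc `uid_t` is an unsigned type, so the specifier does not match the argument. The line predates this commit, but it is now the gate for the new "sandboxing not available" failure, so it is worth fixing while here: `path = g_strdup_printf ("/run/user/%u/systemd/private", (unsigned) getuid ());`. The early `return xdg_app_fail (...)` sits before `g_main_context_push_thread_default`, so nothing needs unwinding on that path. The enclosing function starts and ends outside this hunk.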
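Review bot: `res = TRUE;` after `g_main_loop_run (main_loop);` (the 1767 hunk) reports success as soon as `job_removed_cb` quits the loop, but systemd's `JobRemoved` signal also carries a result string (`"done"`, `"failed"`, `"canceled"`, ...) and nothing visible here inspects it. If `job_removed_cb` does not already check that value, a scope that failed to start would still return TRUE, the process would run outside an `xdg-app-%s-%d.scope` cgroup, and per the commit message the portal would then classify it as trusted — the opposite of the fail-closed behaviour this commit is after. Suggest having `job_removed_cb` copy the result into `struct JobData` and replacing the line with `res = g_strcmp0 (data.result, "done") == 0;`, setting `error` via `xdg_app_fail` when it is not. `job_removed_cb` and the start of xdg_app_run_in_transient_unit are outside this hunk, so this is inferred from the visible tail of the callback.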
@@ -2153,7 +2140,8 @@ xdg_app_run_app (const char *app_ref,
 /* Must run this before spawning the dbus proxy, to ensure it ends up in the app cgroup */
- xdg_app_run_in_transient_unit (app_ref_parts[1]);
+ if (!xdg_app_run_in_transient_unit (app_ref_parts[1], error))
+ return FALSE;
 if (!add_dbus_proxy_args (argv_array, dbus_proxy_argv, error))
 return FALSE;
diff --git a/common/xdg-app-run.h b/common/xdg-app-run.h
index a06c2b3f..fad0957b 100644
--- a/common/xdg-app-run.h
+++ b/common/xdg-app-run.h
@@ -25,7 +25,8 @@
 #include "dbus-proxy/xdg-app-proxy.h"
 #include "xdg-app-common-types.h"
-void xdg_app_run_in_transient_unit (const char *app_id);
+gboolean xdg_app_run_in_transient_unit (const char *app_id,
+ GError **error);
 #define XDG_APP_METADATA_GROUP_CONTEXT "Context"
 #define XDG_APP_METADATA_GROUP_SESSION_BUS_POLICY "Session Bus Policy"
diff --git a/common/xdg-app-utils.c b/common/xdg-app-utils.c
index 18f26659..812ff963 100644
--- a/common/xdg-app-utils.c
+++ b/common/xdg-app-utils.c
@@ -970,8 +970,7 @@ got_credentials_cb (GObject *source_object,
 info->app_id = g_strdup (name);
 }
 }
- else if (g_str_has_prefix (scope, "session-") &&
- g_str_has_suffix (scope, ".scope"))
+ else
 info->app_id = g_strdup ("");
 }
 }
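Review bot: The comment above the new `if (!xdg_app_run_in_transient_unit (app_ref_parts[1], error)) return FALSE;` (the 2153 hunk) still only says the call must precede the dbus proxy; it does not say why a failure is now fatal, which is the actual security decision in this commit. Suggest extending it: `/* Must run this before spawning the dbus proxy, to ensure it ends up in the app cgroup. Failure is fatal: the portal treats any peer that is not in an xdg-app scope as unsandboxed, so running the app without the scope would let it pass as a trusted app. */`. xdg_app_run_app starts and ends outside this hunk.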
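Review bot: The new prototype `gboolean xdg_app_run_in_transient_unit (const char *app_id, GError **error);` in xdg-app-run.h carries no documentation of its return/error contract, and callers now depend on it. Suggest a Doxygen-style block above it stating that the calling process is moved into a per-app systemd transient scope, that FALSE with @error set means no scope could be created (no systemd user instance available, or a D-Bus/systemd failure), and that callers must not launch the app in that case because the scope is what later identifies it as sandboxed.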
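Review bot: The new bare `else` in got_credentials_cb (the 970 hunk) turns every cgroup that does not match the xdg-app scope form into `app_id = ""`, i.e. a trusted peer; the fail-closed property therefore rests entirely on xdg_app_run_app refusing to start without a transient unit, which is not visible from this file. That dependency deserves a comment at the `else`, e.g. `/* Not in an xdg-app-<id>-<pid>.scope: since xdg_app_run_app refuses to launch without a transient unit, any other cgroup means an unsandboxed (trusted) caller. */`, so a future relaxation of that failure does not silently reopen the gap. The branch that parses the scope name and the rest of got_credentials_cb are outside the hunk.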