WebKit · webkit-commit-queue · Jan 23, 2024 · Jan 23, 2024
@@ -152,14 +152,38 @@ static String effectiveApplicationId()
     return makeString("org.webkit.app-", uuid.toString());
 }
 
-static int createFlatpakInfo()
+static void createBwrapInfo(GSubprocessLauncher* launcher, Vector<CString>& args, const char* instanceID)
+{
+    // This is the hardcoded path expected in xdg-desktop-portal's xdp_app_info_load_bwrap_info() used
+    // by xdp_app_info_map_pids() for the Realtime portal.
+    GUniquePtr<char> instancePath(g_build_filename(g_get_user_runtime_dir(), ".flatpak", instanceID, nullptr));
+    GUniquePtr<char> bwrapInfoPath(g_build_filename(instancePath.get(), "bwrapinfo.json", nullptr));
+
+    if (g_mkdir_with_parents(instancePath.get(), 0700) == -1) {
+        g_warning("Failed to create '%s': %s", instancePath.get(), g_strerror(errno));
+        return;
+    }
+
+    int bwrapInfoFD = open(bwrapInfoPath.get(), O_CREAT | O_RDWR | O_TRUNC, 0644);
+    if (bwrapInfoFD == -1) {
+        g_warning("Failed to create '%s': %s", bwrapInfoPath.get(), g_strerror(errno));
+        return;
+    }
+
+    GUniquePtr<char> bwrapInfoFdStr(g_strdup_printf("%d", bwrapInfoFD));
+    g_subprocess_launcher_take_fd(launcher, bwrapInfoFD, bwrapInfoFD);
+    args.appendVector(Vector<CString>({ "--info-fd", bwrapInfoFdStr.get() }));
+}
+
+static int createFlatpakInfo(const char* instanceID)
 {
     static NeverDestroyed<GUniquePtr<char>> data;
     static size_t size;
 
     if (!data.get()) {
         GUniquePtr<GKeyFile> keyFile(g_key_file_new());
         g_key_file_set_string(keyFile.get(), "Application", "name", effectiveApplicationId().utf8().data());
+        g_key_file_set_string(keyFile.get(), "Instance", "instance-id", instanceID);
         data->reset(g_key_file_to_data(keyFile.get(), &size, nullptr));
     }
 
@@ -848,7 +872,8 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
     // full permissions unless it can identify you as a snap or flatpak.
     // The easiest method is for us to pretend to be a flatpak and if that
     // fails just blocking portals entirely as it just becomes a sandbox escape.
-    int flatpakInfoFd = createFlatpakInfo();
+    GUniquePtr<char> instanceID(g_strdup_printf("webkit-%d-%lu", getpid(), launchOptions.processIdentifier.toUInt64()));
+    int flatpakInfoFd = createFlatpakInfo(instanceID.get());
     if (flatpakInfoFd != -1) {
         g_subprocess_launcher_take_fd(launcher, flatpakInfoFd, flatpakInfoFd);
         GUniquePtr<char> flatpakInfoFdStr(g_strdup_printf("%d", flatpakInfoFd));
@@ -858,6 +883,8 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
         }));
     }
 
+    createBwrapInfo(launcher, sandboxArgs, instanceID.get());
+
     if (launchOptions.processType == ProcessLauncher::ProcessType::Web) {
 #if PLATFORM(WAYLAND)
         if (PlatformDisplay::sharedDisplay().type() == PlatformDisplay::Type::Wayland) {