-
Notifications
You must be signed in to change notification settings - Fork 573
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wayland: add extra sockets that are used by older toolkits (e.g. gtk3) #5660
Conversation
I removed "wayland-shared-*" as I cannot find what was using it, and as the built-in apparmor profile doesn't have it either, concluded it was an error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Adding Jamie to look at this from the security POV |
5ffd118
to
7c3b649
Compare
I forgot to fix the test, done now |
Codecov Report
@@ Coverage Diff @@
## master #5660 +/- ##
==========================================
- Coverage 78.96% 78.96% -0.01%
==========================================
Files 522 522
Lines 39711 39711
==========================================
- Hits 31358 31356 -2
- Misses 5807 5808 +1
- Partials 2546 2547 +1
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The policy itself looks okay.
/run/user/[0-9]*/wayland-shared-* rw, | ||
/run/user/[0-9]*/wayland-cursor-shared-* rw, | ||
/run/user/[0-9]*/xwayland-shared-* rw, | ||
/run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks okay though ideally it wayland would store those sockets in some private space since they are actually handled to clients over a IPC call that carries the file descriptor. Still, this is okay just annoying.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These sockets/files are can also be created by clients to share data with the server - passed by FD as you rightly say. AFAICS it is an informal standard that $XDG_RUNTIME_DIR is the place for such things, and that's hardcoded in all the toolkits I've looked at.
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/wayland-shared-* rw, | ||
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/wayland-cursor-shared-* rw, | ||
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/xwayland-shared-* rw, | ||
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This matches the list above so OK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1. Thanks!
Inspired by https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/wayland