From 6a9179581aac2f99a139e1eb3968d27ab6fca503 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Thu, 9 May 2024 16:33:50 +0200
Subject: [PATCH] sandbox: Add support for Wayland
- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run run Wayland application
Resolves: RHEL-35984
---
...pipewiresocket-W-waylandsocket-optio.patch | 232 ++++++++++++++++++
0010-sandbox-Add-support-for-Wayland.patch | 133 ++++++++++
policycoreutils.spec | 2 +
3 files changed, 367 insertions(+)
create mode 100644 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
create mode 100644 0010-sandbox-Add-support-for-Wayland.patch
diff --git a/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch b/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
new file mode 100644
index 0000000..11ffed4
--- /dev/null
+++ b/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
@@ -0,0 +1,232 @@ +From dde02ec582db3daa50ef09fdcfde025750f0575e Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 20 Feb 2024 11:11:56 +0100 +Subject: [PATCH] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ] + options +Content-type: text/plain + +Mount /run/user/UID/ or /run/user/UID/ +inside unshared /run/user/UID directory + +Signed-off-by: Petr Lautrbach +--- + sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 113 insertions(+), 7 deletions(-) + +diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c +index 1d38ea92b9ae..106f625fcba5 100644 +--- a/sandbox/seunshare.c ++++ b/sandbox/seunshare.c +@@ -52,7 +52,8 @@ + + #define BUF_SIZE 1024 + #define DEFAULT_PATH "/usr/bin:/bin" +-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ") ++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \ ++[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ") + + static int verbose = 0; + static int child = 0; +@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st + is_tmp = 1; + } + ++ if (strncmp("/run/user", dst, 9) == 0) { ++ flags = flags | MS_REC; ++ } ++ + /* mount directory */ + if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { + fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); +@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st + + } + ++/** ++ * Mount directory and check that we mounted the right directory. 
++ */ ++static int seunshare_mount_file(const char *src, const char *dst) ++{ ++ int flags = 0; ++ ++ if (verbose) ++ printf(_("Mounting %s on %s\n"), src, dst); ++ ++ if (access(dst, F_OK) == -1) { ++ FILE *fptr; ++ fptr = fopen(dst, "w"); ++ fclose(fptr); ++ } ++ /* mount file */ ++ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { ++ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); ++ return -1; ++ } ++ ++ return 0; ++ ++} ++ + /* + If path is empty or ends with "/." or "/.. return -1 else return 0; + */ +@@ -616,6 +646,8 @@ killall (const char *execcon) + int main(int argc, char **argv) { + int status = -1; + const char *execcon = NULL; ++ const char *pipewire_socket = NULL; ++ const char *wayland_display = NULL; + + int clflag; /* holds codes for command line flags */ + int kill_all = 0; +@@ -641,6 +673,8 @@ int main(int argc, char **argv) { + {"verbose", 1, 0, 'v'}, + {"context", 1, 0, 'Z'}, + {"capabilities", 1, 0, 'C'}, ++ {"wayland", 1, 0, 'W'}, ++ {"pipewire", 1, 0, 'P'}, + {NULL, 0, 0, 0} + }; + +@@ -670,7 +704,7 @@ int main(int argc, char **argv) { + } + + while (1) { +- clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL); ++ clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL); + if (clflag == -1) + break; + +@@ -693,6 +727,12 @@ int main(int argc, char **argv) { + case 'C': + cap_set = CAPNG_SELECT_CAPS; + break; ++ case 'P': ++ pipewire_socket = optarg; ++ break; ++ case 'W': ++ wayland_display = optarg; ++ break; + case 'Z': + execcon = optarg; + break; +@@ -767,8 +807,14 @@ int main(int argc, char **argv) { + char *display = NULL; + char *LANG = NULL; + char *RUNTIME_DIR = NULL; ++ char *XDG_SESSION_TYPE = NULL; + int rc = -1; + char *resolved_path = NULL; ++ char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */ ++ char *wayland_path = NULL; /* /run/user/UID/wayland-0 */ ++ char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */ ++ char *pipewire_path = NULL; /* 
/run/user/UID/pipewire-0 */ ++ + + if (unshare(CLONE_NEWNS) < 0) { + perror(_("Failed to unshare")); +@@ -805,6 +851,42 @@ int main(int argc, char **argv) { + } + } + ++ if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) { ++ if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ } ++ ++ if (runuserdir_s && (wayland_display || pipewire_socket)) { ++ if (wayland_display) { ++ if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ ++ if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ ++ if (seunshare_mount_file(wayland_path, wayland_path_s) == -1) ++ goto childerr; ++ } ++ ++ if (pipewire_socket) { ++ if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ seunshare_mount_file(pipewire_path, pipewire_path_s); ++ } ++ } ++ + /* mount homedir, runuserdir and tmpdir, in this order */ + if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR, + &st_runuserdir_s) != 0) goto childerr; +@@ -816,10 +898,21 @@ int main(int argc, char **argv) { + if (drop_privs(uid) != 0) goto childerr; + + /* construct a new environment */ +- if ((display = getenv("DISPLAY")) != NULL) { +- if ((display = strdup(display)) == NULL) { +- perror(_("Out of memory")); +- goto childerr; ++ ++ if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) { ++ if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) { ++ if ((wayland_display = strdup(wayland_display)) == NULL) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ } ++ } ++ else { ++ if ((display = getenv("DISPLAY")) != NULL) { ++ if ((display = 
strdup(display)) == NULL) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } + } + } + +@@ -835,8 +928,16 @@ int main(int argc, char **argv) { + perror(_("Failed to clear environment")); + goto childerr; + } +- if (display) ++ if (display) { + rc |= setenv("DISPLAY", display, 1); ++ } ++ if (wayland_display) { ++ rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1); ++ } ++ ++ if (XDG_SESSION_TYPE) ++ rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1); ++ + if (LANG) + rc |= setenv("LANG", LANG, 1); + if (RUNTIME_DIR) +@@ -874,9 +975,14 @@ int main(int argc, char **argv) { + fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); + childerr: + free(resolved_path); ++ free(wayland_path); ++ free(wayland_path_s); ++ free(pipewire_path); ++ free(pipewire_path_s); + free(display); + free(LANG); + free(RUNTIME_DIR); ++ free(XDG_SESSION_TYPE); + exit(-1); + } + +-- +2.44.0 + diff --git a/0010-sandbox-Add-support-for-Wayland.patch b/0010-sandbox-Add-support-for-Wayland.patch new file mode 100644 index 0000000..203c35f --- /dev/null +++ b/0010-sandbox-Add-support-for-Wayland.patch 
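Review bot: The new `seunshare_mount_file()` creates its mount point with an unchecked `fopen(dst, "w")`, and `dst` is built in `main()` from the `-W`/`-P` argument without checking that it is a single file name, so a value containing `/` takes both the created file and the bind-mount source outside the two runtime directories. This block sits ahead of the `drop_privs(uid)` call visible in the context lines, so it presumably runs with whatever privileges seunshare holds at that point; only parts of `main()` are in the hunks, so confirm against the full file. I would reject such names while parsing the options and create the mount point with `O_CREAT | O_EXCL`, which never follows a symlink or truncates an existing file and lets a failed create be reported instead of reaching `fclose(NULL)`, as sketched below. Separately, `P:` is missing from the option string (`"Ccvh:r:t:P:W:Z:"`), so the short `-P` advertised in the usage text is rejected, the result of the pipewire `seunshare_mount_file()` call is ignored while the wayland one is checked, and the helper's doc comment still describes mounting and checking a directory.

```c
/* A socket name must be a single path component below the runtime dir. */
static int bad_socket_name(const char *name)
{
	return name[0] == '\0' || strchr(name, '/') != NULL ||
	       strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/**
 * Bind-mount the socket file src on dst, creating dst as an empty
 * file first when it does not exist yet.
 */
static int seunshare_mount_file(const char *src, const char *dst)
{
	int fd;

	/* … unchanged: verbose "Mounting %s on %s" message … */

	/* O_EXCL: create only when missing; a symlink at dst is not followed */
	fd = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
	if (fd >= 0) {
		close(fd);
	} else if (errno != EEXIST) {
		fprintf(stderr, _("Failed to create %s: %s\n"), dst, strerror(errno));
		return -1;
	}

	/* … unchanged: mount(src, dst, NULL, MS_BIND, NULL) and its error path … */
	return 0;
}

/* in main(), option parsing: */
		case 'P':
			if (bad_socket_name(optarg)) {
				fprintf(stderr, _("Invalid socket name: %s\n"), optarg);
				return -1;
			}
			pipewire_socket = optarg;
			break;
		/* … same check in case 'W' before wayland_display = optarg … */
```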
@@ -0,0 +1,133 @@ +From 5d1224b87ea10f3026ecf53c4c448ac4655add04 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 20 Feb 2024 11:17:20 +0100 +Subject: [PATCH] sandbox: Add support for Wayland +Content-type: text/plain + +- use XWayland for X application if it's run in Wayland session +- run Wayland apps directly if it's run in Wayland session +- add sandbox -Y option to run run Wayland application + +Signed-off-by: Petr Lautrbach +--- + sandbox/sandbox | 26 ++++++++++++++++++++++++-- + sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------ + 2 files changed, 48 insertions(+), 14 deletions(-) + +diff --git a/sandbox/sandbox b/sandbox/sandbox +index 7ab98076fd2b..009b5f4df8f2 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + action="callback", callback=self.__x_callback, + default=False, help=_("run X application within a sandbox")) + ++ parser.add_option("-Y", dest="Y_ind", ++ action="callback", callback=self.__x_callback, ++ default=False, help=_("run Wayland application within a sandbox")) ++ + parser.add_option("-H", "--homedir", + action="callback", callback=self.__validdir, + type="string", +@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + selinux.chcon(self.__runuserdir, self.__filecon, recursive=True) + selinux.setfscreatecon(None) + ++ def __is_wayland_app(self): ++ binary = shutil.which(self.__paths[0]) ++ if binary is None: ++ return True ++ output = subprocess.run(['ldd', binary], capture_output=True) ++ for line in str(output.stdout, "utf-8").split('\n'): ++ if line.find("libwayland") != -1: ++ return "yes" ++ return False ++ + def __execute(self): + try: + cmds = [SEUNSHARE, "-Z", self.__execcon] +@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + if self.__mount: + cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", 
self.__runuserdir] + +- if self.__options.X_ind: ++ if self.__options.X_ind or self.__options.Y_ind: + if self.__options.dpi: + dpi = self.__options.dpi + else: +@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + from gi.repository import Gtk + dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) + ++ if os.environ.get('WAYLAND_DISPLAY') is not None: ++ cmds += ["-W", os.environ["WAYLAND_DISPLAY"]] ++ + xmodmapfile = self.__homedir + "/.xmodmap" + xd = open(xmodmapfile, "w") + try: +@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + self.__setup_sandboxrc(self.__options.wm) + +- cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi] ++ if self.__options.Y_ind or self.__is_wayland_app(): ++ WN = "yes" ++ else: ++ WN = "no" ++ ++ cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi] + else: + cmds += ["--"] + self.__paths + return subprocess.Popen(cmds).wait() +diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh +index c211ebc14549..e2a7ad9b2ac7 100644 +--- a/sandbox/sandboxX.sh ++++ b/sandbox/sandboxX.sh +@@ -2,20 +2,32 @@ + trap "" TERM + context=`id -Z | secon -t -l -P` + export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" +-[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" +-[ -z $2 ] && export DPI="96" || export DPI="$2" ++[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1" ++[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2" ++[ -z $3 ] && export DPI="96" || export DPI="$3" + trap "exit 0" HUP + +-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +- export DISPLAY=:$D +- cat > ~/seremote << __EOF +-#!/bin/sh +-DISPLAY=$DISPLAY "\$@" ++if [ "$WAYLAND_NATIVE" == "no" ]; then ++ if [ -z "$WAYLAND_DISPLAY" ]; then ++ 
DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null' ++ else ++ DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null' ++ fi ++ eval $DISPLAY_COMMAND | while read D; do ++ export DISPLAY=:$D ++ cat > ~/seremote << __EOF ++#!/bin/bash -x ++export DISPLAY=$DISPLAY ++export WAYLAND_DISPLAY=$WAYLAND_DISPLAY ++"\$@" + __EOF +- chmod +x ~/seremote ++ chmod +x ~/seremote ++ /usr/share/sandbox/start $HOME/.sandboxrc ++ export EXITCODE=$? ++ kill -TERM 0 ++ break ++ done ++else + /usr/share/sandbox/start $HOME/.sandboxrc +- export EXITCODE=$? +- kill -TERM 0 +- break +-done ++fi + exit 0 +-- +2.44.0 + diff --git a/policycoreutils.spec b/policycoreutils.spec index 200e255..871cb5f 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -44,6 +44,8 @@ Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch +Patch0009: 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch +Patch0010: 0010-sandbox-Add-support-for-Wayland.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2
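Review bot: `__is_wayland_app()` runs `ldd` on the command that is about to be sandboxed, in the caller's own context before seunshare is started, and ldd(1) warns that some versions may execute code from the inspected binary, so the detection step itself is not confined. I would either drop the auto-detection and rely on the explicit `-Y` option, or read the dynamic section without loading the file (for example `objdump -p`, which lists only direct `NEEDED` entries and would therefore miss toolkits that pull in libwayland indirectly). The function also returns `True`, `"yes"` and `False` on its three paths; `return True` on the match keeps it boolean, and treating a command that `shutil.which()` cannot resolve as Wayland-native deserves a comment or a `return False`. In `sandboxX.sh` the generated `~/seremote` now starts with `#!/bin/bash -x`, which looks like leftover tracing, and the `==` inside `[ ]` needs bash; the script's own shebang is outside the hunk.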