rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

sandbox: Add support for Wayland

Browse Source 
- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run run Wayland application

Resolves: RHEL-35984
This commit is contained in:
Petr Lautrbach 2024-05-09 16:33:50 +02:00
parent 6c667202a9
commit 6a9179581a
3 changed files with 367 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

232
0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch Normal file
View File

@ -0,0 +1,232 @@
From dde02ec582db3daa50ef09fdcfde025750f0575e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 20 Feb 2024 11:11:56 +0100
Subject: [PATCH] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ]
options
Content-type: text/plain
Mount /run/user/UID/<waylandsocket> or /run/user/UID/<pipewiresocket>
inside unshared /run/user/UID directory
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 113 insertions(+), 7 deletions(-)
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 1d38ea92b9ae..106f625fcba5 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -52,7 +52,8 @@
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \
+[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
static int child = 0;
@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
is_tmp = 1;
}
+ if (strncmp("/run/user", dst, 9) == 0) {
+ flags = flags | MS_REC;
+ }
+
/* mount directory */
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
}
+/**
+ * Mount directory and check that we mounted the right directory.
+ */
+static int seunshare_mount_file(const char *src, const char *dst)
+{
+ int flags = 0;
+
+ if (verbose)
+ printf(_("Mounting %s on %s\n"), src, dst);
+
+ if (access(dst, F_OK) == -1) {
+ FILE *fptr;
+ fptr = fopen(dst, "w");
+ fclose(fptr);
+ }
+ /* mount file */
+ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+ return -1;
+ }
+
+ return 0;
+
+}
+
/*
If path is empty or ends with "/." or "/.. return -1 else return 0;
*/
@@ -616,6 +646,8 @@ killall (const char *execcon)
int main(int argc, char **argv) {
int status = -1;
const char *execcon = NULL;
+ const char *pipewire_socket = NULL;
+ const char *wayland_display = NULL;
int clflag; /* holds codes for command line flags */
int kill_all = 0;
@@ -641,6 +673,8 @@ int main(int argc, char **argv) {
{"verbose", 1, 0, 'v'},
{"context", 1, 0, 'Z'},
{"capabilities", 1, 0, 'C'},
+ {"wayland", 1, 0, 'W'},
+ {"pipewire", 1, 0, 'P'},
{NULL, 0, 0, 0}
};
@@ -670,7 +704,7 @@ int main(int argc, char **argv) {
}
while (1) {
- clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL);
if (clflag == -1)
break;
@@ -693,6 +727,12 @@ int main(int argc, char **argv) {
case 'C':
cap_set = CAPNG_SELECT_CAPS;
break;
+ case 'P':
+ pipewire_socket = optarg;
+ break;
+ case 'W':
+ wayland_display = optarg;
+ break;
case 'Z':
execcon = optarg;
break;
@@ -767,8 +807,14 @@ int main(int argc, char **argv) {
char *display = NULL;
char *LANG = NULL;
char *RUNTIME_DIR = NULL;
+ char *XDG_SESSION_TYPE = NULL;
int rc = -1;
char *resolved_path = NULL;
+ char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */
+ char *wayland_path = NULL; /* /run/user/UID/wayland-0 */
+ char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */
+ char *pipewire_path = NULL; /* /run/user/UID/pipewire-0 */
+
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
@@ -805,6 +851,42 @@ int main(int argc, char **argv) {
}
}
+ if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
+ if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+
+ if (runuserdir_s && (wayland_display || pipewire_socket)) {
+ if (wayland_display) {
+ if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+
+ if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+
+ if (seunshare_mount_file(wayland_path, wayland_path_s) == -1)
+ goto childerr;
+ }
+
+ if (pipewire_socket) {
+ if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ seunshare_mount_file(pipewire_path, pipewire_path_s);
+ }
+ }
+
/* mount homedir, runuserdir and tmpdir, in this order */
if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
&st_runuserdir_s) != 0) goto childerr;
@@ -816,10 +898,21 @@ int main(int argc, char **argv) {
if (drop_privs(uid) != 0) goto childerr;
/* construct a new environment */
- if ((display = getenv("DISPLAY")) != NULL) {
- if ((display = strdup(display)) == NULL) {
- perror(_("Out of memory"));
- goto childerr;
+
+ if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) {
+ if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) {
+ if ((wayland_display = strdup(wayland_display)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+ }
+ else {
+ if ((display = getenv("DISPLAY")) != NULL) {
+ if ((display = strdup(display)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
}
}
@@ -835,8 +928,16 @@ int main(int argc, char **argv) {
perror(_("Failed to clear environment"));
goto childerr;
}
- if (display)
+ if (display) {
rc |= setenv("DISPLAY", display, 1);
+ }
+ if (wayland_display) {
+ rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1);
+ }
+
+ if (XDG_SESSION_TYPE)
+ rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1);
+
if (LANG)
rc |= setenv("LANG", LANG, 1);
if (RUNTIME_DIR)
@@ -874,9 +975,14 @@ int main(int argc, char **argv) {
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
free(resolved_path);
+ free(wayland_path);
+ free(wayland_path_s);
+ free(pipewire_path);
+ free(pipewire_path_s);
free(display);
free(LANG);
free(RUNTIME_DIR);
+ free(XDG_SESSION_TYPE);
exit(-1);
}
--
2.44.0

133
0010-sandbox-Add-support-for-Wayland.patch Normal file
View File

@ -0,0 +1,133 @@
From 5d1224b87ea10f3026ecf53c4c448ac4655add04 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 20 Feb 2024 11:17:20 +0100
Subject: [PATCH] sandbox: Add support for Wayland
Content-type: text/plain
- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run run Wayland application
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox | 26 ++++++++++++++++++++++++--
sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------
2 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 7ab98076fd2b..009b5f4df8f2 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__x_callback,
default=False, help=_("run X application within a sandbox"))
+ parser.add_option("-Y", dest="Y_ind",
+ action="callback", callback=self.__x_callback,
+ default=False, help=_("run Wayland application within a sandbox"))
+
parser.add_option("-H", "--homedir",
action="callback", callback=self.__validdir,
type="string",
@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
selinux.setfscreatecon(None)
+ def __is_wayland_app(self):
+ binary = shutil.which(self.__paths[0])
+ if binary is None:
+ return True
+ output = subprocess.run(['ldd', binary], capture_output=True)
+ for line in str(output.stdout, "utf-8").split('\n'):
+ if line.find("libwayland") != -1:
+ return "yes"
+ return False
+
def __execute(self):
try:
cmds = [SEUNSHARE, "-Z", self.__execcon]
@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
if self.__mount:
cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
- if self.__options.X_ind:
+ if self.__options.X_ind or self.__options.Y_ind:
if self.__options.dpi:
dpi = self.__options.dpi
else:
@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
from gi.repository import Gtk
dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
+ if os.environ.get('WAYLAND_DISPLAY') is not None:
+ cmds += ["-W", os.environ["WAYLAND_DISPLAY"]]
+
xmodmapfile = self.__homedir + "/.xmodmap"
xd = open(xmodmapfile, "w")
try:
@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__setup_sandboxrc(self.__options.wm)
- cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi]
+ if self.__options.Y_ind or self.__is_wayland_app():
+ WN = "yes"
+ else:
+ WN = "no"
+
+ cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi]
else:
cmds += ["--"] + self.__paths
return subprocess.Popen(cmds).wait()
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index c211ebc14549..e2a7ad9b2ac7 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -2,20 +2,32 @@
trap "" TERM
context=`id -Z | secon -t -l -P`
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
-[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
-[ -z $2 ] && export DPI="96" || export DPI="$2"
+[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1"
+[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2"
+[ -z $3 ] && export DPI="96" || export DPI="$3"
trap "exit 0" HUP
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
- export DISPLAY=:$D
- cat > ~/seremote << __EOF
-#!/bin/sh
-DISPLAY=$DISPLAY "\$@"
+if [ "$WAYLAND_NATIVE" == "no" ]; then
+ if [ -z "$WAYLAND_DISPLAY" ]; then
+ DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
+ else
+ DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null'
+ fi
+ eval $DISPLAY_COMMAND | while read D; do
+ export DISPLAY=:$D
+ cat > ~/seremote << __EOF
+#!/bin/bash -x
+export DISPLAY=$DISPLAY
+export WAYLAND_DISPLAY=$WAYLAND_DISPLAY
+"\$@"
__EOF
- chmod +x ~/seremote
+ chmod +x ~/seremote
+ /usr/share/sandbox/start $HOME/.sandboxrc
+ export EXITCODE=$?
+ kill -TERM 0
+ break
+ done
+else
/usr/share/sandbox/start $HOME/.sandboxrc
- export EXITCODE=$?
- kill -TERM 0
- break
-done
+fi
exit 0
--
2.44.0

2
policycoreutils.spec
View File

@ -44,6 +44,8 @@ Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch
Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch
Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch
Patch0009: 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
Patch0010: 0010-sandbox-Add-support-for-Wayland.patch
# Patch list end # Patch list end
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2