diff options
-rw-r--r-- | meson.build | 1 | ||||
-rw-r--r-- | staging/security-context/README | 4 | ||||
-rw-r--r-- | staging/security-context/engines.md | 14 | ||||
-rw-r--r-- | staging/security-context/security-context-v1.xml | 171 |
4 files changed, 190 insertions, 0 deletions
diff --git a/meson.build b/meson.build index 3b97f85..17fe21f 100644 --- a/meson.build +++ b/meson.build @@ -43,6 +43,7 @@ staging_protocols = { 'ext-idle-notify': ['v1'], 'ext-session-lock': ['v1'], 'fractional-scale': ['v1'], + 'security-context': ['v1'], 'single-pixel-buffer': ['v1'], 'tearing-control': ['v1'], 'xdg-activation': ['v1'], diff --git a/staging/security-context/README b/staging/security-context/README new file mode 100644 index 0000000..d12007d --- /dev/null +++ b/staging/security-context/README @@ -0,0 +1,4 @@ +security_context protocol + +Maintainers: +Simon Ser <contact@emersion.fr> diff --git a/staging/security-context/engines.md b/staging/security-context/engines.md new file mode 100644 index 0000000..dc5452a --- /dev/null +++ b/staging/security-context/engines.md @@ -0,0 +1,14 @@ +# security-context-v1 engines + +This document describes how some specific engine implementations populate the +metadata in security-context-v1. + +## [Flatpak] + +* `sandbox_engine` is always set to `flatpak`. +* `app_id` is the Flatpak application ID (in reverse-DNS style). It is always + set. +* `instance_id` is the Flatpak instance ID of the running sandbox. It is always + set. + +[Flatpak]: https://flatpak.org/ diff --git a/staging/security-context/security-context-v1.xml b/staging/security-context/security-context-v1.xml new file mode 100644 index 0000000..c5de6cb --- /dev/null +++ b/staging/security-context/security-context-v1.xml @@ -0,0 +1,171 @@ +<?xml version="1.0" encoding="UTF-8"?> +<protocol name="security_context_v1"> + <copyright> + Copyright © 2021 Simon Ser + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice (including the next + paragraph) shall be included in all copies or substantial portions of the + Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + </copyright> + + <interface name="wp_security_context_manager_v1" version="1"> + <description summary="client security context manager"> + This interface allows a client to register a new Wayland connection to + the compositor and attach a security context to it. + + This is intended to be used by sandboxes. Sandbox engines attach a + security context to all connections coming from inside the sandbox. The + compositor can then restrict the features that the sandboxed connections + can use. + + Compositors should forbid nesting multiple security contexts by not + exposing wp_security_context_manager_v1 global to clients with a security + context attached, or by sending the nested protocol error. Nested + security contexts are dangerous because they can potentially allow + privilege escalation of a sandboxed client. + + Warning! The protocol described in this file is currently in the testing + phase. Backward compatible changes may be added together with the + corresponding interface version bump. Backward incompatible changes can + only be done by creating a new major version of the extension. + </description> + + <enum name="error"> + <entry name="invalid_listen_fd" value="1" + summary="listening socket FD is invalid"/> + <entry name="nested" value="2" + summary="nested security contexts are forbidden"/> + </enum> + + <request name="destroy" type="destructor"> + <description summary="destroy the manager object"> + Destroy the manager. This doesn't destroy objects created with the + manager. + </description> + </request> + + <request name="create_listener"> + <description summary="create a new security context"> + Creates a new security context with a socket listening FD. + + The compositor will accept new client connections on listen_fd. + listen_fd must be ready to accept new connections when this request is + sent by the client. In other words, the client must call bind(2) and + listen(2) before sending the FD. + + close_fd is a FD closed by the client when the compositor should stop + accepting new connections on listen_fd. + + The compositor must continue to accept connections on listen_fd when + the Wayland client which created the security context disconnects. + </description> + <arg name="id" type="new_id" interface="wp_security_context_v1"/> + <arg name="listen_fd" type="fd" summary="listening socket FD"/> + <arg name="close_fd" type="fd" summary="FD closed when done"/> + </request> + </interface> + + <interface name="wp_security_context_v1" version="1"> + <description summary="client security context"> + The security context allows a client to register a new client and attach + security context metadata to the connections. + + When both are set, the combination of the application ID and the sandbox + engine must uniquely identify an application. The same application ID + will be used across instances (e.g. if the application is restarted, or + if the application is started multiple times). + + When both are set, the combination of the instance ID and the sandbox + engine must uniquely identify a running instance of an application. + </description> + + <enum name="error"> + <entry name="already_used" value="1" + summary="security context has already been committed"/> + <entry name="already_set" value="2" + summary="metadata has already been set"/> + <entry name="invalid_metadata" value="3" + summary="metadata is invalid"/> + </enum> + + <request name="destroy" type="destructor"> + <description summary="destroy the security context object"> + Destroy the security context object. + </description> + </request> + + <request name="set_sandbox_engine"> + <description summary="set the sandbox engine"> + Attach a unique sandbox engine name to the security context. + + A list of well-known engines is maintained at: + https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md + + It is a protocol error to call this request twice. The already_set + error is sent in this case. + </description> + <arg name="name" type="string" summary="the sandbox engine name"/> + </request> + + <request name="set_app_id"> + <description summary="set the application ID"> + Attach an application ID to the security context. + + The application ID is an opaque, sandbox-specific identifier for an + application. See the well-known engines document for more details: + https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md + + The compositor may use the application ID to group clients belonging to + the same security context application. + + Whether this request is optional or not depends on the sandbox engine used. + + It is a protocol error to call this request twice. The already_set + error is sent in this case. + </description> + <arg name="app_id" type="string" summary="the application ID"/> + </request> + + <request name="set_instance_id"> + <description summary="set the instance ID"> + Attach an instance ID to the security context. + + The instance ID is an opaque, sandbox-specific identifier for a running + instance of an application. See the well-known engines document for + more details: + https://gitlab.freedesktop.org/wayland/wayland-protocols/-/blob/main/staging/security-context/engines.md + + Whether this request is optional or not depends on the sandbox engine used. + + It is a protocol error to call this request twice. The already_set + error is sent in this case. + </description> + <arg name="instance_id" type="string" summary="the instance ID"/> + </request> + + <request name="commit"> + <description summary="register the security context"> + Atomically register the new client and attach the security context + metadata. + + It's a protocol error to send any request other than "destroy" after + this request. In this case, the already_used error is sent. + </description> + </request> + </interface> +</protocol> |