[PATCH wayland v3 0/7] Allow passing fd when adding socket for display

Bryce Harrington bryce at osg.samsung.com
Mon Dec 7 22:49:12 PST 2015


This patchset adds functionality to allow system-level control over
handing out file descriptors for sockets, to allow tighter security when
running a Wayland compositor under a Wayland session server.

A Wayland session service is run with system daemon permission levels,
and individual Wayland sessions are launched from within it.  These
sub-sessions can then be run with a tightened set of permissions, such as
being restricted to the actual user home directory and restricted from
accessing another application's resources, and thus otherwise handled as
just another Wayland client application.  These 'home applications' (as
they're referred to in Tizen) could then be provided by third
parties to users (e.g. downloaded from an app store) without having to be
granted undue levels of trust.

In Tizen, this system is implemented using Enlightenment as the Wayland
session service.  Simplified Mandatory Access Control Kernel (Smack) is
used to enforce security policy.  Cynara is used as the security
daemon.  (See https://wiki.tizen.org/wiki/Security/Tizen_3.X_Overview
for more detail.)

One implication of this security policy is that applications (including
the home application) cannot share sockets, and can only connect to
system-level sockets.  This means that Enlightenment needs to create and
own the sockets used by the untrusted Wayland home applications, and to
do that, we require the ability to pass socket file descriptors through
the Wayland API when adding a socket for a Wayland display.

---
v2:
 + Drop tab corrections
 + Add patch to move if statement into assert

v3:
 + Removed wl_os_socket_check_cloexec
 + Removed wl_display_add_socket_fd_auto
 + Replaced _wl_display_add_socket
 + Rewrote wl_display_add_socket_fd


Bryce Harrington (7):
  socket-test: Fix some comment typos
  socket-test: Refactor if check into the assert
  os: Expose set_cloexec_or_close with a namespaced name
  tests: Add test case for wl_os_set_cloexec_or_close
  server: Restructure _wl_display_add_socket() to take an explicit fd
    argument
  server: Add new API for adding a socket with an existing fd
  socket-test: Add cases for sockets using existing fd's

 src/wayland-os.c          | 24 +++++++++++-----
 src/wayland-os.h          |  3 ++
 src/wayland-server-core.h |  3 ++
 src/wayland-server.c      | 70 +++++++++++++++++++++++++++++++++++++++++------
 tests/os-wrappers-test.c  | 45 ++++++++++++++++++++++++++++++
 tests/socket-test.c       | 39 +++++++++++++++++++++-----
 6 files changed, 162 insertions(+), 22 deletions(-)

-- 
1.9.1
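As an added example (not code from this patchset or from libwayland), the stand-alone C program below walks through the OS-level mechanism the cover letter relies on: a privileged session service creates and owns the listening display socket, hands the descriptor to the compositor over an SCM_RIGHTS message, and the compositor applies the set_cloexec_or_close contract and verifies that the descriptor really is a listening AF_UNIX stream socket before it would ever call accept() on it. All function names here (create_owned_display_socket, send_fd, recv_fd, is_listening_unix_socket, demo_pass_display_socket), the local set_cloexec_or_close stand-in and the 0077 umask are assumptions of this example; the series' real wl_display_add_socket_fd() is deliberately not called so the program builds without libwayland.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd, or close it and return -1: the contract the cover letter
 * gives for set_cloexec_or_close. A local stand-in, not libwayland's function. */
int set_cloexec_or_close(int fd)
{
	int flags = fd == -1 ? -1 : fcntl(fd, F_GETFD);
	if (flags != -1 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) != -1) return fd;
	if (fd != -1) close(fd);
	return -1;
}

int fd_is_cloexec(int fd) { int f = fcntl(fd, F_GETFD); return f != -1 && (f & FD_CLOEXEC); }

/* Service side: create, bind and listen on the display socket so that the privileged
 * service, not the untrusted compositor, owns the socket file. umask 0077 is assumed. */
int create_owned_display_socket(const char *path)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	mode_t old; int fd;
	if (strlen(path) >= sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }
	strcpy(addr.sun_path, path);
	fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (fd == -1) return -1;
	unlink(path);
	old = umask(0077);
	if (bind(fd, (struct sockaddr *)&addr, sizeof addr) == -1 || listen(fd, 128) == -1) {
		umask(old); close(fd); unlink(path); return -1;
	}
	umask(old);
	return fd;
}

/* Pass one descriptor across a UNIX stream socket with SCM_RIGHTS (one payload byte). */
int send_fd(int chan, int fd)
{
	char byte = 'S';
	struct iovec iov = { &byte, 1 };
	union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
	struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
	memset(&u, 0, sizeof u);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

int recv_fd(int chan)
{
	char byte; int fd;
	struct iovec iov = { &byte, 1 };
	union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
	struct cmsghdr *cm;
	memset(&u, 0, sizeof u);
	if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC) || !(cm = CMSG_FIRSTHDR(&msg))) return -1;
	if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
	    cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/* Compositor side: a descriptor handed in from outside must be a listening AF_UNIX
 * stream socket before accept() is ever called on it. */
int is_listening_unix_socket(int fd)
{
	int v; socklen_t len = sizeof v;
	if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &v, &len) == -1 || v != AF_UNIX) return 0;
	if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &v, &len) == -1 || v != SOCK_STREAM) return 0;
	return getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &v, &len) == 0 && v != 0;
}

/* Whole handover: the service creates the socket and passes it over a socketpair; the
 * compositor sets FD_CLOEXEC (received fds do not carry it) and validates it before use.
 * Returns 0 on success or a distinct negative code naming the failed step. */
int demo_pass_display_socket(const char *path)
{
	int chan[2], lfd = -1, got = -1, rc;
	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, chan) == -1) return -1;
	if ((lfd = create_owned_display_socket(path)) == -1) { rc = -2; goto out; }
	if (send_fd(chan[0], lfd) == -1) { rc = -3; goto out; }
	if ((got = recv_fd(chan[1])) == -1) { rc = -4; goto out; }
	if (fd_is_cloexec(got)) { rc = -5; goto out; }	/* not set on a received fd */
	if ((got = set_cloexec_or_close(got)) == -1) { rc = -6; goto out; }
	if (!fd_is_cloexec(got)) { rc = -7; goto out; }
	rc = is_listening_unix_socket(got) ? 0 : -8;
out:
	if (got != -1) close(got);
	if (lfd != -1) close(lfd);
	close(chan[0]); close(chan[1]); unlink(path);
	return rc;
}
```

Two points the walkthrough makes explicit: a descriptor received via SCM_RIGHTS does not carry FD_CLOEXEC unless recvmsg() is called with MSG_CMSG_CLOEXEC, so it is the receiving side that has to apply set_cloexec_or_close, exactly as the series does for the fd it is handed; and the SO_ACCEPTCONN check is what stops a caller from passing a connected or merely bound socket to an API that is going to accept() on it.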
