[RFC wayland-protocols v2] Introduce the restricted_registry protocol
Giulio Camuffo
giuliocamuffo at gmail.com
Wed Nov 25 06:10:04 PST 2015
This new extension is used by clients wanting to execute priviledged
actions such as taking a screenshot.
The usual way of granting special priviledged to apps is to fork and
exec them in the compositor, and then checking if the client is the
known one when it binds the restricted global interface. This works
but is quite limited, as it doesn't allow the compositor to ask the
user if the app is trusted, because it can't wait for the answer in
the bind function as that would block the compositor.
This new protocol instead allows the answer to come after some time
without blocking the compositor or the client.
---
v2: renamed to restricted_registry.
It now replaces wl_registry entirely for the restricted interfaces
and hence it makes it lets clients know for sure that the globals
in wl_registry are not restricted, and which are the restricted
ones.
Makefile.am | 1 +
.../restricted-registry/restricted-registry-v1.xml | 148 +++++++++++++++++++++
2 files changed, 149 insertions(+)
create mode 100644 unstable/restricted-registry/restricted-registry-v1.xml
diff --git a/Makefile.am b/Makefile.am
index a32e977..bfe9a6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,6 +5,7 @@ unstable_protocols = \
unstable/text-input/text-input-unstable-v1.xml \
unstable/input-method/input-method-unstable-v1.xml \
unstable/xdg-shell/xdg-shell-unstable-v5.xml \
+ unstable/authorizer/authorizer-unstable-v1.xml
$(NULL)
nobase_dist_pkgdata_DATA = \
diff --git a/unstable/restricted-registry/restricted-registry-v1.xml b/unstable/restricted-registry/restricted-registry-v1.xml
new file mode 100644
index 0000000..8c9224f
--- /dev/null
+++ b/unstable/restricted-registry/restricted-registry-v1.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="restricted_registry_v1">
+
+ <copyright>
+ Copyright © 2015 Giulio Camuffo.
+
+ Permission to use, copy, modify, distribute, and sell this
+ software and its documentation for any purpose is hereby granted
+ without fee, provided that the above copyright notice appear in
+ all copies and that both that copyright notice and this permission
+ notice appear in supporting documentation, and that the name of
+ the copyright holders not be used in advertising or publicity
+ pertaining to distribution of the software without specific,
+ written prior permission. The copyright holders make no
+ representations about the suitability of this software for any
+ purpose. It is provided "as is" without express or implied
+ warranty.
+
+ THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS, IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+ THIS SOFTWARE.
+ </copyright>
+
+ <interface name="zwp_restricted_registry_v1" version="1">
+ <description summary="authorize clients to use certain interfaces">
+ This global interface acts as a wl_registry for restricted interfaces.
+
+ The globals advertized through this extension are not available
+ through the normal wl_registry, and are not bindable by all the
+ clients.
+ When the clients creates a new zwp_restricted_registry_v1 object,
+ it will advertize the existing restricted globals through the global
+ event. These globals are not immediately bindable, but the client
+ needs to be authorized first. To do so, the clients should send
+ the authorize request for each global it whishes to bind, and then
+ notify the compositor it whishes to be authorized by using the
+ commit_authorization request. The compositor will then process the
+ request and then send the list of authorized globals with the
+ global_authorized event, followed by the authorization_done event.
+ The client can bind the authorized globals when they are advertized
+ but trying to bind any other will trigger a protocol error killing
+ the client.
+
+ The list of restricted interfaces is compositor dependant, but must
+ not include the core interfaces defined in wayland.xml.
+ </description>
+
+ <enum name="error">
+ <description summary="zwp_restricted_registry_v1 error codes">
+ These errors can be emitted in response of zwp_restricted_registry_v1
+ requests.
+ </description>
+ <entry name="unauthorized" value="0"
+ summary="the client is not authorized to bind the specified global"/>
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy this zwp_restricted_registry_v1 object">
+ Destroy this object. Any bound object will continue to live.
+ </description>
+ </request>
+
+ <request name="bind">
+ <description summary="bind an object to the display">
+ Binds a new, client-created object to the server using the
+ specified name as the identifier.
+ The global must have been authorized prior to binding it
+ by using the authorize request, otherwise the server will
+ send a protocol error.
+ </description>
+ <arg name="name" type="uint" summary="unique name for the object"/>
+ <arg name="id" type="new_id"/>
+ </request>
+
+ <request name="authorize">
+ <description summary="authorize a global interface">
+ The authorize request allows the client to ask the compositor for
+ authorization to bind a restricted global interface.
+ </description>
+ <arg name="name" type="uint"/>
+ </request>
+
+ <request name="commit_authorization">
+ <description summary="issue the authorization requests">
+ This request notifies the compositor that the client has requested
+ all the authorizations for the globals it wants to bind. No other
+ authorize request can be sent after this.
+ The compositor will decide which globals the client is authorized
+ to bind and send them out using the global_authorized event, followed
+ by the authorization_done event.
+ </description>
+ </request>
+
+ <event name="global">
+ <description summary="announce global object">
+ Notify the client of global objects.
+
+ The event notifies the client that a global object with
+ the given name is now available, and it implements the
+ given version of the given interface.
+ </description>
+ <arg name="name" type="uint"/>
+ <arg name="interface" type="string"/>
+ <arg name="version" type="uint"/>
+ </event>
+
+ <event name="global_remove">
+ <description summary="announce removal of global object">
+ Notify the client of removed global objects.
+
+ This event notifies the client that the global identified
+ by name is no longer available. If the client bound to
+ the global using the bind request, the client should now
+ destroy that object.
+
+ The object remains valid and requests to the object will be
+ ignored until the client destroys it, to avoid races between
+ the global going away and a client sending a request to it.
+ </description>
+ <arg name="name" type="uint"/>
+ </event>
+
+ <event name="global_authorized">
+ <description summary="the client can bind this global object">
+ Notify the client that it was authorized to bind this global.
+ Only now can the client bind it succesfully.
+ </description>
+ <arg name="name" type="uint"/>
+ <arg name="interface" type="string"/>
+ <arg name="version" type="uint"/>
+ </event>
+
+ <event name="authorization_done">
+ <description summary="the authorization process is completed">
+ This event notifies the client that the authorization process
+ is done. Any authorized global was advertized through the
+ global_authorized event, and any other global the client binds
+ will trigger a protocol error.
+ </description>
+ </event>
+
+ </interface>
+</protocol>
--
2.6.2
More information about the wayland-devel
mailing list