[RFC wayland-protocols v2] Introduce the restricted_registry protocol

Mariusz Ceier mceier+wayland at gmail.com
Wed Nov 25 08:41:28 PST 2015


Hi,
   It's missing a README, but otherwise it looks good to me:

Reviewed-by: Mariusz Ceier <mceier+wayland at gmail.com>

Mariusz Ceier

On 25 November 2015 at 15:10, Giulio Camuffo <giuliocamuffo at gmail.com>
wrote:

> This new extension is used by clients wanting to execute privileged
> actions such as taking a screenshot.
> The usual way of granting special privileges to apps is to fork and
> exec them in the compositor, and then checking if the client is the
> known one when it binds the restricted global interface. This works
> but is quite limited, as it doesn't allow the compositor to ask the
> user if the app is trusted, because it can't wait for the answer in
> the bind function as that would block the compositor.
> This new protocol instead allows the answer to come after some time
> without blocking the compositor or the client.
> ---
>
> v2: renamed to restricted_registry.
>     It now replaces wl_registry entirely for the restricted interfaces
>     and hence it lets clients know for sure that the globals
>     in wl_registry are not restricted, and which are the restricted
>     ones.
>
>
>  Makefile.am                                        |   1 +
>  .../restricted-registry/restricted-registry-v1.xml | 148
> +++++++++++++++++++++
>  2 files changed, 149 insertions(+)
>  create mode 100644 unstable/restricted-registry/restricted-registry-v1.xml
>
> diff --git a/Makefile.am b/Makefile.am
> index a32e977..bfe9a6a 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -5,6 +5,7 @@ unstable_protocols =
>                       \
>         unstable/text-input/text-input-unstable-v1.xml
>       \
>         unstable/input-method/input-method-unstable-v1.xml
>       \
>         unstable/xdg-shell/xdg-shell-unstable-v5.xml
>       \
> +       unstable/authorizer/authorizer-unstable-v1.xml
>         $(NULL)
>
>  nobase_dist_pkgdata_DATA =
>      \
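Review bot: the path added to unstable_protocols, `unstable/authorizer/authorizer-unstable-v1.xml`, is not the file this patch creates; the diffstat and the second diff both show `unstable/restricted-registry/restricted-registry-v1.xml`, so the build will reference a file that does not exist, apparently a leftover of the pre-rename v1 name. Suggest pointing the entry at the new file, and since every neighbouring entry follows the `<name>-unstable-v1.xml` pattern, consider naming the new file `restricted-registry-unstable-v1.xml` to match.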
> diff --git a/unstable/restricted-registry/restricted-registry-v1.xml
> b/unstable/restricted-registry/restricted-registry-v1.xml
> new file mode 100644
> index 0000000..8c9224f
> --- /dev/null
> +++ b/unstable/restricted-registry/restricted-registry-v1.xml
> @@ -0,0 +1,148 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +<protocol name="restricted_registry_v1">
> +
> +  <copyright>
> +    Copyright © 2015 Giulio Camuffo.
> +
> +    Permission to use, copy, modify, distribute, and sell this
> +    software and its documentation for any purpose is hereby granted
> +    without fee, provided that the above copyright notice appear in
> +    all copies and that both that copyright notice and this permission
> +    notice appear in supporting documentation, and that the name of
> +    the copyright holders not be used in advertising or publicity
> +    pertaining to distribution of the software without specific,
> +    written prior permission.  The copyright holders make no
> +    representations about the suitability of this software for any
> +    purpose.  It is provided "as is" without express or implied
> +    warranty.
> +
> +    THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
> +    SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
> +    FITNESS, IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY
> +    SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> +    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
> +    AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
> +    ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
> +    THIS SOFTWARE.
> +  </copyright>
> +
> +  <interface name="zwp_restricted_registry_v1" version="1">
> +    <description summary="authorize clients to use certain interfaces">
> +      This global interface acts as a wl_registry for restricted
> interfaces.
> +
> +      The globals advertized through this extension are not available
> +      through the normal wl_registry, and are not bindable by all the
> +      clients.
> +      When the clients creates a new zwp_restricted_registry_v1 object,
> +      it will advertize the existing restricted globals through the global
> +      event. These globals are not immediately bindable, but the client
> +      needs to be authorized first. To do so, the clients should send
> +      the authorize request for each global it whishes to bind, and then
> +      notify the compositor it whishes to be authorized by using the
> +      commit_authorization request. The compositor will then process the
> +      request and then send the list of authorized globals with the
> +      global_authorized event, followed by the authorization_done event.
> +      The client can bind the authorized globals when they are advertized
> +      but trying to bind any other will trigger a protocol error killing
> +      the client.
> +
> +      The list of restricted interfaces is compositor dependant, but must
> +      not include the core interfaces defined in wayland.xml.
> +    </description>
> +
> +    <enum name="error">
> +      <description summary="zwp_restricted_registry_v1 error codes">
> +        These errors can be emitted in response of
> zwp_restricted_registry_v1
> +        requests.
> +      </description>
> +      <entry name="unauthorized" value="0"
> +             summary="the client is not authorized to bind the specified
> global"/>
> +    </enum>
> +
> +    <request name="destroy" type="destructor">
> +      <description summary="destroy this zwp_restricted_registry_v1
> object">
> +        Destroy this object. Any bound object will continue to live.
> +      </description>
> +    </request>
> +
> +    <request name="bind">
> +      <description summary="bind an object to the display">
> +        Binds a new, client-created object to the server using the
> +        specified name as the identifier.
> +        The global must have been authorized prior to binding it
> +        by using the authorize request, otherwise the server will
> +        send a protocol error.
> +      </description>
> +      <arg name="name" type="uint" summary="unique name for the object"/>
> +      <arg name="id" type="new_id"/>
> +    </request>
> +
> +    <request name="authorize">
> +      <description summary="authorize a global interface">
> +        The authorize request allows the client to ask the compositor for
> +        authorization to bind a restricted global interface.
> +      </description>
> +      <arg name="name" type="uint"/>
> +    </request>
> +
> +    <request name="commit_authorization">
> +      <description summary="issue the authorization requests">
> +        This request notifies the compositor that the client has requested
> +        all the authorizations for the globals it wants to bind. No other
> +        authorize request can be sent after this.
> +        The compositor will decide which globals the client is authorized
> +        to bind and send them out using the global_authorized event,
> followed
> +        by the authorization_done event.
> +      </description>
> +    </request>
> +
> +    <event name="global">
> +      <description summary="announce global object">
> +        Notify the client of global objects.
> +
> +        The event notifies the client that a global object with
> +        the given name is now available, and it implements the
> +        given version of the given interface.
> +      </description>
> +      <arg name="name" type="uint"/>
> +      <arg name="interface" type="string"/>
> +      <arg name="version" type="uint"/>
> +    </event>
> +
> +    <event name="global_remove">
> +      <description summary="announce removal of global object">
> +        Notify the client of removed global objects.
> +
> +        This event notifies the client that the global identified
> +        by name is no longer available.  If the client bound to
> +        the global using the bind request, the client should now
> +        destroy that object.
> +
> +        The object remains valid and requests to the object will be
> +        ignored until the client destroys it, to avoid races between
> +        the global going away and a client sending a request to it.
> +      </description>
> +      <arg name="name" type="uint"/>
> +    </event>
> +
> +    <event name="global_authorized">
> +      <description summary="the client can bind this global object">
> +        Notify the client that it was authorized to bind this global.
> +        Only now can the client bind it succesfully.
> +      </description>
> +      <arg name="name" type="uint"/>
> +      <arg name="interface" type="string"/>
> +      <arg name="version" type="uint"/>
> +    </event>
> +
> +    <event name="authorization_done">
> +      <description summary="the authorization process is completed">
> +        This event notifies the client that the authorization process
> +        is done. Any authorized global was advertized through the
> +        global_authorized event, and any other global the client binds
> +        will trigger a protocol error.
> +      </description>
> +    </event>
> +
> +  </interface>
> +</protocol>
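Review bot: the `error` enum defines only `unauthorized`, yet the descriptions introduce protocol violations that have no code: `commit_authorization` says "No other authorize request can be sent after this", and nothing specifies what a second `commit_authorization`, or an `authorize` naming a global that was never announced, should produce. Suggest adding entries along the lines of `<entry name="already_committed" value="1" summary="authorize or commit sent after commit_authorization"/>` and `<entry name="invalid_name" value="2" summary="name does not refer to an advertised restricted global"/>` (or stating which existing error applies), so compositors enforce the same rules instead of each picking its own. A second ambiguity worth a sentence: `global_remove` covers the bound object's lifetime, but does not say whether an authorization is tied to the name, i.e. whether a global that goes away and reappears under a new name must be authorized again; spelling out that authorization is per announced name would settle that for both sides.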
> --
> 2.6.2
>
> _______________________________________________
> wayland-devel mailing list
> wayland-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
>
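The authorize, commit_authorization, global_authorized/authorization_done and bind sequence from the quoted protocol, modelled as an added compositor-side example (not part of the patch or of any Wayland implementation); the `rr_*` names, the `RR_ERR_AFTER_COMMIT` code and the sample policy are constructed assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
/* Compositor-side model of one zwp_restricted_registry_v1 object (an added
 * illustration, not libwayland code): the events become state transitions. */
#define MAX_GLOBALS 8
enum rr_phase { RR_COLLECTING = 0, RR_COMMITTED, RR_DONE };
enum rr_result { RR_OK, RR_ERR_UNAUTHORIZED, RR_ERR_AFTER_COMMIT };
struct rr_client {                       /* zero-initialised == COLLECTING */
    enum rr_phase phase;
    unsigned requested[MAX_GLOBALS];  size_t nrequested;
    unsigned authorized[MAX_GLOBALS]; size_t nauthorized;
};
typedef bool (*rr_policy_fn)(unsigned name); /* (user-prompted) trust decision */
static bool rr_contains(const unsigned *a, size_t n, unsigned v) {
    for (size_t i = 0; i < n; i++) if (a[i] == v) return true;
    return false;
}

/* authorize request: only valid before commit_authorization. The v2 XML has
 * no error code for this case; RR_ERR_AFTER_COMMIT is an assumed addition. */
enum rr_result rr_authorize(struct rr_client *c, unsigned name) {
    if (c->phase != RR_COLLECTING) return RR_ERR_AFTER_COMMIT;
    if (c->nrequested < MAX_GLOBALS && !rr_contains(c->requested, c->nrequested, name))
        c->requested[c->nrequested++] = name;
    return RR_OK;
}

/* commit_authorization request: freezes the request list. */
enum rr_result rr_commit(struct rr_client *c) {
    if (c->phase != RR_COLLECTING) return RR_ERR_AFTER_COMMIT;
    c->phase = RR_COMMITTED;
    return RR_OK;
}

/* Runs whenever the compositor (or user) has answered, possibly long after the
 * commit: global_authorized per approved name, then authorization_done. */
size_t rr_decide(struct rr_client *c, rr_policy_fn policy) {
    if (c->phase != RR_COMMITTED) return 0;
    for (size_t i = 0; i < c->nrequested; i++)
        if (policy(c->requested[i]))
            c->authorized[c->nauthorized++] = c->requested[i];
    c->phase = RR_DONE;
    return c->nauthorized;               /* number of approved globals */
}
/* bind request: a name never announced via global_authorized -> "unauthorized". */
enum rr_result rr_bind(const struct rr_client *c, unsigned name) {
    return rr_contains(c->authorized, c->nauthorized, name) ? RR_OK : RR_ERR_UNAUTHORIZED;
}
bool rr_sample_policy(unsigned name) { return name == 7; } /* constructed: trust only 7 */
```

The decision step is deliberately separate from the commit so the compositor can prompt the user and answer later without blocking either side, which is the point the cover letter makes.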