File 0001-Use-Xauthority-for-Xwayland.patch of Package kwin5
From 04366a23329b4afd73a9c3f5a979d41bf7485ce5 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Sat, 17 Mar 2018 23:25:56 +0100
Subject: [PATCH] Use Xauthority for Xwayland authorization
Currently Xwayland only looks at the uid of the application connecting to it. Using Xauthority gives more flexibility here, by having a token which can be passed around. This is what kdesu and ssh's X-forwarding expect. According to the Xsecurity man page, this is more secure than "xhost +si:localuser:root" as non-root processes can actually appear as root to the X server in certain circumstances. To deal with hostname changes, FamilyWild is used for Xauthority, but for Xsm XAUTHLOCALHOSTNAME is also set (boo#1177835, downstream patch in xtrans).
---
 CMakeLists.txt | 1 +
 xwl/xwayland.cpp | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
 xwl/xwayland.h | 2 +
 3 files changed, 105 insertions(+), 2 deletions(-)
Index: kwin-5.15.80git.20210115T233025~907480037/CMakeLists.txt
===================================================================
--- kwin-5.15.80git.20210115T233025~907480037.orig/CMakeLists.txt 2021-01-17 01:11:13.637271623 +0100
+++ kwin-5.15.80git.20210115T233025~907480037/CMakeLists.txt 2021-01-17 01:12:36.521052780 +0100
@@ -649,6 +649,7 @@
 XCB::SYNC
 XCB::XCB
 XCB::XFIXES
+ ${X11_Xau_LIB}
 Libinput::Libinput
 UDev::UDev
Index: kwin-5.15.80git.20210115T233025~907480037/xwl/xwayland.cpp
===================================================================
--- kwin-5.15.80git.20210115T233025~907480037.orig/xwl/xwayland.cpp 2021-01-17 01:11:04.653491261 +0100
+++ kwin-5.15.80git.20210115T233025~907480037/xwl/xwayland.cpp 2021-01-17 01:11:13.637271623 +0100
@@ -38,6 +38,8 @@
 #include <sys/socket.h>
 #include <cerrno>
 #include <cstring>
+#include <iostream>
+#include <X11/Xauth.h>
 static QByteArray readDisplay(int pipe)
 {
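Review bot: `${X11_Xau_LIB}` is added to the link list without any visible check that libXau was found, while xwl/xwayland.cpp now includes `<X11/Xauth.h>` unconditionally. If the project's existing X11 detection does not already require it (not visible in this hunk), a missing libXau surfaces as a compile or link error instead of a configure-time message. A guard next to the X11 detection, such as `if(NOT X11_Xau_FOUND)` followed by `message(FATAL_ERROR "libXau is required for Xwayland authorization")` and `endif()`, would make the dependency explicit. The enclosing link-library list starts and ends outside the hunk.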
@@ -76,6 +78,73 @@
 stop();
 }
+static QByteArray getRandomData(qint64 bytes)
+{
+ QFile random(QStringLiteral("/dev/urandom"));
+ if (!random.open(QIODevice::ReadOnly))
+ return {};
+
+ QByteArray data;
+ data.resize(bytes);
+ while (bytes) {
+ auto bytesRead = random.read(data.data() + data.size() - bytes, bytes);
+ if (bytesRead == -1)
+ return {};
+
+ bytes -= bytesRead;
+ }
+
+ return data;
+}
+
+static bool addCookieToFile(QString filename, QString display, QString &hostname)
+{
+ QByteArray cookie = getRandomData(16);
+ QByteArray displayUtf8 = display.toUtf8();
+
+ if(displayUtf8.size() < 2 || displayUtf8[0] != ':' || cookie.count() != 16) {
+ return false;
+ }
+
+ FILE *authFp = fopen(qPrintable(filename), "wb");
+ if (authFp == nullptr) {
+ return false;
+ }
+
+ char localhost[HOST_NAME_MAX + 1] = "";
+ if (gethostname(localhost, HOST_NAME_MAX) < 0) {
+ strcpy(localhost, "localhost");
+ }
+
+ hostname = QString::fromUtf8(localhost);
+
+ Xauth auth = {};
+ char cookieName[] = "MIT-MAGIC-COOKIE-1";
+
+ auth.family = FamilyLocal;
+ auth.address = localhost;
+ auth.address_length = strlen(auth.address);
+ auth.number = displayUtf8.data() + 1;
+ auth.number_length = strlen(auth.number);
+ auth.name = cookieName;
+ auth.name_length = sizeof(cookieName) - 1;
+ auth.data = cookie.data();
+ auth.data_length = cookie.count();
+
+ if (XauWriteAuth(authFp, &auth) == 0) {
+ fclose(authFp);
+ return false;
+ }
+
+ auth.family = FamilyWild;
+ auth.address_length = 0;
+ bool success = XauWriteAuth(authFp, &auth) != 0 && fflush(authFp) != EOF;
+
+ fclose(authFp);
+
+ return success;
+}
+
 QProcess *Xwayland::process() const
 {
 return m_xwaylandProcess;
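Review bot: The read loop in `getRandomData` treats only `-1` as failure, so a `read()` that returns 0 leaves `bytes` unchanged and the loop never terminates; `if (bytesRead <= 0) return {};` closes that. The device is also opened buffered, so Qt may pull more than the requested 16 bytes from /dev/urandom into its own buffer; `random.open(QIODevice::ReadOnly | QIODevice::Unbuffered)` avoids that. In `addCookieToFile` the cookie file is reopened by path with `fopen(qPrintable(filename), "wb")`, which assumes the file created earlier is still owner-only and that the local 8-bit conversion of the path is lossless. `QFile::encodeName(filename).constData()` is the conversion Qt provides for file names, and a comment stating that the path comes from the `QTemporaryFile` in the runtime directory would document the permission assumption.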
@@ -87,6 +156,16 @@
 return;
 }
+ QString dir = QStandardPaths::writableLocation(QStandardPaths::RuntimeLocation);
+ if (!dir.isEmpty()) {
+ m_xwaylandAuthority.setFileTemplate(dir + QStringLiteral("/xauth_XXXXXX"));
+ m_xwaylandAuthority.open();
+ }
+
+ if (m_xwaylandAuthority.fileName().isEmpty()) {
+ std::cerr << "Warning: Could not create a Xauthority file for Xwayland." << std::endl;
+ }
+
 int pipeFds[2];
 if (pipe(pipeFds) != 0) {
 qCWarning(KWIN_XWL, "Failed to create pipe to start Xwayland: %s", strerror(errno));
@@ -129,11 +208,15 @@
 env.insert("WAYLAND_SOCKET", QByteArray::number(wlfd));
 env.insert("EGL_PLATFORM", QByteArrayLiteral("DRM"));
 m_xwaylandProcess->setProcessEnvironment(env);
- m_xwaylandProcess->setArguments({QStringLiteral("-displayfd"),
+ QStringList args{QStringLiteral("-displayfd"),
 QString::number(pipeFds[1]),
 QStringLiteral("-rootless"),
 QStringLiteral("-wm"),
- QString::number(fd)});
+ QString::number(fd)};
+ if (!m_xwaylandAuthority.fileName().isEmpty()) {
+ args << QStringLiteral("-auth") << m_xwaylandAuthority.fileName();
+ }
+ m_xwaylandProcess->setArguments(args);
 connect(m_xwaylandProcess, &QProcess::errorOccurred, this, &Xwayland::handleXwaylandError);
 connect(m_xwaylandProcess, &QProcess::started, this, &Xwayland::handleXwaylandStarted);
 connect(m_xwaylandProcess, QOverload<int, QProcess::ExitStatus>::of(&QProcess::finished),
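Review bot: The warning for a missing authority file goes to `std::cerr`, while the pipe-failure path a few lines further down in the same hunk uses `qCWarning(KWIN_XWL, ...)`, so this message bypasses the logging category and needs `<iostream>` for a single line. `qCWarning(KWIN_XWL) << "Could not create an Xauthority file for Xwayland, falling back to uid-based access control";` would keep it filterable and state what the fallback means, since the later hunk passes no `-auth` argument in that case. The return value of `m_xwaylandAuthority.open()` is only checked indirectly through `fileName().isEmpty()`, and a short comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.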
@@ -331,6 +414,23 @@
 bool Xwayland::createX11Connection()
 {
+ if (!m_xwaylandAuthority.fileName().isEmpty()) {
+ QString hostname;
+ if (addCookieToFile(m_xwaylandAuthority.fileName(), m_displayName, hostname)) {
+ setenv("XAUTHORITY", qPrintable(m_xwaylandAuthority.fileName()), 1);
+ setenv("XAUTHLOCALHOSTNAME", qPrintable(hostname), 1);
+ auto env = m_app->processStartupEnvironment();
+ env.insert(QStringLiteral("XAUTHORITY"), m_xwaylandAuthority.fileName());
+ env.insert(QStringLiteral("XAUTHLOCALHOSTNAME"), hostname);
+ m_app->setProcessStartupEnvironment(env);
+ }
+ else {
+ qCWarning(KWIN_XWL) << "Could not generate Xauthority entry";
+ // We can't authenticate using it so the server must not see any entries either
+ m_xwaylandAuthority.resize(0);
+ }
+ }
+
 xcb_connection_t *connection = xcb_connect_to_fd(m_xcbConnectionFd, nullptr);
 const int errorCode = xcb_connection_has_error(connection);
Index: kwin-5.15.80git.20210115T233025~907480037/xwl/xwayland.h
===================================================================
--- kwin-5.15.80git.20210115T233025~907480037.orig/xwl/xwayland.h 2021-01-17 01:11:04.653491261 +0100
+++ kwin-5.15.80git.20210115T233025~907480037/xwl/xwayland.h 2021-01-17 01:11:13.637271623 +0100
@@ -15,6 +15,7 @@
 #include <QFutureWatcher>
 #include <QProcess>
 #include <QSocketNotifier>
+#include <QTemporaryFile>
 namespace KWin
 {
@@ -102,6 +103,7 @@
 QProcess *m_xwaylandProcess = nullptr;
 QSocketNotifier *m_socketNotifier = nullptr;
 QTimer *m_resetCrashCountTimer = nullptr;
+ QTemporaryFile m_xwaylandAuthority;
 QByteArray m_displayName;
 QFutureWatcher<QByteArray> *m_watcher = nullptr;
 ApplicationWaylandAbstract *m_app;
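Review bot: In the failure branch the result of `m_xwaylandAuthority.resize(0)` is discarded, yet `addCookieToFile` can fail after its first `XauWriteAuth` succeeded, leaving an entry in the file that Xwayland was started with via `-auth`. If the truncation fails, the server may end up enforcing a cookie that neither kwin nor its child processes hold; `if (!m_xwaylandAuthority.resize(0)) { qCWarning(KWIN_XWL) << "Could not clear Xauthority file"; }` at least makes that state visible. A comment noting that `setenv` changes kwin's own environment for the rest of the process lifetime, in addition to the startup environment handed to children, would also help. `createX11Connection` continues past the end of the hunk.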