Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-11-24 Thread Jussi Laako 

On 19.11.2014 16:22, Pekka Paalanen wrote:

When a session compositor is started, you can already use
WAYLAND_SOCKET environment variable to pass an opened connection to it.
If your system compositor forks session compositors, no problem. If
something else starts your session compositors, you need a wrapper
program to pre-create a connection to the socket file in the shared
directory (that is not your XDG_RUNTIME_DIR) and then exec the session
compositor.


We are running system compositor under one special user session, in this 
case user genivi. This is normal session other than it is not visible 
to logind (pam_systemd is not called).


Then, in our login manager (TLM), other seats are set to wait for the 
system compositor lock file to appear before logging in default (guest) 
user sessions. These are normal sessions visible to logind and weston 
for each seat runs inside the user session. When user is logged out, the 
weston instance is terminated and restarted for the next user session.


Passing WAYLAND_SOCKET environment from a user session of user X to 
another newly created user sessions Y and Z is not very straightforward 
operation... Also lifetime of the Y and Z vary and new sessions will be 
spawned after one is terminated while the system compositor persists.


___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-11-19 Thread Pekka Paalanen 
(Fixing CC lists, please use reply-to-all in the future...)

On Wed, 22 Oct 2014 10:55:25 +0300
Jussi Laako jussi.la...@linux.intel.com wrote:

 On 20.10.2014 18:13, Daniel Stone wrote:
  Each to their own; I don't think it's necessarily any more complex than
  split compositors, since at some point you have to deal with input
  splitting anyway, and if you want both security (i.e. random users not
  opening random devices) and performance (i.e. no unnecessary hops
  through input compositor for events), you end up having to deal with
  input splitting in your system compositor anyway.
 
 Access control is no different whether you have 1 weston or 3 westons 
 running.
 
 It is about amount of changes needed, fairly small patch vs almost 
 complete weston rewrite...

Yeah, we've had long discussions about this with Imran.

The problem here is doing multi-seat with a single GPU (multi-head), so
for output they need a central compositor.

Running one session compositor per seat, on top of a system compositor,
has some significant advantages:
- each session compositor can be from each user's favourite DE
- there is no need to add restrictions into the shared compositor, like
  preventing pointers or windows from traveling to other users'
  outputs, if you do evdev pass-through
- advertising globals in the protocol can be per-seat, rather than
  every app seeing every seat's output globals

I'm sure there are more, but yes, adding all that isolation into Weston
to share the same compositor instance between all physical seats would
be quite an ordeal. You can't really create, say, multiple
weston_compositor instances, because that means multiple
drm_compositors, which means the GPU sharing part would be hard. And if
you share weston_compositor, then adding the isolation is hard.


Like said, environment variables are not really good here. You can
already, without modifications to libwayland-server, create your custom
sockets like I explained in the earlier thread: just create the socket,
watch the fd in your event loop, accept connections and call
wl_client_create(). You duplicate a bit of code from libwayland-server,
but you have total control on where and how the socket is created, and
you know explicitly from which socket a client comes from.

This would be used by the system compositor to offer sockets for the
session compositors to connect to, right?

When a session compositor is started, you can already use
WAYLAND_SOCKET environment variable to pass an opened connection to it.
If your system compositor forks session compositors, no problem. If
something else starts your session compositors, you need a wrapper
program to pre-create a connection to the socket file in the shared
directory (that is not your XDG_RUNTIME_DIR) and then exec the session
compositor.

Would that solve all the problems you were trying to solve with these
two patches?


Thanks,
pq
___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-22 Thread Jussi Laako 

On 20.10.2014 18:13, Daniel Stone wrote:

Each to their own; I don't think it's necessarily any more complex than
split compositors, since at some point you have to deal with input
splitting anyway, and if you want both security (i.e. random users not
opening random devices) and performance (i.e. no unnecessary hops
through input compositor for events), you end up having to deal with
input splitting in your system compositor anyway.


Access control is no different whether you have 1 weston or 3 westons 
running.


It is about amount of changes needed, fairly small patch vs almost 
complete weston rewrite...


___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-20 Thread Jussi Laako 

On 17.10.2014 20:00, Jason Ekstrand wrote:

On Thu, Oct 16, 2014 at 9:23 AM, Imran Zaman imran.za...@gmail.com
mailto:imran.za...@gmail.com wrote:

This is used for nested compositor architectures.


Could you please provide a little more explanation than that.  What kind
of nesting are you doing?


We have one system compositor using DRM backend and then nested 
compositors for each user using wayland backend.


This is in order to share single GPU with multiple display outputs among 
multiple users.



Also, why are you doing this through environment variables and not
something explicit?  For instance, the compositor can easily grab the
socket and chmod it.  It has the privileges and knows what socket it is.


This is related to the other patch that allows modifying location of the 
server/client socket location. I thought that the access control is best 
being close to the place where socket is created. Otherwise it is hard 
to follow what is going on if the related code is scattered across modules.


___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-20 Thread Daniel Stone 
Hi,

On 20 October 2014 15:19, Jussi Laako jussi.la...@linux.intel.com wrote:

 On 17.10.2014 20:00, Jason Ekstrand wrote:

 Could you please provide a little more explanation than that.  What kind
 of nesting are you doing?


 We have one system compositor using DRM backend and then nested
 compositors for each user using wayland backend.

 This is in order to share single GPU with multiple display outputs among
 multiple users.


Makes sense, although you can already enforce isolation with a single
shared compositor ...


  Also, why are you doing this through environment variables and not
 something explicit?  For instance, the compositor can easily grab the
 socket and chmod it.  It has the privileges and knows what socket it is.


 This is related to the other patch that allows modifying location of the
 server/client socket location. I thought that the access control is best
 being close to the place where socket is created. Otherwise it is hard to
 follow what is going on if the related code is scattered across modules.


Doing it through environment variables is just plain nasty though; I really
don't like this patch. I'd much rather see an explicit call, or users
creating the appropriate fd and then just passing it to the lib.

Cheers,
Daniel
___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-20 Thread Jussi Laako 

On 20.10.2014 17:26, Daniel Stone wrote:

Makes sense, although you can already enforce isolation with a single
shared compositor ...


Only weston can access the DRM compositor socket since it's the only one 
having group privileges for doing it. So each user has their own 
contained environment. DRM compositor is using fullscreen-shell and 
nested ones are using what ever other shell they wish.


We looked into input methods splitting with a shared compositor but it 
was getting a bit too complex. So now each nested compositor will manage 
their own set of input devices.


So we have a functional setup with two displays, two mice, two keyboards 
and a touch screen. With the current approach. Two users have two mouse 
pointers and can type on the keyboard same time and window focus 
management and such works without modifications.



Doing it through environment variables is just plain nasty though; I
really don't like this patch. I'd much rather see an explicit call, or
users creating the appropriate fd and then just passing it to the lib.


OK, then I think it would be better to move the socket creation out from 
libwayland and just pass the socket descriptor to libwayland.


___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-20 Thread Daniel Stone 
Hi,

On 20 October 2014 16:06, Jussi Laako jussi.la...@linux.intel.com wrote:

 On 20.10.2014 17:26, Daniel Stone wrote:

 Makes sense, although you can already enforce isolation with a single
 shared compositor ...


 Only weston can access the DRM compositor socket since it's the only one
 having group privileges for doing it. So each user has their own contained
 environment. DRM compositor is using fullscreen-shell and nested ones are
 using what ever other shell they wish.


weston-launch should be taking care of the privileges for you anyway ...


 We looked into input methods splitting with a shared compositor but it was
 getting a bit too complex. So now each nested compositor will manage their
 own set of input devices.

 So we have a functional setup with two displays, two mice, two keyboards
 and a touch screen. With the current approach. Two users have two mouse
 pointers and can type on the keyboard same time and window focus management
 and such works without modifications.


Each to their own; I don't think it's necessarily any more complex than
split compositors, since at some point you have to deal with input
splitting anyway, and if you want both security (i.e. random users not
opening random devices) and performance (i.e. no unnecessary hops through
input compositor for events), you end up having to deal with input
splitting in your system compositor anyway.

Cheers,
Daniel
___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

Re: [PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-17 Thread Jason Ekstrand 
On Thu, Oct 16, 2014 at 9:23 AM, Imran Zaman imran.za...@gmail.com wrote:

 This is used for nested compositor architectures.


Could you please provide a little more explanation than that.  What kind of
nesting are you doing?

Also, why are you doing this through environment variables and not
something explicit?  For instance, the compositor can easily grab the
socket and chmod it.  It has the privileges and knows what socket it is.

--Jason Ekstrand



 Signed-off-by: Imran Zaman imran.za...@gmail.com
 ---
  src/wayland-server.c | 27 +++
  1 file changed, 27 insertions(+)

 diff --git a/src/wayland-server.c b/src/wayland-server.c
 index 09e8903..721fabe 100644
 --- a/src/wayland-server.c
 +++ b/src/wayland-server.c
 @@ -39,6 +39,8 @@
  #include fcntl.h
  #include sys/file.h
  #include sys/stat.h
 +#include sys/types.h
 +#include grp.h
  #include ffi.h

  #include wayland-private.h
 @@ -1117,6 +1119,10 @@ static int
  _wl_display_add_socket(struct wl_display *display, struct wl_socket *s)
  {
 socklen_t size;
 +   const char *socket_mode_str;
 +   const char *socket_group_str;
 +   const struct group *socket_group;
 +   unsigned socket_mode;

 s-fd = wl_os_socket_cloexec(PF_LOCAL, SOCK_STREAM, 0);
 if (s-fd  0) {
 @@ -1134,6 +1140,27 @@ _wl_display_add_socket(struct wl_display *display,
 struct wl_socket *s)
 return -1;
 }

 +   socket_group_str = getenv(WAYLAND_SERVER_GROUP);
 +   if (socket_group_str != NULL) {
 +   socket_group = getgrnam(socket_group_str);
 +   if (socket_group != NULL) {
 +   if (chown(s-addr.sun_path,
 +   -1, socket_group-gr_gid) != 0)
 +   wl_log(chown(\%s\) failed: %s,
 +   s-addr.sun_path,
 +   strerror(errno));
 +   }
 +   }
 +   socket_mode_str = getenv(WAYLAND_SERVER_MODE);
 +   if (socket_mode_str != NULL) {
 +   if (sscanf(socket_mode_str, %o, socket_mode)  0)
 +   if (chmod(s-addr.sun_path, socket_mode) != 0) {
 +   wl_log(chmod(\%s\) failed: %s,
 +   s-addr.sun_path,
 +   strerror(errno));
 +   }
 +   }
 +
 s-source = wl_event_loop_add_fd(display-loop, s-fd,
  WL_EVENT_READABLE,
  socket_data, display);
 --
 1.9.1

 ___
 wayland-devel mailing list
 wayland-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/wayland-devel

___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel

[PATCH 2/2] Support for adjusting socket access rights to allow group of users to connect to the socket.

2014-10-16 Thread Imran Zaman 
This is used for nested compositor architectures.

Signed-off-by: Imran Zaman imran.za...@gmail.com
---
 src/wayland-server.c | 27 +++
 1 file changed, 27 insertions(+)

diff --git a/src/wayland-server.c b/src/wayland-server.c
index 09e8903..721fabe 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -39,6 +39,8 @@
 #include fcntl.h
 #include sys/file.h
 #include sys/stat.h
+#include sys/types.h
+#include grp.h
 #include ffi.h
 
 #include wayland-private.h
@@ -1117,6 +1119,10 @@ static int
 _wl_display_add_socket(struct wl_display *display, struct wl_socket *s)
 {
socklen_t size;
+   const char *socket_mode_str;
+   const char *socket_group_str;
+   const struct group *socket_group;
+   unsigned socket_mode;
 
s-fd = wl_os_socket_cloexec(PF_LOCAL, SOCK_STREAM, 0);
if (s-fd  0) {
@@ -1134,6 +1140,27 @@ _wl_display_add_socket(struct wl_display *display, 
struct wl_socket *s)
return -1;
}
 
+   socket_group_str = getenv(WAYLAND_SERVER_GROUP);
+   if (socket_group_str != NULL) {
+   socket_group = getgrnam(socket_group_str);
+   if (socket_group != NULL) {
+   if (chown(s-addr.sun_path,
+   -1, socket_group-gr_gid) != 0)
+   wl_log(chown(\%s\) failed: %s,
+   s-addr.sun_path,
+   strerror(errno));
+   }
+   }
+   socket_mode_str = getenv(WAYLAND_SERVER_MODE);
+   if (socket_mode_str != NULL) {
+   if (sscanf(socket_mode_str, %o, socket_mode)  0)
+   if (chmod(s-addr.sun_path, socket_mode) != 0) {
+   wl_log(chmod(\%s\) failed: %s,
+   s-addr.sun_path,
+   strerror(errno));
+   }
+   }
+
s-source = wl_event_loop_add_fd(display-loop, s-fd,
 WL_EVENT_READABLE,
 socket_data, display);
-- 
1.9.1

___
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel