From patchwork Tue May 14 10:56:48 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <lautrbach@redhat.com>
X-Patchwork-Id: 13663999
X-Patchwork-Delegate: plautrba@redhat.com
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FB2812FB12
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715684227; cv=none;
 b=bAVgm7qIaAj/50faqJd2hRlfWPzcwlG5VItGpZQao/+tX2y0DaQP1Y98/i+ZP4V5xbMQl8ytnbOJvBOmejTVNuBeNuKY89WsXiin66qg6Gp467R/PeNOYI3WepaEoL183MNJvz3WynfPuMyfKcpc4/PVliM5BrduO5wMyGFJxIg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715684227; c=relaxed/simple;
	bh=UmRQHMOBh1ao+uinKZLhCjz+tzj3jl8KP62Fv9Hysto=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-type;
 b=gaZm447WcU+4oGAQg9/5KeCZ4TWpOTQ7fX0V+dqpYena4Ya8ywmc6BVJAM8jwyWI2vvxc2nTvOrhGOoyETjtmipwfihf1sb7M8h5V3YnYU61KieWJ03Z1dFTRj6v/XYTkdVkAw5OczHPiurr8vFcVUl8dfN5L2A2riQjyU1htd4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=WgZn8vey; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="WgZn8vey"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715684224;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=wm/kLhpgUcErf1kQOIGmSSf/GJq4n3CfD9g1B7+4oNE=;
	b=WgZn8veyTV5Lzb+M7utpSgnz2/OOUKG6X94A8TFdFeldrReDdHfhRBR9OHqt35wbaig+pS
	15OrEGp0COSl6dt0593+7Sbfj4lndcE3eFaUgR055R8UYqizdE3GjI0q93Ji/9Vf1YzybW
	gTKXvq2etfXzk7iQuFpyRD1Sr92N8SY=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-357-0CIxMo3gP0CXFQ9tgjBmgQ-1; Tue,
 14 May 2024 06:57:03 -0400
X-MC-Unique: 0CIxMo3gP0CXFQ9tgjBmgQ-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D70CA1C00049
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:02 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.45.224.74])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 8831C40C6EB7;
	Tue, 14 May 2024 10:57:01 +0000 (UTC)
From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <lautrbach@redhat.com>
Subject: [PATCH 1/4] sandbox: do not fail without xmodmap
Date: Tue, 14 May 2024 12:56:48 +0200
Message-ID: <20240514105651.225925-1-lautrbach@redhat.com>
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id: <selinux.vger.kernel.org>
List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-type: text/plain
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 sandbox/sandbox | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sandbox/sandbox b/sandbox/sandbox
index fe631a92cecd..c2ae4de69128 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -479,7 +479,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 
                     xmodmapfile = self.__homedir + "/.xmodmap"
                     xd = open(xmodmapfile, "w")
-                    subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
+                    try:
+                        subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
+                    except:
+                        pass
                     xd.close()
 
                     self.__setup_sandboxrc(self.__options.wm)

From patchwork Tue May 14 10:56:49 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <lautrbach@redhat.com>
X-Patchwork-Id: 13664001
X-Patchwork-Delegate: plautrba@redhat.com
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1501B12FB36
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715684238; cv=none;
 b=RSC58XzMYq95CS7ukq4wDkf2Aulsbh4TZOS5Md9hxYw1ED1P9EMwgTeNLVzEpOtSRBFgeJvm+ZHb3/Nvt570aRw8Z+Ot2ZOQNF3u2RAfF/p2sW28inHxTNdVAX8/X0b9L8VrxeXCpz671gZqsr+60B8ApRrBxZEH7VVEstTvPd4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715684238; c=relaxed/simple;
	bh=GES66brHB9LzP/L8k03xqKHZ6Uh70dcSMl0XK4azpHw=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-type;
 b=Rv2HQpjf3RqXEhZcgPlQeHs5qVkex9DjOAI0pbpZwJgfOem9Xfw23daEqggXjg9sg0r2n1CtirV4u24NdwECpseiAoDitCYtC0ZNEA1fCnQulvLGC1Svbs+wnr3v0ETT4h7e9UYkeuuHfjEuazMXddKkZ2s4cOabv/KObsN1XdA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=iKYaNFGb; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="iKYaNFGb"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715684235;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=p1E5OX98QIipxMgARRnovryNEY536IeF8a1yeU8kkt4=;
	b=iKYaNFGbD7IamRXunW0TfZKjMGJ1+MKY9wbcKDV5yydRHAfvW1EDlGqgzM6AntWX6+WWNO
	IQFT3k60JhJURyudLLgqqLdeoLbn4tGn4ljjSAo0xUi/fgpcNlVRPp4OuSm834RHo+/Ulr
	RJ/d1gpCfoDf/yQ54nYnrMCISbTdBb4=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-593-LgQb8ewMN1WMQ2hwOjHK4Q-1; Tue, 14 May 2024 06:57:04 -0400
X-MC-Unique: LgQb8ewMN1WMQ2hwOjHK4Q-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D020A8030B5
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:03 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.45.224.74])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 1C57740C6CB7;
	Tue, 14 May 2024 10:57:02 +0000 (UTC)
From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <lautrbach@redhat.com>
Subject: [PATCH 2/4] sandbox: do not run window manager if it's not a session
Date: Tue, 14 May 2024 12:56:49 +0200
Message-ID: <20240514105651.225925-2-lautrbach@redhat.com>
In-Reply-To: <20240514105651.225925-1-lautrbach@redhat.com>
References: <20240514105651.225925-1-lautrbach@redhat.com>
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id: <selinux.vger.kernel.org>
List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-type: text/plain
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
 sandbox/sandbox | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/sandbox/sandbox b/sandbox/sandbox
index c2ae4de69128..1e96f93e4a92 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -285,15 +285,12 @@ class Sandbox:
             fd.write("""#! /bin/sh
 #TITLE: %s
 # /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
-%s &
-WM_PID=$!
 if which dbus-run-session >/dev/null 2>&1; then
     dbus-run-session -- %s
 else
     dbus-launch --exit-with-session %s
 fi
-kill -TERM $WM_PID  2> /dev/null
-""" % (command, wm, command, command))
+""" % (command, command, command))
         fd.close()
         os.chmod(execfile, 0o700)
 

From patchwork Tue May 14 10:56:50 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <lautrbach@redhat.com>
X-Patchwork-Id: 13664007
X-Patchwork-Delegate: plautrba@redhat.com
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1AD0613959F
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 11:03:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715684600; cv=none;
 b=uqPJtvOD2GawYuPek+lzisGTB6I4zoFWiraeQiHkOni8PyGllEExCeBS+418EnCVyW3O0moRzBohWmuCm4l5XmUzDPVwZFuiQaViJVl9AwRnbk9YOTuSkMEgIxQmtnE8OyaywfqeHwjYhQ6zbMhOzSrE88eRQjMYYg/w4P76nTE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715684600; c=relaxed/simple;
	bh=cKvom9PAbwssC6eKGnRX6gbC18N5Ex6U555kRAm+RhU=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-type;
 b=E6yH62pBP1HmPSC/TFeS03pW/FbAItj/bM6medLCkHAcSAclX4wYFfZC3ooTkweb5PfEH5Jl1t6z6y/fmiOHitpIvNYxbzsWwtG4TlcI/q86DeFwkDwjq1nn9uKWG2gi5+YgsUCmaLAa0x9s9hFCjE1LklQ/KTJdZnE0BUUDXfg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=RFdfF7ft; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="RFdfF7ft"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715684598;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=W2qtFTgZ0VmP9wCf3VY3PC9llPmqGSnvOMuGGLQQpDM=;
	b=RFdfF7ftm9olozSiZVTfkiqOdN0QYnifg8mbFbD5bZqgGV/6Bn9ojZpLtFM2/O2vtEBXry
	YTuLShH6osEW7aXlI50fCJ/FX4o3UdJX19Zutq73H9SGjsP7lx3njhYFxxW/dH09fjovsj
	5QgbwsyBwPWf0FDkIUeOxVtGRPg1zSM=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-500-cKNY86-lPeW3qLve6yFyow-1; Tue, 14 May 2024 06:57:05 -0400
X-MC-Unique: cKNY86-lPeW3qLve6yFyow-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C8CA61848630
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:04 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.45.224.74])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 14DA740C6EB7;
	Tue, 14 May 2024 10:57:03 +0000 (UTC)
From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <lautrbach@redhat.com>
Subject: [PATCH 3/4] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ]
 options
Date: Tue, 14 May 2024 12:56:50 +0200
Message-ID: <20240514105651.225925-3-lautrbach@redhat.com>
In-Reply-To: <20240514105651.225925-1-lautrbach@redhat.com>
References: <20240514105651.225925-1-lautrbach@redhat.com>
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id: <selinux.vger.kernel.org>
List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-type: text/plain
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2

Mount /run/user/UID/<waylandsocket> or /run/user/UID/<pipewiresocket>
inside unshared /run/user/UID directory

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
 sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 113 insertions(+), 7 deletions(-)

diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 1d38ea92b9ae..106f625fcba5 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -52,7 +52,8 @@
 
 #define BUF_SIZE 1024
 #define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \
+[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ")
 
 static int verbose = 0;
 static int child = 0;
@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
 		is_tmp = 1;
 	}
 
+	if (strncmp("/run/user", dst, 9) == 0) {
+		flags = flags | MS_REC;
+	}
+
 	/* mount directory */
 	if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
 		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
 
 }
 
+/**
+ * Mount directory and check that we mounted the right directory.
+ */
+static int seunshare_mount_file(const char *src, const char *dst)
+{
+	int flags = 0;
+
+	if (verbose)
+		printf(_("Mounting %s on %s\n"), src, dst);
+
+	if (access(dst, F_OK) == -1) {
+		 FILE *fptr;
+         fptr = fopen(dst, "w");
+		 fclose(fptr);
+	}
+	/* mount file */
+	if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+		return -1;
+	}
+
+	return 0;
+
+}
+
 /*
    If path is empty or ends with  "/." or "/.. return -1 else return 0;
  */
@@ -616,6 +646,8 @@ killall (const char *execcon)
 int main(int argc, char **argv) {
 	int status = -1;
 	const char *execcon = NULL;
+	const char *pipewire_socket = NULL;
+	const char *wayland_display = NULL;
 
 	int clflag;		/* holds codes for command line flags */
 	int kill_all = 0;
@@ -641,6 +673,8 @@ int main(int argc, char **argv) {
 		{"verbose", 1, 0, 'v'},
 		{"context", 1, 0, 'Z'},
 		{"capabilities", 1, 0, 'C'},
+		{"wayland", 1, 0, 'W'},
+		{"pipewire", 1, 0, 'P'},
 		{NULL, 0, 0, 0}
 	};
 
@@ -670,7 +704,7 @@ int main(int argc, char **argv) {
 	}
 
 	while (1) {
-		clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
+		clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL);
 		if (clflag == -1)
 			break;
 
@@ -693,6 +727,12 @@ int main(int argc, char **argv) {
 		case 'C':
 			cap_set = CAPNG_SELECT_CAPS;
 			break;
+		case 'P':
+			pipewire_socket = optarg;
+			break;
+		case 'W':
+			wayland_display = optarg;
+			break;
 		case 'Z':
 			execcon = optarg;
 			break;
@@ -767,8 +807,14 @@ int main(int argc, char **argv) {
 		char *display = NULL;
 		char *LANG = NULL;
 		char *RUNTIME_DIR = NULL;
+		char *XDG_SESSION_TYPE = NULL;
 		int rc = -1;
 		char *resolved_path = NULL;
+		char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */
+		char *wayland_path = NULL; /* /run/user/UID/wayland-0 */
+		char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */
+		char *pipewire_path = NULL; /* /run/user/UID/pipewire-0 */
+
 
 		if (unshare(CLONE_NEWNS) < 0) {
 			perror(_("Failed to unshare"));
@@ -805,6 +851,42 @@ int main(int argc, char **argv) {
 			}
 		}
 
+		if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
+			if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) {
+				perror(_("Out of memory"));
+				goto childerr;
+			}
+		}
+
+		if (runuserdir_s && (wayland_display || pipewire_socket)) {
+			if (wayland_display) {
+				if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
+
+				if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
+
+				if (seunshare_mount_file(wayland_path, wayland_path_s) == -1)
+					goto childerr;
+			}
+
+			if (pipewire_socket) {
+				if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
+				if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
+				seunshare_mount_file(pipewire_path, pipewire_path_s);
+			}
+		}
+
 		/* mount homedir, runuserdir and tmpdir, in this order */
 		if (runuserdir_s &&	seunshare_mount(runuserdir_s, RUNTIME_DIR,
 			&st_runuserdir_s) != 0) goto childerr;
@@ -816,10 +898,21 @@ int main(int argc, char **argv) {
 		if (drop_privs(uid) != 0) goto childerr;
 
 		/* construct a new environment */
-		if ((display = getenv("DISPLAY")) != NULL) {
-			if ((display = strdup(display)) == NULL) {
-				perror(_("Out of memory"));
-				goto childerr;
+
+		if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) {
+			if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) {
+				if ((wayland_display = strdup(wayland_display)) == NULL) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
+			}
+		}
+		else {
+			if ((display = getenv("DISPLAY")) != NULL) {
+				if ((display = strdup(display)) == NULL) {
+					perror(_("Out of memory"));
+					goto childerr;
+				}
 			}
 		}
 
@@ -835,8 +928,16 @@ int main(int argc, char **argv) {
 			perror(_("Failed to clear environment"));
 			goto childerr;
 		}
-		if (display)
+		if (display) {
 			rc |= setenv("DISPLAY", display, 1);
+		}
+		if (wayland_display) {
+			rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1);
+		}
+
+		if (XDG_SESSION_TYPE)
+			rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1);
+
 		if (LANG)
 			rc |= setenv("LANG", LANG, 1);
 		if (RUNTIME_DIR)
@@ -874,9 +975,14 @@ int main(int argc, char **argv) {
 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
 childerr:
 		free(resolved_path);
+		free(wayland_path);
+		free(wayland_path_s);
+		free(pipewire_path);
+		free(pipewire_path_s);
 		free(display);
 		free(LANG);
 		free(RUNTIME_DIR);
+		free(XDG_SESSION_TYPE);
 		exit(-1);
 	}
 

From patchwork Tue May 14 10:56:51 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <lautrbach@redhat.com>
X-Patchwork-Id: 13664000
X-Patchwork-Delegate: plautrba@redhat.com
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3F17712FB29
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:13 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715684235; cv=none;
 b=fgB8dn+nAb6BcT2LBidJ+pdiTrcI1OEdP+ah5SPeSxtj5v+/ikPS7NKnwe8BrYXx8MdXP4UCuZaBJaP+L5Sk9rjgBVfjyybE1W3ysHk9zktL5tsXZxOvdb01LVKQautCh1db2bTtfpPbk/N/DBL7U+0zf2NiQ9W6dBQM5rQFL0M=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715684235; c=relaxed/simple;
	bh=OVpiDMfeyMrlakZA6VVjk+/XgyTeWmpLJSoSCmHsDu0=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-type;
 b=WdbHkQvcpIKVC96rH/PfOsvUbjPbEeJXfljYcn9sriWLrlaQJNAq8IYJLxM20pX+/VoDmh1/KrOQB/Y0dh7Z+lpWmIY7Yiy5waNcg+sJT/Sljwajo+4iV31jXz7IxWWj3BSsmk493kCbEvFELy/eCVAFUmZzaxNB8RJWIotRXQY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=D2GoCVno; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="D2GoCVno"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715684232;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=UC+DMerd/iiwRYb8sKbGuXSAAWFrYrK4qHrFiMnqFho=;
	b=D2GoCVnoqmDYIPzZwyCLefOGjvhqndoJB6/yFjxmv0XDI44Ns9fMGr7HuXN8HlX+5dWGMR
	jtQC7qlh44/iEWfGI8OIwtFKxaAO4+5rYGRHErZrGgo8ay1Y7ARJoWbhyL2xRYJ35WeMTp
	vHOz1koQE3ur1lRMcgyY79bQuioqL3c=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-558--DwCm6FVPsqtVcJb2F1h9g-1; Tue, 14 May 2024 06:57:06 -0400
X-MC-Unique: -DwCm6FVPsqtVcJb2F1h9g-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C1B0E8029EC
	for <selinux@vger.kernel.org>; Tue, 14 May 2024 10:57:05 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.45.224.74])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 0E6BF40C6CB6;
	Tue, 14 May 2024 10:57:04 +0000 (UTC)
From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <lautrbach@redhat.com>
Subject: [PATCH 4/4] sandbox: Add support for Wayland
Date: Tue, 14 May 2024 12:56:51 +0200
Message-ID: <20240514105651.225925-4-lautrbach@redhat.com>
In-Reply-To: <20240514105651.225925-1-lautrbach@redhat.com>
References: <20240514105651.225925-1-lautrbach@redhat.com>
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id: <selinux.vger.kernel.org>
List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-type: text/plain
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2

- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run run Wayland application

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
 sandbox/sandbox     | 26 ++++++++++++++++++++++++--
 sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/sandbox/sandbox b/sandbox/sandbox
index 1e96f93e4a92..e3fd6119ed4d 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                           action="callback", callback=self.__x_callback,
                           default=False, help=_("run X application within a sandbox"))
 
+        parser.add_option("-Y", dest="Y_ind",
+                          action="callback", callback=self.__x_callback,
+                          default=False, help=_("run Wayland application within a sandbox"))
+
         parser.add_option("-H", "--homedir",
                           action="callback", callback=self.__validdir,
                           type="string",
@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
         selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
         selinux.setfscreatecon(None)
 
+    def __is_wayland_app(self):
+        binary = shutil.which(self.__paths[0])
+        if binary is None:
+            return True
+        output = subprocess.run(['ldd', binary], capture_output=True)
+        for line in str(output.stdout, "utf-8").split('\n'):
+            if line.find("libwayland") != -1:
+                return True
+        return False
+
     def __execute(self):
         try:
             cmds = [SEUNSHARE, "-Z", self.__execcon]
@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
             if self.__mount:
                 cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
 
-                if self.__options.X_ind:
+                if self.__options.X_ind or self.__options.Y_ind:
                     if self.__options.dpi:
                         dpi = self.__options.dpi
                     else:
@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                         from gi.repository import Gtk
                         dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
 
+                    if os.environ.get('WAYLAND_DISPLAY') is not None:
+                        cmds += ["-W", os.environ["WAYLAND_DISPLAY"]]
+
                     xmodmapfile = self.__homedir + "/.xmodmap"
                     xd = open(xmodmapfile, "w")
                     try:
@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 
                     self.__setup_sandboxrc(self.__options.wm)
 
-                    cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi]
+                    if self.__options.Y_ind or self.__is_wayland_app():
+                        WN = "yes"
+                    else:
+                        WN = "no"
+
+                    cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi]
                 else:
                     cmds += ["--"] + self.__paths
                 return subprocess.Popen(cmds).wait()
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..28169182ce42 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -2,8 +2,9 @@
 trap "" TERM
 context=`id -Z | secon -t -l -P`
 export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
-[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
-[ -z $2 ] && export DPI="96" || export DPI="$2"
+[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1"
+[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2"
+[ -z $3 ] && export DPI="96" || export DPI="$3"
 trap "exit 0" HUP
 
 mkdir -p ~/.config/openbox
@@ -20,16 +21,27 @@ cat > ~/.config/openbox/rc.xml << EOF
 </openbox_config>
 EOF
 
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
-    export DISPLAY=:$D
-    cat > ~/seremote << __EOF
-#!/bin/sh
-DISPLAY=$DISPLAY "\$@"
+if [ "$WAYLAND_NATIVE" == "no" ]; then
+    if [ -z "$WAYLAND_DISPLAY" ]; then
+        DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
+    else
+        DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null'
+    fi
+    eval $DISPLAY_COMMAND | while read D; do
+        export DISPLAY=:$D
+        cat > ~/seremote << __EOF
+#!/bin/bash -x
+export DISPLAY=$DISPLAY
+export WAYLAND_DISPLAY=$WAYLAND_DISPLAY
+"\$@"
 __EOF
-    chmod +x ~/seremote
+        chmod +x ~/seremote
+        /usr/share/sandbox/start $HOME/.sandboxrc
+        export EXITCODE=$?
+        kill -TERM 0
+        break
+    done
+else
     /usr/share/sandbox/start $HOME/.sandboxrc
-    export EXITCODE=$?
-    kill -TERM 0
-    break
-done
+fi
 exit 0