dix: Translate _NET_WM_PID for sandboxed apps
The EMWH protocol states that X11 clients should set the _NET_WM_PID property to contain the process ID of the client owning the window. This definition however predates the ability to have sandboxed applications, where the client itself doesn't know its actual PID in the global PID namespace. As a result, a sandboxed application cannot set its _NET_WM_PID property correctly. To avoid that issue, the Xserver can detect whenever that property is set and change the value to the actual PID determined from the socket with the local client on the fly. Please note that this affects basically any X11 client trying to set the _NET_WM_PID property on its X11 window, not just X11 applications running in a sandbox. This also ensures that a client does not set some other process' PID to abuse the _NET_WM_PID mechanism and force kill another process. Also, if the XRes extension is not enabled (either at build time or at run time), or if the SECURITY extension is enabled, the _NET_WM_PID is left unchanged because that could possibly give the sandboxed clients a way to know their actual global PID. v2: * Recreate atom of server regeneration (Michel Dänzer) * Update PID value from dixChangeWindowProperty (Michel Dänzer) v3: * Init atom in main() at each server regeneration (Peter Hutterer) v4: * Explicitly check for non-local clients instead of relying on GetClientPid() to return a negative value (Michel Dänzer). v5: * Use a CARD32 v6: * Remove spurious empty line (Peter Hutterer) v7: * Do nothing if XRes is disabled or XSECURITY is enabled Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> Closes: xorg/xserver#1022 See-also: https://github.com/containers/bubblewrap/issues/373