Allow exposing select privileged protocols to security contexts
Use case
`wp_security_context_manager_v1` allows creating a new socket for unprivileged clients.
In some situations, I would like to grant one such client access to a single privileged global. E.g.: I want to allow a client to use the screencopy global, but not layer-shell (or vice versa).
Proposed solution
Implement a protocol which exposes a new global: `unveil_manager_v1`. This global has two methods:

- `manage_context`. Takes as argument a `new_id` and creates a new `unveil_context`.
- `destroy`

An `unveil_context` implements the following methods:

- `set_sandbox_engine`. May only be called before `unveil_global`.
- `set_app_id`. May only be called before `unveil_global`.
- `set_instance_id`. May only be called before `unveil_global`.
- `unveil_global`. Takes as argument `global_id: int`: the id of a global object that is to be exposed to the sandboxed client. This is the id of the global object as seen by the client sending this request.
- `destroy`
Once `unveil_global` is called, the compositor shall expose the specified global to sandboxed clients matching the `sandbox_engine`, `app_id` and `instance_id`. This is done by the compositor simply emitting a `wl_registry::global` event for clients under matching security contexts.
This shall be a privileged protocol, since it can grant clients in a security context access to (individual) privileged protocols.
If `set_instance_id` is never called, then all instances matching the `sandbox_engine` and `app_id` will be granted access. It is unclear what the appropriate behaviour would be for never calling `set_app_id`; tentatively, it should be a protocol error.
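To make the matching rules above concrete, here is an added example (not code from this proposal, wayland-protocols or any compositor) that models the compositor side of the proposed `unveil_manager_v1` in plain Python: a `privileged` flag on globals, a `SecurityContext` triple per sandboxed socket, and an `UnveilContext` whose `unveil_global` triggers `wl_registry::global` for matching clients, including ones that connect later. The hypothetical `privileged` flag, the `Unveil` record, the client names and interface names in the demo are all constructed for the example; the model also assumes `set_sandbox_engine` is mandatory (the proposal only settles `set_app_id`), that `unveil_global` may be called more than once on a context, and that global ids share one name space across clients.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ProtocolError(Exception):
    """Stands in for a wl_display::error sent to the offending client."""


@dataclass(frozen=True)
class SecurityContext:
    sandbox_engine: str   # the triple attached to a wp_security_context_v1 socket
    app_id: str
    instance_id: str


@dataclass
class Global:
    name: int            # the "name" carried by wl_registry::global
    interface: str
    version: int
    privileged: bool     # hypothetical flag: hidden from sandboxed clients unless unveiled


@dataclass
class Client:
    cid: int
    context: Optional[SecurityContext] = None                    # None: not sandboxed
    advertised: Dict[int, Global] = field(default_factory=dict)  # globals this client has seen
    events: List[Tuple[int, str, int]] = field(default_factory=list)  # wl_registry::global received


@dataclass(frozen=True)
class Unveil:
    sandbox_engine: str
    app_id: str
    instance_id: Optional[str]   # None: every instance of the app (set_instance_id never called)
    global_name: int

    def matches(self, ctx: SecurityContext) -> bool:
        return (self.sandbox_engine == ctx.sandbox_engine and self.app_id == ctx.app_id
                and (self.instance_id is None or self.instance_id == ctx.instance_id))


class Compositor:
    def __init__(self) -> None:
        self.globals: Dict[int, Global] = {}
        self.clients: List[Client] = []
        self.unveils: List[Unveil] = []
        self._next_name = 1

    def add_global(self, interface: str, version: int, privileged: bool = False) -> Global:
        g = Global(self._next_name, interface, version, privileged)
        self._next_name += 1
        self.globals[g.name] = g
        for c in self.clients:
            self._advertise(c)
        return g

    def connect(self, client: Client) -> None:
        self.clients.append(client)
        self._advertise(client)   # initial registry burst

    def visible(self, client: Client, g: Global) -> bool:
        if not g.privileged or client.context is None:
            return True
        return any(u.global_name == g.name and u.matches(client.context) for u in self.unveils)

    def _advertise(self, client: Client) -> None:
        # Emit wl_registry::global for every visible global not yet announced to this client.
        for g in self.globals.values():
            if g.name not in client.advertised and self.visible(client, g):
                client.advertised[g.name] = g
                client.events.append((g.name, g.interface, g.version))

    def add_unveil(self, u: Unveil) -> None:
        self.unveils.append(u)
        for c in self.clients:   # already-connected matching clients get the event now
            if c.context is not None and u.matches(c.context):
                self._advertise(c)


class UnveilContext:
    """Server-side object created by unveil_manager_v1.manage_context."""

    def __init__(self, compositor: Compositor, client: Client) -> None:
        if client.context is not None:   # belt and braces: the manager is a privileged global
            raise ProtocolError("unveil_manager_v1 is not available to sandboxed clients")
        self.compositor, self.client = compositor, client
        self._engine: Optional[str] = None
        self._app_id: Optional[str] = None
        self._instance_id: Optional[str] = None
        self._sealed = False   # set once unveil_global has been called

    def _set(self, attr: str, value: str) -> None:
        if self._sealed:
            raise ProtocolError(f"set{attr} may only be called before unveil_global")
        setattr(self, attr, value)

    def set_sandbox_engine(self, engine: str) -> None:
        self._set("_engine", engine)

    def set_app_id(self, app_id: str) -> None:
        self._set("_app_id", app_id)

    def set_instance_id(self, instance_id: str) -> None:
        self._set("_instance_id", instance_id)

    def unveil_global(self, global_id: int) -> None:
        if self._engine is None or self._app_id is None:   # assumption: both are mandatory
            raise ProtocolError("set_sandbox_engine and set_app_id must precede unveil_global")
        g = self.client.advertised.get(global_id)   # id as seen by the requesting client
        if g is None:
            raise ProtocolError(f"global {global_id} is not visible to this client")
        self._sealed = True
        self.compositor.add_unveil(Unveil(self._engine, self._app_id, self._instance_id, g.name))


def interfaces_seen(client: Client) -> List[str]:
    return sorted(iface for _, iface, _ in client.events)


def demo() -> Dict[str, List[str]]:
    comp = Compositor()
    comp.add_global("wl_shm", 1)
    comp.add_global("unveil_manager_v1", 1, privileged=True)
    screencopy = comp.add_global("zwlr_screencopy_manager_v1", 3, privileged=True)
    comp.add_global("zwlr_layer_shell_v1", 4, privileged=True)
    # Constructed clients: one native launcher and three sandboxed ones.
    launcher = Client(1)
    rec_a = Client(2, SecurityContext("org.flatpak", "com.example.Recorder", "a1"))
    rec_b = Client(3, SecurityContext("org.flatpak", "com.example.Recorder", "b2"))
    other = Client(4, SecurityContext("org.flatpak", "com.example.Other", "c3"))
    for c in (launcher, rec_a, rec_b, other):
        comp.connect(c)
    ctx = UnveilContext(comp, launcher)
    ctx.set_sandbox_engine("org.flatpak")
    ctx.set_app_id("com.example.Recorder")   # no set_instance_id: every Recorder instance
    ctx.unveil_global(screencopy.name)
    late = Client(5, SecurityContext("org.flatpak", "com.example.Recorder", "z9"))
    comp.connect(late)   # gets the unveiled global in its initial burst
    return {"launcher": interfaces_seen(launcher), "rec_a": interfaces_seen(rec_a),
            "rec_b": interfaces_seen(rec_b), "other": interfaces_seen(other),
            "late": interfaces_seen(late)}


def raises(thunk) -> bool:
    try:
        thunk()
    except ProtocolError:
        return True
    return False


def error_cases() -> Dict[str, bool]:
    comp = Compositor()
    g = comp.add_global("zwlr_screencopy_manager_v1", 3, privileged=True)
    launcher = Client(1)
    comp.connect(launcher)
    ctx = UnveilContext(comp, launcher)
    ctx.set_sandbox_engine("org.flatpak")
    missing_app_id = raises(lambda: ctx.unveil_global(g.name))
    ctx = UnveilContext(comp, launcher)
    ctx.set_sandbox_engine("org.flatpak")
    ctx.set_app_id("com.example.Recorder")
    unknown_global = raises(lambda: ctx.unveil_global(999))
    ctx.unveil_global(g.name)
    set_after_unveil = raises(lambda: ctx.set_instance_id("a1"))
    return {"missing_app_id": missing_app_id, "unknown_global": unknown_global,
            "set_after_unveil": set_after_unveil}


if __name__ == "__main__":
    print(demo())
    print(error_cases())
```

The point of running it is to see the two things the proposal relies on: both `Recorder` instances (and one that connects after the unveil) receive `zwlr_screencopy_manager_v1` but never `zwlr_layer_shell_v1`, while `com.example.Other` sees only `wl_shm`; and the three misuse cases (no `set_app_id`, a global id the requester cannot see, a setter after `unveil_global`) are rejected as protocol errors.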