A SPICE agent communicates with the host OS to provide nifty features
like clipboard sharing :^)
This patch implements only plain-text clipboard sharing.
See: github.com/freedesktop/spice-protocol/blob/master/spice/vd_agent.h
Adds new service FileSystemAccessServer which allows programs to
request a file descriptor for any file on the file system.
The user can be prompted to choose the path with a FilePicker, or the
path can be provided by the application which will show a MessageBox
showing the pid and name of the calling process and allows the user to
approve or deny the request.
This also adds the ability to query how many virtual desktops are
set up, and for the Taskbar to be notified when the active virtual
desktop has changed.
This will run all the tests that are children of this service with
deadly UBSAN, ensuring we don't get any UBSAN regressions in on-target
tests anymore. :^)
An Overlay is similar to a transparent window, but has less overhead
and does not get rendered within the window stack. Basically, the area
that an Overlay occupies forces transparency rendering for any window
underneath, which allows us to render them flicker-free.
This also adds a new API that allows displaying the screen numbers,
e.g. while the user configures the screen layout in DisplaySettings
Because other things like drag&drop or the window-size label are not
yet converted to use this new mechanism, they will be drawn over the
screen-number currently.
This allows WindowServer to use multiple framebuffer devices and
compose the desktop with any arbitrary layout. Currently, it is assumed
that it is configured contiguous and non-overlapping, but this should
eventually be enforced.
To make rendering efficient, each window now also tracks on which
screens it needs to be rendered. This way we don't have to iterate all
the windows for each screen but instead use the same rendering loop and
then only render to the screen (or screens) that the window actually
uses.
Adds Sectigo RSA Domain, Extended, and Organization cert subjects
to ca_certs.ini. These are the new names for the old Comodo CA
certs that are already trusted.
Some of these were using 660 permissions which meant that other users
in the "users" group could connect to anon's service processes.
Let's tighten things up by not allowing that. :^)
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/
V1_chap08.html
TMPDIR This variable shall represent a pathname of a directory made
available for programs that need a place to create temporary
files.
Ports like PHP benefit from having this environment variable set, and
there exist a lot of scripts that assume the presence of such an
environment variable.
Since this program is setuid-root, it should be as simple as possible.
To that end, remove `/etc/plsusers` and use filesystem permissions to
achieve the same thing. `/bin/pls` is now only executable by `root` or
members of the `wheel` group.
Also remove all the logic that went to great lengths to `unveil()` a
minimal set of filesystem paths that may be used for the command.
The complexity-to-benefit ratio did not seem justified, and I think
we're better off keeping this simple.
Finally, remove pledge promises the moment they are no longer needed.
Changes to the system font settings are now persisted in /etc.
Note that you still need to restart the system for changes to fully
apply in all programs.
This service daemon will act as an intermediary between the Inspector
program and the inspectable programs it wants to inspect.
Programs can make themselves available for inspection by connecting
to /tmp/portal/inspectables using the Core::EventLoop RPC protocol.
After looking closely at this, I realized that we've been running
all the service processes under separate user accounts even though
there's actually no need to.
Since we already use pledge() and unveil() to limit the scope and
access of these programs, separating them to another UID doesn't
achieve anything meaningful. So let's bring them back to the "anon"
user account and simplify things.
Programs affected:
- ImageDecoder
- RequestServer
- WebContent
- WebSocket
Longer term, I'd like for all of these to get spawned for the current
desktop user somehow, possibly by some kind of session manager, or
perhaps by the Browser program itself. But for now they remain under
SystemServer's control.
I can't say I like starting yet another thing on boot... but now that
LookupServer provides mDNS (and optionaly DNS) services to other hosts,
we have to start it on boot, not when the first local client connects.
We had some inconsistencies before:
- Sometimes "The", sometimes "the"
- Sometimes trailing ".", sometimes no trailing "."
I picked the most common one (lowecase "the", trailing ".") and applied
it to all copyright headers.
By using the exact same string everywhere we can ensure nothing gets
missed during a global search (and replace), and that these
inconsistencies are not spread any further (as copyright headers are
commonly copied to new files).
The current ProtocolServer was really only used for requests, and with
the recent introduction of the WebSocket service, long-lasting
connections with another server are not part of it. To better reflect
this, this commit renames it to RequestServer.
This commit also changes the existing 'protocol' portal to 'request',
the existing 'protocol' user and group to 'request', and most mentions
of the 'download' aspect of the request to 'request' when relevant, to
make everything consistent across the system.
Note that LibProtocol still exists as-is, but the more generic Client
class and the more specific Download class have both been renamed to a
more accurate RequestClient and Request to match the new names.
This commit only change names, not behaviors.
The WebSocket service isolates communication with a WebSocket to its
own isolated process. Similar to other isolating services, it has its
own user and group.
This is useful for CI where we don't want to spend a minute and a half
benchmarking Vector::append, and we don't have a good way to pass
test-specific arguments yet. :)
With this patch the window manager related functionality is split out
onto a new endpoint pair named WindowManagerServer/Client. This allows
window manager functionality to be potentially privilege separated in
the future. To this end, a new client named WMConnectionClient
is used to maintain a window manager connection. When a process
connects to the endpoint and greets the WindowServer as a window manager
(via Window::make_window_manager(int)), they're subscribed to the events
they requested via the WM event mask.
This patch also removes the hardcoding of the Taskbar WindowType to
receive WM events automatically. However, being a window manager still
requires having an active window, at the moment.
