From e9c772e265b2293af031c79f4bbc99b5847dfe3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tor=20Hedin=20Br=C3=B8nner?= <torhedinbronner@gmail.com>
Date: Sat, 19 Oct 2019 13:26:05 +0200
Subject: [PATCH] drop inheritable
Adapted from https://gitlab.gnome.org/GNOME/mutter/commit/c53c47ae123b03cc66044d2b846342123ecb3a01
We only want to drop inheritable though, to prevent the ambient set leaking further than gnome-shell.
---
config.h.meson | 3 +++
meson.build | 5 +++++
meson_options.txt | 6 ++++++
src/core/main.c | 11 +++++++++++
src/meson.build | 1 +
5 files changed, 26 insertions(+)
diff --git a/config.h.meson b/config.h.meson
index 0bab71848..202fb7ed1 100644
--- a/config.h.meson
+++ b/config.h.meson
@@ -58,6 +58,9 @@
/* Xwayland applications allowed to issue keyboard grabs */
#mesondefine XWAYLAND_GRAB_DEFAULT_ACCESS_RULES
+/* Defined if libcap-ng is available */
+#mesondefine HAVE_LIBCAPNG
+
/* XKB base prefix */
#mesondefine XKB_BASE
diff --git a/meson.build b/meson.build
index 3322bd3b1..01c8020fa 100644
--- a/meson.build
+++ b/meson.build
@@ -35,6 +35,7 @@ libstartup_notification_req = '>= 0.7'
libcanberra_req = '>= 0.26'
libwacom_req = '>= 0.13'
atk_req = '>= 2.5.3'
+libcapng_req = '>= 0.7.9'
# optional version requirements
udev_req = '>= 228'
@@ -131,6 +131,7 @@ ice_dep = dependency('ice')
atk_dep = dependency('atk', version: atk_req)
libcanberra_dep = dependency('libcanberra', version: libcanberra_req)
dbus_dep = dependency('dbus-1')
+libcapng_dep = dependency('libcap-ng', required: get_option('libcapng'))
# For now always require X11 support
have_x11 = true
@@ -256,6 +258,7 @@ have_core_tests = false
have_cogl_tests = false
have_clutter_tests = false
have_installed_tests = false
+have_libcapng = libcapng_dep.found()
if have_tests
have_core_tests = get_option('core_tests')
@@ -361,6 +364,7 @@ cdata.set('HAVE_LIBWACOM', have_libwacom)
cdata.set('HAVE_SM', have_sm)
cdata.set('HAVE_STARTUP_NOTIFICATION', have_startup_notification)
cdata.set('HAVE_INTROSPECTION', have_introspection)
+cdata.set('HAVE_LIBCAPNG', have_libcapng)
cdata.set('HAVE_PROFILER', have_profiler)
xkb_base = xkeyboard_config_dep.get_pkgconfig_variable('xkb_base')
@@ -465,6 +465,7 @@ output = [
' Introspection............ ' + have_introspection.to_string(),
' Profiler................. ' + have_profiler.to_string(),
' Xwayland initfd.......... ' + have_xwayland_initfd.to_string(),
+ ' libcap-ng................ ' + have_libcapng.to_string(),
'',
' Tests:',
'',
diff --git a/meson_options.txt b/meson_options.txt
index 73aa7adde..8bfaacd9a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -152,3 +152,9 @@ option('xwayland_grab_default_access_rules',
value: 'gnome-boxes,remote-viewer,virt-viewer,virt-manager,vinagre,vncviewer,Xephyr',
description: 'Comma delimited list of applications ressources or class allowed to issue X11 grabs in Xwayland'
)
+
+option('libcapng',
+ type: 'feature',
+ value: 'auto',
+ description: 'Enable libcap-ng support'
+)
diff --git a/src/core/main.c b/src/core/main.c
index 7f4f666d2..b27968f13 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -66,6 +66,10 @@
#include <girepository.h>
#endif
+#ifdef HAVE_LIBCAPNG
+#include <cap-ng.h>
+#endif
+
#if defined(HAVE_NATIVE_BACKEND) && defined(HAVE_WAYLAND)
#include <systemd/sd-login.h>
#endif /* HAVE_WAYLAND && HAVE_NATIVE_BACKEND */
@@ -670,5 +674,12 @@ int
meta_run (void)
{
meta_start ();
+
+#ifdef HAVE_LIBCAPNG
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_NICE);
+ capng_apply(CAPNG_SELECT_BOTH);
+#endif
+
meta_run_main_loop ();
meta_finalize ();
diff --git a/src/meson.build b/src/meson.build
index 90d80734f..a9fffa2c2 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -18,6 +18,7 @@ mutter_pkg_deps = [
glib_dep,
gsettings_desktop_schemas_dep,
gtk3_dep,
+ libcapng_dep,
pango_dep,
]
--
2.23.0
