mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-30 04:43:24 -04:00
1. For security context creation, only rely on WAYLAND_DISPLAY; do not use WAYLAND_SOCKET, since the file descriptor defined by WAYLAND_SOCKET can only be consumed once.
2. Due to the incompatibility between WAYLAND_SOCKET and the security context, add a new permission --socket=inherit-wayland-socket to limit the usage of WAYLAND_SOCKET to an opt-in feature. Only when this flag is set will WAYLAND_SOCKET be passed to the sandbox.
3. When WAYLAND_SOCKET is not inherited, set FD_CLOEXEC to avoid it being leaked to the sandbox.

Closes: #5614
94 KiB
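Points 2 and 3 of the commit message, sketched as an added example that is not flatpak's own code: the function name `prepare_wayland_socket` and its parameters are hypothetical, and the caller is assumed to pass `getenv("WAYLAND_SOCKET")` together with whether `--socket=inherit-wayland-socket` was granted.

```c
/* Added example, not flatpak's implementation. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse the WAYLAND_SOCKET value as an fd number; -1 if unset or malformed. */
static int parse_fd(const char *value)
{
    char *end = NULL;
    long v;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    v = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    return (int) v;
}

/*
 * Hypothetical helper. Returns the fd that will survive exec() into the
 * sandbox, or -1 when nothing is passed (unset, malformed, not open, or
 * not opted in).
 */
int prepare_wayland_socket(const char *env_value, bool inherit)
{
    int fd = parse_fd(env_value);
    int flags;

    if (fd < 0)
        return -1;
    flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;              /* the variable names an fd that is not open */
    if (!inherit) {
        /* Default: close-on-exec, so the sandboxed process never sees it. */
        (void) fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
        return -1;
    }
    /* Opt-in: clear close-on-exec so the fd is inherited across exec(). */
    if (fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0)
        return -1;
    return fd;
}
```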