From ba3b85a8fea0151e74de50e841a7f16f9b077a56 Mon Sep 17 00:00:00 2001

From: Benjamin Berg <bberg@redhat.com>

Date: Mon, 27 Jul 2020 22:22:32 +0200

Subject: [PATCH 2/4] gdesktopappinfo: Move launched applications into

 transient scope

Try to move the spawned executable into its own systemd scope. To avoid

possible race conditions and ensure proper accounting, we delay the

execution of the real command until after the DBus call to systemd has

finished.

From the two approaches we can take here, this is better in the sense

that we have a child that the API consumer can watch. API consumers

should not be doing this, however, gnome-session needs to watch children

during session startup. Until gnome-session is fixed, we will not be

able to change this.

The alternative approach is to delegate launching itself to systemd by

creating a transient .service unit instead. This is cleaner and has e.g.

the advantage that systemd will take care of log redirection and similar

issues.

Note that this patch is incomplete. The DBus call is done in a "fire and

forget" manner, which is fine in most cases, but means that "gio open"

will fail to move the child into the new scope as gio quits before the

DBus call finishes.

---

 gio/gdesktopappinfo.c | 264 ++++++++++++++++++++++++++++++++++++------

 1 file changed, 227 insertions(+), 37 deletions(-)

diff --git a/gio/gdesktopappinfo.c b/gio/gdesktopappinfo.c

index 1a4b97918..afdcd42ac 100644

--- a/gio/gdesktopappinfo.c

+++ b/gio/gdesktopappinfo.c

@@ -2730,6 +2730,148 @@ notify_desktop_launch (GDBusConnection  *session_bus,

 #define _SPAWN_FLAGS_DEFAULT (G_SPAWN_SEARCH_PATH)

+#if defined(__linux__) && !defined(__BIONIC__)

+typedef struct {

+  int pipe[2];

+  GSpawnChildSetupFunc user_setup;

+  gpointer             user_setup_data;

+} SpawnWrapperData;

+

+static void

+launch_uris_with_spawn_delay_exec (gpointer user_data)

+{

+  SpawnWrapperData *data = user_data;

+

+  /* Clear CLOEXEC again, as that was set due to

+   * G_SPAWN_LEAVE_DESCRIPTORS_OPEN not being set. */

+  fcntl (data->pipe[0], F_SETFD, 0);

+

+  /* No need to close read side, we have CLOEXEC set. */

+

+  if (data->user_setup)

+    data->user_setup (data->user_setup_data);

+}

+

+static gchar *

+systemd_unit_name_escape (const gchar *in)

+{

+  /* Adapted from systemd source */

+  GString * const str = g_string_sized_new (strlen (in));

+

+  for (; *in; in++)

+    {

+      if (g_ascii_isalnum (*in) || *in == ':' || *in == '_' || *in == '.')

+        g_string_append_c (str, *in);

+      else

+        g_string_append_printf (str, "\\x%02x", *in);

+    }

+  return g_string_free (str, FALSE);

+}

+

+static void

+create_systemd_scope (GDBusConnection    *session_bus,

+                      GDesktopAppInfo    *info,

+                      gint                pid,

+                      GAsyncReadyCallback callback,

+                      gpointer            user_data)

+{

+  GVariantBuilder builder;

+  const char *app_name = g_get_application_name ();

+  char *appid = NULL;

+  char *appid_escaped = NULL;

+  char *snid_escaped = NULL;

+  char *unit_name = NULL;

+

+  /* In this order:

+   *  1. Actual application ID from file

+   *  2. Stripping the .desktop from the desktop ID

+   *  3. Fall back to using the binary name

+   */

+  if (info->app_id)

+    appid = g_strdup (info->app_id);

+  else if (info->desktop_id && g_str_has_suffix (info->desktop_id, ".desktop"))

+    appid = g_strndup (info->desktop_id, strlen (info->desktop_id) - 8);

+  else

+    appid = g_path_get_basename (info->binary);

+

+  appid_escaped = systemd_unit_name_escape (appid);

+

+  /* Generate a name conforming to

+   *   https://systemd.io/DESKTOP_ENVIRONMENTS/

+   * We use the PID to disambiguate, as that should be unique enough.

+   */

+  unit_name = g_strdup_printf ("app-glib-%s-%d.scope", appid_escaped, pid);

+

+  g_variant_builder_init (&builder, G_VARIANT_TYPE ("(ssa(sv)a(sa(sv)))"));

+  g_variant_builder_add (&builder, "s", unit_name);

+  g_variant_builder_add (&builder, "s", "fail");

+

+  g_variant_builder_open (&builder, G_VARIANT_TYPE ("a(sv)"));

+

+  /* Add a generic human readable description, can be changed at will. */

+  if (app_name)

+    g_variant_builder_add (&builder,

+                           "(sv)",

+                           "Description",

+                           g_variant_new_take_string (g_strdup_printf ("Application launched by %s",

+                                                                       app_name)));

+  g_variant_builder_add (&builder,

+                         "(sv)",

+                         "PIDs",

+                          g_variant_new_fixed_array (G_VARIANT_TYPE_UINT32, &pid, 1, 4));

+  /* Default to let systemd garbage collect failed applications we launched. */

+  g_variant_builder_add (&builder,

+                         "(sv)",

+                         "CollectMode",

+                          g_variant_new_string ("inactive-or-failed"));

+

+  g_variant_builder_close (&builder);

+

+  g_variant_builder_open (&builder, G_VARIANT_TYPE ("a(sa(sv))"));

+  g_variant_builder_close (&builder);

+

+  g_dbus_connection_call (session_bus,

+                          "org.freedesktop.systemd1",

+                          "/org/freedesktop/systemd1",

+                          "org.freedesktop.systemd1.Manager",

+                          "StartTransientUnit",

+                          g_variant_builder_end (&builder),

+                          G_VARIANT_TYPE ("(o)"),

+                          G_DBUS_CALL_FLAGS_NO_AUTO_START,

+                          1000,

+                          NULL,

+                          callback,

+                          user_data);

+

+  g_free (appid);

+  g_free (appid_escaped);

+  g_free (snid_escaped);

+  g_free (unit_name);

+}

+

+static void

+systemd_scope_created_cb (GObject      *object,

+                          GAsyncResult *result,

+                          gpointer      user_data)

+{

+  GVariant *res = NULL;

+  GError *error = NULL;

+

+  res = g_dbus_connection_call_finish (G_DBUS_CONNECTION (object), result, &error);

+  if (error != NULL)

+    {

+      g_debug ("Failed to move new child into scope: %s", error->message);

+      g_error_free (error);

+    }

+

+  /* Unblock the waiting wrapper binary. */

+  close (GPOINTER_TO_INT (user_data));

+

+  if (res)

+    g_variant_unref (res);

+}

+#endif

+

 static gboolean

 g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

                                            GDBusConnection            *session_bus,

@@ -2750,13 +2892,14 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

   GList *old_uris;

   GList *dup_uris;

-  char **argv, **envp;

+  GStrv argv = NULL, envp = NULL;

+  GStrv wrapped_argv = NULL;

+  GList *launched_uris = NULL;

+  char *sn_id = NULL;

   int argc;

   g_return_val_if_fail (info != NULL, FALSE);

-  argv = NULL;

-

   if (launch_context)

     envp = g_app_launch_context_get_environment (launch_context);

   else

@@ -2770,27 +2913,19 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

   do

     {

       GPid pid;

-      GList *launched_uris;

       GList *iter;

-      char *sn_id = NULL;

-      char **wrapped_argv;

       int i;

-      gsize j;

-      const gchar * const wrapper_argv[] =

-        {

-          "/bin/sh",

-          "-e",

-          "-u",

-          "-c", "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"",

-          "sh",  /* argv[0] for sh */

-        };

+#if defined(__linux__) && !defined(__BIONIC__)

+      SpawnWrapperData wrapper_data;

+#endif

+      GSpawnChildSetupFunc setup = user_setup;

+      gpointer             setup_data = user_setup_data;

       old_uris = dup_uris;

       if (!expand_application_parameters (info, exec_line, &dup_uris, &argc, &argv, error))

-        goto out;

+        return FALSE;

       /* Get the subset of URIs we're launching with this process */

-      launched_uris = NULL;

       for (iter = old_uris; iter != NULL && iter != dup_uris; iter = iter->next)

         launched_uris = g_list_prepend (launched_uris, iter->data);

       launched_uris = g_list_reverse (launched_uris);

@@ -2799,7 +2934,7 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

         {

           g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,

                                _("Unable to find terminal required for application"));

-          goto out;

+          return FALSE;

         }

       if (info->filename)

@@ -2808,7 +2943,6 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

                                  info->filename,

                                  TRUE);

-      sn_id = NULL;

       if (launch_context)

         {

           GList *launched_files = create_files_for_uris (launched_uris);

@@ -2837,38 +2971,93 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

        * with a wrapper program (grep the GLib git history for

        * `gio-launch-desktop` for an example of this which could be

        * resurrected). */

-      wrapped_argv = g_new (char *, argc + G_N_ELEMENTS (wrapper_argv) + 1);

+      wrapped_argv = g_new (char *, argc + 6 + 1);

+

+      wrapped_argv[0] = g_strdup ("/bin/sh");

+      wrapped_argv[1] = g_strdup ("-e");

+      wrapped_argv[2] = g_strdup ("-u");

+      wrapped_argv[3] = g_strdup ("-c");

+      /* argument 4 is filled in below */

+      wrapped_argv[5] = g_strdup ("sh");

-      for (j = 0; j < G_N_ELEMENTS (wrapper_argv); j++)

-        wrapped_argv[j] = g_strdup (wrapper_argv[j]);

       for (i = 0; i < argc; i++)

-        wrapped_argv[i + G_N_ELEMENTS (wrapper_argv)] = g_steal_pointer (&argv[i]);

+        wrapped_argv[i + 6] = g_steal_pointer (&argv[i]);

+

+      wrapped_argv[i + 6] = NULL;

+      g_clear_pointer (&argv, g_free);

+

+#if defined(__linux__) && !defined(__BIONIC__)

+      /* Create pipes, if we use a setup func, then set cloexec,

+       * otherwise our wrapper script will close both sides. */

+      if (!g_unix_open_pipe (wrapper_data.pipe, 0, NULL))

+        {

+          g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,

+                               _("Unable to create pipe for systemd synchronization"));

+          return FALSE;

+        }

+

+      /* Set CLOEXEC on the write pipe, so we don't need to deal with it in the child. */

+      fcntl (wrapper_data.pipe[1], F_SETFD, FD_CLOEXEC);

-      wrapped_argv[i + G_N_ELEMENTS (wrapper_argv)] = NULL;

-      g_free (argv);

-      argv = NULL;

+      if (!(spawn_flags & G_SPAWN_LEAVE_DESCRIPTORS_OPEN))

+        {

+          /* In this case, we use a setup function (which could probably also

+           * overwrite envp to set GIO_LAUNCHED_DESKTOP_FILE_PID).

+           *

+           * Note that this does not incur an additional cost because

+           * G_SPAWN_LEAVE_DESCRIPTOR_OPEN must be set in order to use

+           * posix_spawn. */

+          wrapper_data.user_setup = setup;

+          wrapper_data.user_setup_data = setup_data;

+

+          setup = launch_uris_with_spawn_delay_exec;

+          setup_data = &wrapper_data;

+        }

+

+      wrapped_argv[4] = g_strdup_printf ("export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; cat <&%1$d; exec \"$@\" %1$d<&-",

+                                         wrapper_data.pipe[0]);

+#else

+      wrapped_argv[4] = g_strdup ("export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"");

+#endif

       if (!g_spawn_async_with_fds (info->path,

                                    wrapped_argv,

                                    envp,

                                    spawn_flags,

-                                   user_setup,

-                                   user_setup_data,

+                                   setup,

+                                   setup_data,

                                    &pid,

                                    stdin_fd,

                                    stdout_fd,

                                    stderr_fd,

                                    error))

         {

+#if defined(__linux__) && !defined(__BIONIC__)

+          close (wrapper_data.pipe[0]);

+          close (wrapper_data.pipe[1]);

+#endif

+

           if (sn_id)

             g_app_launch_context_launch_failed (launch_context, sn_id);

-          g_free (sn_id);

-          g_list_free (launched_uris);

-

           goto out;

         }

+#if defined(__linux__) && !defined(__BIONIC__)

+      /* We close write side asynchronously later on when the dbus call

+       * to systemd finishes. */

+      close (wrapper_data.pipe[0]);

+

+      if (session_bus)

+        create_systemd_scope (session_bus,

+                              info,

+                              pid,

+                              systemd_scope_created_cb,

+                              GINT_TO_POINTER (wrapper_data.pipe[1]));

+      else

+        close (wrapper_data.pipe[1]);

+#endif

+

       if (pid_callback != NULL)

         pid_callback (info, pid, pid_callback_data);

@@ -2893,19 +3082,20 @@ g_desktop_app_info_launch_uris_with_spawn (GDesktopAppInfo            *info,

                              sn_id,

                              launched_uris);

-      g_free (sn_id);

-      g_list_free (launched_uris);

-

-      g_strfreev (wrapped_argv);

-      wrapped_argv = NULL;

+      g_clear_pointer (&sn_id, g_free);

+      g_clear_pointer (&launched_uris, g_list_free);

+      g_clear_pointer (&wrapped_argv, g_strfreev);

     }

   while (dup_uris != NULL);

   completed = TRUE;

- out:

+out:

   g_strfreev (argv);

   g_strfreev (envp);

+  g_clear_pointer (&wrapped_argv, g_strfreev);

+  g_list_free (launched_uris);

+  g_free (sn_id);

   return completed;

 }

-- 

2.31.1