Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

camera: fix permission check in OpenPipeWireRemote #1572

Merged
merged 1 commit into from
Jan 16, 2025
Merged

camera: fix permission check in OpenPipeWireRemote #1572

merged 1 commit into from
Jan 16, 2025

Conversation

mcatanzaro
Copy link
Contributor

6cd99b0 changed the logic that the camera portal uses to look up permissions for the AccessCamera method. Applications first call AccessCamera to ensure they have camera permission and to prompt the user if permission is missing, then they call OpenPipeWireRemote, which fails if permission is missing. The permission lookup logic needs to be the same in both places. Currently when running Snapshot launched by GNOME Shell (rather than launched in a terminal), Snapshot passes AccessCamera's permission check, then fails OpenPipeWireRemote's permission check, causing camera access to be denied without allowing the user to grant permission.

Also, since the same commit the code uses the XdpAppInfo on a secondary thread. I suspect this is unsafe, and the original code avoided doing so; therefore, let's be careful and move this logic to the main thread so that the secondary thread only receives a copy of the app ID, as before.

https://gitlab.gnome.org/GNOME/snapshot/-/issues/267

@mcatanzaro
camera: fix permission check in OpenPipeWireRemote
05b1e4f 
6cd99b0 changed the logic that the
camera portal uses to look up permissions for the AccessCamera method.
Applications first call AccessCamera to ensure they have camera
permission and to prompt the user if permission is missing, then they
call OpenPipeWireRemote, which fails if permission is missing. The
permission lookup logic needs to be the same in both places. Currently
when running Snapshot launched by GNOME Shell (rather than launched in a
terminal), Snapshot passes AccessCamera's permission check, then fails
OpenPipeWireRemote's permission check, causing camera access to be
denied without allowing the user to grant permission.

Also, since the same commit the code uses the XdpAppInfo on a secondary
thread. I suspect this is unsafe, and the original code avoided doing
so; therefore, let's be careful and move this logic to the main thread
so that the secondary thread only receives a copy of the app ID, as
before.

https://gitlab.gnome.org/GNOME/snapshot/-/issues/267
@mcatanzaro mcatanzaro mentioned this pull request Jan 15, 2025
Merged
@mcatanzaro
Copy link
Contributor Author

@grulja mentioned in the Snapshot issue:

I see other portals accessing request->app_info from the secondary thread. I think your patch is correct and don't see any potential problem with it. The only thing that is probably missing is moving REQUEST_AUTOLOCK (request) up before calling query_permission_sync() in handle_access_camera_in_thread_func().

Hi maintainers, do we really need the g_object_set_data()/g_object_get_data()? It has been there since the camera portal was first introduced by @jadahl.

Then I guess the lock is just in the wrong place and should also be fixed. I can do that in this pull request if you prefer.

@grulja
Copy link
Contributor

grulja commented Jan 16, 2025
edited
Loading

@grulja mentioned in the Snapshot issue:

I see other portals accessing request->app_info from the secondary thread. I think your patch is correct and don't see any potential problem with it. The only thing that is probably missing is moving REQUEST_AUTOLOCK (request) up before calling query_permission_sync() in handle_access_camera_in_thread_func().

Hi maintainers, do we really need the g_object_set_data()/g_object_get_data()? It has been there since the camera portal was first introduced by @jadahl.

Then I guess the lock is just in the wrong place and should also be fixed. I can do that in this pull request if you prefer.

I don't know why it has been done like that and I'm certainly not a glib expect so most of the API is a stranger to me, but this

xdg-desktop-portal/src/account.c

Line 103 in 7928c83

ruri = xdp_register_document (image, xdp_app_info_get_id (request->app_info), XDP_DOCUMENT_FLAG_NONE, &error);
looks like a similar case.

Anyway, it looks good to me, with the suggestion to hold the lock around request before calling query_permission_sync().

@mcatanzaro
Copy link
Contributor Author

Discussed with Georges on Matrix:

  • I need to move the locking, like you suggest
  • I will avoid using XdpAppInfo on the secondary thread; we suggest filing a bug report for the case in account.c

@mcatanzaro
Copy link
Contributor Author

I need to move the locking, like you suggest

This broke test-camera, so I'll remove this change.

@mcatanzaro mcatanzaro force-pushed the mcatanzaro/snapshot#267 branch from ec9ccc1 to 05b1e4f Compare January 16, 2025 18:33
@GeorgesStavracas GeorgesStavracas added this pull request to the merge queue Jan 16, 2025
Merged via the queue into flatpak:main with commit 316b950 Jan 16, 2025
10 checks passed
@mcatanzaro mcatanzaro mentioned this pull request Jan 16, 2025
Merged
@GeorgesStavracas GeorgesStavracas added the portal: camera Camera portal label Jan 20, 2025
@GeorgesStavracas GeorgesStavracas added this to the 1.20 milestone Jan 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GeorgesStavracas GeorgesStavracas GeorgesStavracas approved these changes

Assignees
No one assigned
Labels
portal: camera Camera portal
Projects
No open projects
Triage
Status: Triaged
Milestone
1.20
Development

Successfully merging this pull request may close these issues.
3 participants
@mcatanzaro @grulja @GeorgesStavracas