wayland: Drop isTrustedOrigin check

The rationale behind the check was sandboxed apps could have a different mount namespace to kwin, therefore lying about the executable path was doable. Moving forward anything sandboxed will have a security context app Id. Anything not sandboxed can circumvent these checks anyway. This significantly improves application launch time.
2023-11-13 10:38:08 +00:00 · 2023-11-13 10:38:08 +00:00 · 4016406e1e
commit 4016406e1e
parent aec896acc0
1 changed files with 0 additions and 37 deletions
--- a/src/wayland_server.cpp
+++ b/src/wayland_server.cpp
@ -77,7 +77,6 @@
 #include "xdgshellwindow.h"

 // Qt
-#include <QCryptographicHash>
 #include <QDir>
 #include <QFileInfo>

@ -104,31 +103,6 @@ public:
    {
    }

-    static QByteArray sha256(const QString &fileName)
-    {
-        QFile f(fileName);
-        if (f.open(QFile::ReadOnly)) {
-            QCryptographicHash hash(QCryptographicHash::Sha256);
-            if (hash.addData(&f)) {
-                return hash.result();
-            }
-        }
-        return QByteArray();
-    }
-
-    bool isTrustedOrigin(ClientConnection *client) const
-    {
-        const auto fullPathSha = sha256(client->executablePath());
-        const auto localSha = sha256(QLatin1String("/proc/") + QString::number(client->processId()) + QLatin1String("/exe"));
-        const bool trusted = !localSha.isEmpty() && fullPathSha == localSha;
-
-        if (!trusted) {
-            qCWarning(KWIN_CORE) << "Could not trust" << client->executablePath() << "sha" << localSha << fullPathSha;
-        }
-
-        return trusted;
-    }
-
    QStringList fetchRequestedInterfaces(ClientConnection *client) const
    {
        if (!client->securityContextAppId().isEmpty()) {
@ -201,17 +175,6 @@ public:
            }
        }

-        {
-            auto trustedOrigin = client->property("isPrivileged");
-            if (trustedOrigin.isNull()) {
-                trustedOrigin = isTrustedOrigin(client);
-                client->setProperty("isPrivileged", trustedOrigin);
-            }
-
-            if (!trustedOrigin.toBool()) {
-                return false;
-            }
-        }
        qCDebug(KWIN_CORE) << "authorized" << client->executablePath() << interfaceName;
        return true;
    }