Sensitive Wayland protocols such as wlr_screencopy and wlr_data_control
(clipboard managment) are now blocked by default inside security
contexts (e.g. flatpak 1.15.6 or later).
User configuration of the allowlist/blocklist is TODO.
As discussed with ifreund on irc. This avoids extra allocation in case
of all_outputs and confusion in case of active_outputs (because with the
Output embedded in the Node, i thought its value was copied instead of
its pointer).
Outputs that are part of the layout but currently disabled (e.g. due
to use of wlr-output-power-management) are not correctly handled as
river currently waits for them to present a new locked frame before
sending the locked event.
This new frame never comes however since the output is disabled. Fix
this by maintaining the correct Output.lock_render_state as outputs
are enabled/disabled.
Additionally add missing maybeLock() calls to handle the case that all
outputs in the layout are disabled.
If the client commits a protocol error or otherwise crashes before the
session has been fully locked, we currently try to send the locked event
without checking if the client has been destroyed.
This commit adds the necessary if statement.
Currently we send the locked event after rendering and commit of blank
or lock surfaces buffers on all outputs. However, this is technically
not enough to ensure that the buffers have been presented.
Instead, listen to the wlr_output present event to ensure that no
normal, "unlocked" content is possibly visible.
Currently the session lock client has no 100% safe way to know when it
is safe to suspend after requesting that the session be locked.
For a suspend to be safe the compositor must have either blanked or
rendered a lock surface on all outputs before suspending. This is
because the current framebuffer on suspend appears to be saved and
displayed again after suspend, at least on my Linux system.
If a new "locked" frame for all outputs is not rendered before suspend,
an "unlocked" frame or frames will likely be briefly displayed on resume
before the lock surfaces are rendered or the screen is blanked.
To fix this, wait until a lock surface has been rendered on all outputs,
or if that times out until all outputs have been blanked, before sending
the locked event to the client.
Resolving this race on the compositor side without protocol changes
is the most effective way to avoid this potential information leak,
regardless of which session lock client is used.
