general: Add child launcher that can detect their windows
Allowing code inside mutter to create a child process and delegate some of its tasks to it is very useful. This can be done easily with the g_subprocess and g_subprocess_launcher classes already available in GLib and GObject.
Unfortunately, although the child process can be a graphical program, it is currently not possible for the inner code to identify the windows created by the child in a secure manner (that is, being able to ensure that a malicious program won't be able to trick the inner code into thinking it is a child process launched by it).
Under X11 this is not a problem, because any program has full control over its windows, but under Wayland it is a different story: a program can neither force its window to be kept at the top (like a dock program does) or at the bottom (like a program for desktop icons does), nor hide it from the list of windows. This means that a "classic", non-privileged program cannot fulfill these tasks; they can only be done from code inside mutter (like a gnome-shell extension).
Also, having to create an extension for any privileged graphical element is a showstopper for a lot of programmers who already know GTK+ but don't know Clutter.
This patch offers a solution to this problem: a new class that allows launching a child process from inside mutter and checking whether a window belongs to that process. Thanks to this, extensions can launch a child process and, when that process creates a window, confirm in a secure way that the window really belongs to the process they launched, so they can give that window "superpowers" like being kept at the bottom of the desktop, not being listed in the list of windows or shown in the Activities panel...
A few examples of its usefulness: with it, it is possible to write programs that implement:
- desktop icons
- a dock
- a top or bottom bar ...
all in a secure manner, preventing insecure programs from doing the same. In fact, even if the same code is launched manually, it won't have those privileges; only the specific process launched from inside mutter will.
Since this is only needed under Wayland, the detection only works under it. To simplify the code in extensions, the new class can be used to launch a child process under both Wayland and X11, but an exception will be generated if the code tries to check a window under X11. It will only return TRUE or FALSE under Wayland.
The main reason to create this patch is to be able to run a desktop icons program under Wayland in a secure manner.
It is divided into two commits: the first one implements only launching a child process and detecting if a window belongs to it, and the second one adds support for opening several bidirectional sockets for communicating with the child process, passing the ID to it through the command line or using environment variables, as preferred by the programmer.
It is complemented by !733
An example of an extension that would benefit from this is Desktop-Icons-ng (currently it uses a tricky way to detect the window in a secure way).
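The socket hand-over described for the second commit, as an added example that is not mutter's code or API: the launcher creates a socket pair, the child inherits one end and learns its descriptor number from an environment variable, and a copy started without that hand-over has no channel to answer on. The variable name `CHILD_SOCKET_FD` and both function names are hypothetical, and the child is modelled with `fork()` alone where a real launcher would exec the program.

```c
/* Added illustration, not mutter code; CHILD_SOCKET_FD and all names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Child side: locate the inherited socket through the environment. */
static void child_main(void)
{
    const char msg[] = "hello-from-child";
    const char *id = getenv("CHILD_SOCKET_FD");
    if (id == NULL) _exit(2);           /* started without a channel */
    _exit(write(atoi(id), msg, sizeof msg) == (ssize_t)sizeof msg ? 0 : 3);
}

/* Launcher side. Returns 0 and fills buf only if the child answered on the
 * socket created here; hand_over == 0 models a manually started copy. */
int launch_and_receive(int hand_over, char *buf, size_t len)
{
    int sv[2], status;
    char id[16];
    if (len < 2 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);                   /* child never holds the launcher's end */
        snprintf(id, sizeof id, "%d", sv[1]);
        if (hand_over) setenv("CHILD_SOCKET_FD", id, 1);
        else { unsetenv("CHILD_SOCKET_FD"); close(sv[1]); }
        child_main();                   /* a real launcher would exec() here */
    }
    close(sv[1]);                       /* launcher keeps only its own end */
    ssize_t n = read(sv[0], buf, len - 1);
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (launch_and_receive(1, buf, sizeof buf) != 0 || strcmp(buf, "hello-from-child") != 0)
        return 1;
    return launch_and_receive(0, buf, sizeof buf) == -1 ? 0 : 1;
}
```

Because both ends of the pair are created by the launcher and never published under a name, data arriving on its end can only come from the process it started or from one that process handed the descriptor to.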