From eb26ea5e1bb0c6fc978aae5db99ed3427b34175b Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Fri, 1 Apr 2022 19:40:31 +0200

Subject: [PATCH 01/12] shell/global: Expose shim context property

Parts of the following commits rely on the ShellGlobal:context

property that was added in GNOME 41 to expose the MetaContext

(likewise a GNOME 41 addition).

To prepare for that, expose a small shim object as context

property that mimicks the expected upstream API.

---

 src/shell-global.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++

 1 file changed, 92 insertions(+)

diff --git a/src/shell-global.c b/src/shell-global.c

index 24e771f52..805c73145 100644

--- a/src/shell-global.c

+++ b/src/shell-global.c

@@ -47,6 +47,9 @@

 static ShellGlobal *the_object = NULL;

+#define SHIM_TYPE_META_CONTEXT shim_meta_context_get_type ()

+G_DECLARE_FINAL_TYPE (ShimMetaContext, shim_meta_context, SHIM, META_CONTEXT, GObject)

+

 struct _ShellGlobal {

   GObject parent;

@@ -54,6 +57,7 @@ struct _ShellGlobal {

   MetaBackend *backend;

   MetaDisplay *meta_display;

+  ShimMetaContext *meta_context;

   MetaWorkspaceManager *workspace_manager;

   Display *xdisplay;

@@ -92,6 +96,7 @@ enum {

   PROP_SESSION_MODE,

   PROP_BACKEND,

+  PROP_CONTEXT,

   PROP_DISPLAY,

   PROP_WORKSPACE_MANAGER,

   PROP_SCREEN_WIDTH,

@@ -235,6 +240,9 @@ shell_global_get_property(GObject         *object,

     case PROP_BACKEND:

       g_value_set_object (value, global->backend);

       break;

+    case PROP_CONTEXT:

+      g_value_set_object (value, global->meta_context);

+      break;

     case PROP_DISPLAY:

       g_value_set_object (value, global->meta_display);

       break;

@@ -514,6 +522,13 @@ shell_global_class_init (ShellGlobalClass *klass)

                                                         "MetaBackend object",

                                                         META_TYPE_BACKEND,

                                                         G_PARAM_READABLE | G_PARAM_STATIC_STRINGS));

+  g_object_class_install_property (gobject_class,

+                                   PROP_CONTEXT,

+                                   g_param_spec_object ("context",

+                                                        "Context",

+                                                        "MetaContext object",

+                                                        G_TYPE_OBJECT,

+                                                        G_PARAM_READABLE | G_PARAM_STATIC_STRINGS));

   g_object_class_install_property (gobject_class,

                                    PROP_DISPLAY,

                                    g_param_spec_object ("display",

@@ -996,6 +1011,7 @@ _shell_global_set_plugin (ShellGlobal *global,

   display = meta_plugin_get_display (plugin);

   global->meta_display = display;

+  global->meta_context = g_object_new (SHIM_TYPE_META_CONTEXT, NULL);

   global->workspace_manager = meta_display_get_workspace_manager (display);

   global->stage = CLUTTER_STAGE (meta_get_stage_for_display (display));

@@ -1888,3 +1904,79 @@ _shell_global_locate_pointer (ShellGlobal *global)

 {

   g_signal_emit (global, shell_global_signals[LOCATE_POINTER], 0);

 }

+

+enum {

+  SHIM_PROP_0,

+

+  SHIM_PROP_UNSAFE_MODE,

+

+  N_SHIM_PROPS

+};

+

+static GParamSpec *shim_obj_props [N_SHIM_PROPS];

+

+struct _ShimMetaContext

+{

+  GObject parent_instance;

+};

+

+G_DEFINE_TYPE (ShimMetaContext, shim_meta_context, G_TYPE_OBJECT);

+

+static void

+shim_meta_context_get_property (GObject    *object,

+                                guint       prop_id,

+                                GValue     *value,

+                                GParamSpec *pspec)

+{

+  switch (prop_id)

+    {

+    case SHIM_PROP_UNSAFE_MODE:

+      {

+        gboolean unsafe_mode;

+

+        g_object_get (meta_get_backend (), "unsafe-mode", &unsafe_mode, NULL);

+        g_value_set_boolean (value, unsafe_mode);

+      }

+      break;

+    default:

+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);

+    }

+}

+

+static void

+shim_meta_context_set_property (GObject      *object,

+                                guint         prop_id,

+                                const GValue *value,

+                                GParamSpec   *pspec)

+{

+  switch (prop_id)

+    {

+    case SHIM_PROP_UNSAFE_MODE:

+      g_object_set_property (G_OBJECT (meta_get_backend ()), "unsafe-mode", value);

+      break;

+    default:

+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);

+    }

+}

+

+static void

+shim_meta_context_class_init (ShimMetaContextClass *klass)

+{

+  GObjectClass *object_class = G_OBJECT_CLASS (klass);

+

+  object_class->get_property = shim_meta_context_get_property;

+  object_class->set_property = shim_meta_context_set_property;

+

+  shim_obj_props[SHIM_PROP_UNSAFE_MODE] =

+    g_param_spec_boolean ("unsafe-mode",

+                          "unsafe mode",

+                          "Unsafe mode",

+                          FALSE,

+                          G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);

+  g_object_class_install_properties (object_class, N_SHIM_PROPS, shim_obj_props);

+}

+

+static void

+shim_meta_context_init (ShimMetaContext *self)

+{

+}

-- 

2.35.1

From 20fcc7bc78a3c227304e89deddc57266e560175c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Thu, 2 Sep 2021 17:15:36 +0200

Subject: [PATCH 02/12] panel: Show warning indicator when unsafe-mode is on

MetaContext added an unsafe-mode property, which we will use to restrict

a number of privileged operations unless it is enabled. It is meant to

only be enabled temporarily for development/debugging purposes, so add

a scary icon to the top bar as a reminder to turn it off again.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/ui/panel.js | 16 ++++++++++++++++

 1 file changed, 16 insertions(+)

diff --git a/js/ui/panel.js b/js/ui/panel.js

index 380480744..c57c3ba8e 100644

--- a/js/ui/panel.js

+++ b/js/ui/panel.js

@@ -641,6 +641,20 @@ class PanelCorner extends St.DrawingArea {

     }

 });

+const UnsafeModeIndicator = GObject.registerClass(

+class UnsafeModeIndicator extends PanelMenu.SystemIndicator {

+    _init() {

+        super._init();

+

+        this._indicator = this._addIndicator();

+        this._indicator.icon_name = 'channel-insecure-symbolic';

+

+        global.context.bind_property('unsafe-mode',

+            this._indicator, 'visible',

+            GObject.BindingFlags.SYNC_CREATE);

+    }

+});

+

 var AggregateLayout = GObject.registerClass(

 class AggregateLayout extends Clutter.BoxLayout {

     _init(params = {}) {

@@ -702,6 +716,7 @@ class AggregateMenu extends PanelMenu.Button {

         this._location = new imports.ui.status.location.Indicator();

         this._nightLight = new imports.ui.status.nightLight.Indicator();

         this._thunderbolt = new imports.ui.status.thunderbolt.Indicator();

+        this._unsafeMode = new UnsafeModeIndicator();

         this._indicators.add_child(this._remoteAccess);

         this._indicators.add_child(this._thunderbolt);

@@ -713,6 +728,7 @@ class AggregateMenu extends PanelMenu.Button {

             this._indicators.add_child(this._bluetooth);

         this._indicators.add_child(this._rfkill);

         this._indicators.add_child(this._volume);

+        this._indicators.add_child(this._unsafeMode);

         this._indicators.add_child(this._power);

         this._indicators.add_child(this._powerProfiles);

-- 

2.35.1

From 158eeebc1d3a243e75de550cf5711e38a9f77f7f Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Thu, 17 Jun 2021 01:50:50 +0200

Subject: [PATCH 03/12] shellDBus: Use MetaContext:unsafe-mode to restrict

 Eval()

The Eval() method is unarguably the most sensitive D-Bus method

we expose, since it allows running arbitrary code in the compositor.

It is currently tied to the `development-tools` settings that is

enabled by default. As users have become accustomed to the built-in

commands that are enabled by the same setting (restart, lg, ...),

that default cannot easily be changed.

In order to restrict the method without affecting the rather harmless

commands, guard it by the new MetaContext:unsafe-mode property instead

of the setting.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/ui/shellDBus.js | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/js/ui/shellDBus.js b/js/ui/shellDBus.js

index 734ca4fc7..5a6edec74 100644

--- a/js/ui/shellDBus.js

+++ b/js/ui/shellDBus.js

@@ -54,7 +54,7 @@ var GnomeShell = class {

      *

      */

     Eval(code) {

-        if (!global.settings.get_boolean('development-tools'))

+        if (!global.context.unsafe_mode)

             return [false, ''];

         let returnValue;

-- 

2.35.1

From 0882e04a11fe8db7abf05a5d7c786664dc54ad4f Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Thu, 2 Sep 2021 16:23:38 +0200

Subject: [PATCH 04/12] introspect: Make invocation check error-based

If we throw an error when the invocation isn't allowed instead of

returning false, we can simply return that error instead of duplicating

the error handling.

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/misc/introspect.js | 26 ++++++++++++++------------

 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/js/misc/introspect.js b/js/misc/introspect.js

index e46a7e8c5..318955be2 100644

--- a/js/misc/introspect.js

+++ b/js/misc/introspect.js

@@ -134,21 +134,23 @@ var IntrospectService = class {

                 type == Meta.WindowType.UTILITY;

     }

-    _isInvocationAllowed(invocation) {

+    _checkInvocation(invocation) {

         if (this._isIntrospectEnabled())

-            return true;

+            return;

         if (this._isSenderAllowed(invocation.get_sender()))

-            return true;

+            return;

-        return false;

+        throw new GLib.Error(Gio.DBusError,

+            Gio.DBusError.ACCESS_DENIED,

+            'App introspection not allowed');

     }

     GetRunningApplicationsAsync(params, invocation) {

-        if (!this._isInvocationAllowed(invocation)) {

-            invocation.return_error_literal(Gio.DBusError,

-                                            Gio.DBusError.ACCESS_DENIED,

-                                            'App introspection not allowed');

+        try {

+            this._checkInvocation(invocation);

+        } catch (e) {

+            invocation.return_gerror(e);

             return;

         }

@@ -160,10 +162,10 @@ var IntrospectService = class {

         let apps = this._appSystem.get_running();

         let windowsList = {};

-        if (!this._isInvocationAllowed(invocation)) {

-            invocation.return_error_literal(Gio.DBusError,

-                                            Gio.DBusError.ACCESS_DENIED,

-                                            'App introspection not allowed');

+        try {

+            this._checkInvocation(invocation);

+        } catch (e) {

+            invocation.return_gerror(e);

             return;

         }

-- 

2.35.1

From 33c3c3846f62cc4737f0029455f9dcd838876bca Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Wed, 1 Sep 2021 21:18:42 +0200

Subject: [PATCH 05/12] introspect: Use MetaContext:unsafe-mode instead of

 setting

The property was added precisely for this purpose, except that its

name isn't tied to the introspect API.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/misc/introspect.js | 12 +-----------

 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/js/misc/introspect.js b/js/misc/introspect.js

index 318955be2..967e7b830 100644

--- a/js/misc/introspect.js

+++ b/js/misc/introspect.js

@@ -1,8 +1,6 @@

 /* exported IntrospectService */

 const { Gio, GLib, Meta, Shell, St } = imports.gi;

-const INTROSPECT_SCHEMA = 'org.gnome.shell';

-const INTROSPECT_KEY = 'introspect';

 const APP_ALLOWLIST = ['org.freedesktop.impl.portal.desktop.gtk'];

 const INTROSPECT_DBUS_API_VERSION = 3;

@@ -33,10 +31,6 @@ var IntrospectService = class {

                                     this._syncRunningApplications();

                                 });

-        this._introspectSettings = new Gio.Settings({

-            schema_id: INTROSPECT_SCHEMA,

-        });

-

         let tracker = Shell.WindowTracker.get_default();

         tracker.connect('notify::focus-app',

                         () => {

@@ -70,10 +64,6 @@ var IntrospectService = class {

         return app.get_windows().some(w => w.transient_for == null);

     }

-    _isIntrospectEnabled() {

-        return this._introspectSettings.get_boolean(INTROSPECT_KEY);

-    }

-

     _isSenderAllowed(sender) {

         return [...this._allowlistMap.values()].includes(sender);

     }

@@ -135,7 +125,7 @@ var IntrospectService = class {

     }

     _checkInvocation(invocation) {

-        if (this._isIntrospectEnabled())

+        if (global.context.unsafe_mode)

             return;

         if (this._isSenderAllowed(invocation.get_sender()))

-- 

2.35.1

From 4238128ba403da2cc788b0b249ee34acbea5d743 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Wed, 1 Sep 2021 21:25:26 +0200

Subject: [PATCH 06/12] data: Remove now unused "introspect" setting

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 data/org.gnome.shell.gschema.xml.in | 8 --------

 1 file changed, 8 deletions(-)

diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in

index d5ea1e35f..6f1c424ba 100644

--- a/data/org.gnome.shell.gschema.xml.in

+++ b/data/org.gnome.shell.gschema.xml.in

@@ -104,14 +104,6 @@

         number can be used to effectively disable the dialog.

       </description>

     </key>

-    <key name="introspect" type="b">

-      <default>false</default>

-      <summary>Enable introspection API</summary>

-      <description>

-        Enables a D-Bus API that allows to introspect the application state of

-        the shell.

-      </description>

-    </key>

     <key name="app-picker-layout" type="aa{sv}">

       <default>

         [{

-- 

2.35.1

From f6af47b55fa2a52c7cdfecf1bb7e83d7f435a6bd Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Wed, 16 Jun 2021 19:09:42 +0200

Subject: [PATCH 07/12] introspect: Split out DBusSenderChecker

Restricting callers to a list of allowed senders is useful for

other D-Bus services as well, so split out the existing code

into a reusable class.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/misc/introspect.js | 30 ++++-------------------

 js/misc/util.js       | 56 ++++++++++++++++++++++++++++++++++++++++++-

 2 files changed, 59 insertions(+), 27 deletions(-)

diff --git a/js/misc/introspect.js b/js/misc/introspect.js

index 967e7b830..e9d9260c0 100644

--- a/js/misc/introspect.js

+++ b/js/misc/introspect.js

@@ -6,6 +6,7 @@ const APP_ALLOWLIST = ['org.freedesktop.impl.portal.desktop.gtk'];

 const INTROSPECT_DBUS_API_VERSION = 3;

 const { loadInterfaceXML } = imports.misc.fileUtils;

+const { DBusSenderChecker } = imports.misc.util;

 const IntrospectDBusIface = loadInterfaceXML('org.gnome.Shell.Introspect');

@@ -40,14 +41,7 @@ var IntrospectService = class {

         this._syncRunningApplications();

-        this._allowlistMap = new Map();

-        APP_ALLOWLIST.forEach(appName => {

-            Gio.DBus.watch_name(Gio.BusType.SESSION,

-                appName,

-                Gio.BusNameWatcherFlags.NONE,

-                (conn, name, owner) => this._allowlistMap.set(name, owner),

-                (conn, name) => this._allowlistMap.delete(name));

-        });

+        this._senderChecker = new DBusSenderChecker(APP_ALLOWLIST);

         this._settings = St.Settings.get();

         this._settings.connect('notify::enable-animations',

@@ -64,10 +58,6 @@ var IntrospectService = class {

         return app.get_windows().some(w => w.transient_for == null);

     }

-    _isSenderAllowed(sender) {

-        return [...this._allowlistMap.values()].includes(sender);

-    }

-

     _getSandboxedAppId(app) {

         let ids = app.get_windows().map(w => w.get_sandboxed_app_id());

         return ids.find(id => id != null);

@@ -124,21 +114,9 @@ var IntrospectService = class {

                 type == Meta.WindowType.UTILITY;

     }

-    _checkInvocation(invocation) {

-        if (global.context.unsafe_mode)

-            return;

-

-        if (this._isSenderAllowed(invocation.get_sender()))

-            return;

-

-        throw new GLib.Error(Gio.DBusError,

-            Gio.DBusError.ACCESS_DENIED,

-            'App introspection not allowed');

-    }

-

     GetRunningApplicationsAsync(params, invocation) {

         try {

-            this._checkInvocation(invocation);

+            this._senderChecker.checkInvocation(invocation);

         } catch (e) {

             invocation.return_gerror(e);

             return;

@@ -153,7 +131,7 @@ var IntrospectService = class {

         let windowsList = {};

         try {

-            this._checkInvocation(invocation);

+            this._senderChecker.checkInvocation(invocation);

         } catch (e) {

             invocation.return_gerror(e);

             return;

diff --git a/js/misc/util.js b/js/misc/util.js

index 802398d18..e6c183fbf 100644

--- a/js/misc/util.js

+++ b/js/misc/util.js

@@ -2,7 +2,7 @@

 /* exported findUrls, spawn, spawnCommandLine, spawnApp, trySpawnCommandLine,

             formatTime, formatTimeSpan, createTimeLabel, insertSorted,

             ensureActorVisibleInScrollView, wiggle, lerp, GNOMEversionCompare,

-            Highlighter */

+            DBusSenderChecker, Highlighter */

 const { Clutter, Gio, GLib, Shell, St, GnomeDesktop } = imports.gi;

 const Gettext = imports.gettext;

@@ -479,6 +479,60 @@ function GNOMEversionCompare(version1, version2) {

     return 0;

 }

+var DBusSenderChecker = class {

+    /**

+     * @param {string[]} allowList - list of allowed well-known names

+     */

+    constructor(allowList) {

+        this._allowlistMap = new Map();

+

+        this._watchList = allowList.map(name => {

+            return Gio.DBus.watch_name(Gio.BusType.SESSION,

+                name,

+                Gio.BusNameWatcherFlags.NONE,

+                (conn_, name_, owner) => this._allowlistMap.set(name, owner),

+                () => this._allowlistMap.delete(name));

+        });

+    }

+

+    /**

+     * @param {string} sender - the bus name that invoked the checked method

+     * @returns {bool}

+     */

+    _isSenderAllowed(sender) {

+        return [...this._allowlistMap.values()].includes(sender);

+    }

+

+    /**

+     * Check whether the bus name that invoked @invocation maps

+     * to an entry in the allow list.

+     *

+     * @throws

+     * @param {Gio.DBusMethodInvocation} invocation - the invocation

+     * @returns {void}

+     */

+    checkInvocation(invocation) {

+        if (global.context.unsafe_mode)

+            return;

+

+        if (this._isSenderAllowed(invocation.get_sender()))

+            return;

+

+        throw new GLib.Error(Gio.DBusError,

+            Gio.DBusError.ACCESS_DENIED,

+            '%s is not allowed'.format(invocation.get_method_name()));

+    }

+

+    /**

+     * @returns {void}

+     */

+    destroy() {

+        for (const id in this._watchList)

+            Gio.DBus.unwatch_name(id);

+        this._watchList = [];

+    }

+};

+

 /* @class Highlighter Highlight given terms in text using markup. */

 var Highlighter = class {

     /**

-- 

2.35.1

From c6679a876a3c73c2c691333a5b987e27965231f3 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Thu, 17 Jun 2021 15:29:42 +0200

Subject: [PATCH 08/12] shellDBus: Implement all methods asynchronously

In order to restrict callers, we will need access to the invocation,

not just the unpacked method parameters.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/ui/shellDBus.js | 31 ++++++++++++++++++++++++++++---

 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/js/ui/shellDBus.js b/js/ui/shellDBus.js

index 5a6edec74..aa5b4dc3c 100644

--- a/js/ui/shellDBus.js

+++ b/js/ui/shellDBus.js

@@ -72,11 +72,26 @@ var GnomeShell = class {

         return [success, returnValue];

     }

-    FocusSearch() {

+    /**

+     * Focus the overview's search entry

+     *

+     * @param {...any} params - method parameters

+     * @param {Gio.DBusMethodInvocation} invocation - the invocation

+     * @returns {void}

+     */

+    FocusSearchAsync(params, invocation) {

         Main.overview.focusSearch();

+        invocation.return_value(null);

     }

-    ShowOSD(params) {

+    /**

+     * Show OSD with the specified parameters

+     *

+     * @param {...any} params - method parameters

+     * @param {Gio.DBusMethodInvocation} invocation - the invocation

+     * @returns {void}

+     */

+    ShowOSDAsync([params], invocation) {

         for (let param in params)

             params[param] = params[param].deep_unpack();

@@ -97,6 +112,7 @@ var GnomeShell = class {

             icon = Gio.Icon.new_for_string(serializedIcon);

         Main.osdWindowManager.show(monitorIndex, icon, label, level, maxLevel);

+        invocation.return_value(null);

     }

     /**

@@ -118,10 +134,19 @@ var GnomeShell = class {

         }

         Main.overview.selectApp(id);

+        invocation.return_value(null);

     }

-    ShowApplications() {

+    /**

+     * Show the overview's app grid

+     *

+     * @param {...any} params - method parameters

+     * @param {Gio.DBusMethodInvocation} invocation - the invocation

+     * @returns {void}

+     */

+    ShowApplicationsAsync(params, invocation) {

         Main.overview.show(ControlsState.APP_GRID);

+        invocation.return_value(null);

     }

     GrabAcceleratorAsync(params, invocation) {

-- 

2.35.1

From 3ad733997eecb069be543f1a4452d7a7916a0962 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>

Date: Thu, 17 Jun 2021 15:29:42 +0200

Subject: [PATCH 09/12] shellDBus: Restrict callers

The org.gnome.Shell interface provides a private API to other core

components to implement desktop functionalities like Settings or

global keybindings. It is not meant as a public API, so limit it

to a set of expected callers.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3943

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1970>

---

 js/ui/shellDBus.js | 76 ++++++++++++++++++++++++++++++++++++++++++++++

 1 file changed, 76 insertions(+)

diff --git a/js/ui/shellDBus.js b/js/ui/shellDBus.js

index aa5b4dc3c..c511314f9 100644

--- a/js/ui/shellDBus.js

+++ b/js/ui/shellDBus.js

@@ -10,6 +10,7 @@ const Main = imports.ui.main;

 const Screenshot = imports.ui.screenshot;

 const { loadInterfaceXML } = imports.misc.fileUtils;

+const { DBusSenderChecker } = imports.misc.util;

 const { ControlsState } = imports.ui.overviewControls;

 const GnomeShellIface = loadInterfaceXML('org.gnome.Shell');

@@ -20,6 +21,11 @@ var GnomeShell = class {

         this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(GnomeShellIface, this);

         this._dbusImpl.export(Gio.DBus.session, '/org/gnome/Shell');

+        this._senderChecker = new DBusSenderChecker([

+            'org.gnome.ControlCenter',

+            'org.gnome.SettingsDaemon.MediaKeys',

+        ]);

+

         this._extensionsService = new GnomeShellExtensions();