Require an explicit unlock call in SessionLock

The entire reason unlock_and_destroy is distinct from destroy is to avoid accidental unlock operations. The current SCTK implementation carefully undoes this work by unlocking on drop, even if that drop is due to a panic or careless drop of the lock object. Add an explicit unlock call so that screen lockers can indicate when they intend to unlock (generally after some kind of authentication has happened).
Smithay · Mar 1, 2024 · ace6907 · ace6907
1 parent f3587a9
commit ace6907
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/examples/session_lock.rs b/examples/session_lock.rs
@@ -86,8 +86,8 @@ impl SessionLockHandler for AppData {
         // After 5 seconds, destroy lock
         self.loop_handle
             .insert_source(Timer::from_duration(Duration::from_secs(5)), |_, _, app_data| {
-                // Destroy the session lock
-                app_data.session_lock.take();
+                // Unlock the lock
+                app_data.session_lock.take().unwrap().unlock();
                 // Sync connection to make sure compostor receives destroy
                 app_data.conn.roundtrip().unwrap();
                 // Then we can exit

diff --git a/src/session_lock/mod.rs b/src/session_lock/mod.rs
@@ -89,19 +89,18 @@ pub struct SessionLockInner {
 
 impl Drop for SessionLockInner {
     fn drop(&mut self) {
-        if self.locked.load(Ordering::SeqCst) {
-            self.session_lock.unlock_and_destroy();
-        } else {
-            self.session_lock.destroy();
-        }
+        // This does nothing if unlock() was called.  It may trigger a protocol error if unlock was
+        // not called; this is an application bug, and choosing not to unlock here results in us
+        // failing secure.
+        self.session_lock.destroy();
     }
 }
 
 /// A session lock
 ///
-/// The lock is destroyed on drop, which must be done after `locked` or `finished`
-/// is received.
-#[must_use]
+/// Once a lock is created, you must wait for either a `locked` or `finished` event before
+/// destroying this object.  If you get a `locked` event, you must explicitly call `unlock` prior
+/// to dropping this object.
 #[derive(Debug, Clone)]
 pub struct SessionLock(Arc<SessionLockInner>);
 
@@ -113,6 +112,12 @@ impl SessionLock {
     pub fn is_locked(&self) -> bool {
         self.0.locked.load(Ordering::SeqCst)
     }
+
+    pub fn unlock(&self) {
+        if self.0.locked.load(Ordering::SeqCst) {
+            self.0.session_lock.unlock_and_destroy();
+        }
+    }
 }
 
 #[derive(Debug)]