From 593b4d550d5569997c65dc1226238da04d4ea61a Mon Sep 17 00:00:00 2001
From: Robert Mader
Date: Mon, 6 Sep 2021 19:33:17 +0200
Subject: [PATCH] Pipewire: Use xdg-portal provided file descriptor The documentation for `OpenPipeWireRemote()` says: > Open a file descriptor to the PipeWire remote where the camera nodes > are available. The file descriptor should be used to create a > pw_core object, by using pw_context_connect_fd. In `InitPipeWire()` we already successfully requested the FD, but then went on and used the unrestricted default socket. This does not matter in non-sandboxed environments, as the stream we want to use is available from both FDs. In flatpak sandboxes, however, this requires to give full Pipewire access to the application. Fix this by simply using the right, restricted FD, and while on it, also make sure to not leak it. This change has already landed in downstream in Firefox, see https://phabricator.services.mozilla.com/D122904 https://phabricator.services.mozilla.com/D124508 Bug: webrtc:13152 Change-Id: I3f8995c54c797e1a90a980f231e496a13cbe65b4 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/230803 Reviewed-by: Joe Downing Commit-Queue: Joe Downing Cr-Commit-Position: refs/heads/main@{#34983}
---
 AUTHORS | 1 +
 modules/desktop_capture/linux/base_capturer_pipewire.cc | 6 +++++-
 modules/desktop_capture/linux/pipewire03.sigs | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/AUTHORS b/AUTHORS
index 645b9f3f2e..2315b65c60 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -88,6 +88,7 @@ Raman Budny
 Ramprakash Jelari
 Riku Voipio
 Robert Bares
+Robert Mader
 Robert Nagy
 Ryan Yoakum
 Sarah Thompson
diff --git a/modules/desktop_capture/linux/base_capturer_pipewire.cc b/modules/desktop_capture/linux/base_capturer_pipewire.cc
index 7212ad383e..8c3977278d 100644
--- a/modules/desktop_capture/linux/base_capturer_pipewire.cc
+++ b/modules/desktop_capture/linux/base_capturer_pipewire.cc
@@ -348,6 +348,10 @@ BaseCapturerPipeWire::~BaseCapturerPipeWire() {
 g_object_unref(proxy_);
 proxy_ = nullptr;
 }
+
+ if (pw_fd_ != -1) {
+ close(pw_fd_);
+ }
 }
 
 void BaseCapturerPipeWire::InitPortal() {
@@ -385,7 +389,7 @@ void BaseCapturerPipeWire::InitPipeWire() {
 return;
 }
 
- pw_core_ = pw_context_connect(pw_context_, nullptr, 0);
+ pw_core_ = pw_context_connect_fd(pw_context_, pw_fd_, nullptr, 0);
 if (!pw_core_) {
 RTC_LOG(LS_ERROR) << "Failed to connect PipeWire context";
 return;
diff --git a/modules/desktop_capture/linux/pipewire03.sigs b/modules/desktop_capture/linux/pipewire03.sigs
index 78d241f40c..44e4100db1 100644
--- a/modules/desktop_capture/linux/pipewire03.sigs
+++ b/modules/desktop_capture/linux/pipewire03.sigs
@@ -44,3 +44,4 @@ pw_loop * pw_thread_loop_get_loop(pw_thread_loop *loop);
 void pw_context_destroy(pw_context *context);
 pw_context *pw_context_new(pw_loop *main_loop, pw_properties *props, size_t user_data_size);
 pw_core * pw_context_connect(pw_context *context, pw_properties *properties, size_t user_data_size);
+pw_core * pw_context_connect_fd(pw_context *context, int fd, pw_properties *properties, size_t user_data_size);
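Review bot: The new `close(pw_fd_)` at the end of the destructor can close a descriptor this class no longer owns, because PipeWire documents that `pw_context_connect_fd()` takes over the fd and closes it on disconnect or error, and the InitPipeWire hunk now hands `pw_fd_` to exactly that call. If the core is torn down earlier in this destructor (that part lies outside the hunk), the number is already closed by then and may have been reused by another thread, so the second close would land on an unrelated file or socket. Either give PipeWire its own copy, `pw_core_ = pw_context_connect_fd(pw_context_, fcntl(pw_fd_, F_DUPFD_CLOEXEC, 0), nullptr, 0);` (needs `<fcntl.h>`), or set `pw_fd_ = -1;` right after the connect call so the destructor skips it. The same ownership question applies on the `!pw_core_` failure path in InitPipeWire.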
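Review bot: Nothing at the `pw_context_connect_fd()` call in InitPipeWire records why the portal descriptor has to be used, so a later cleanup could switch back to `pw_context_connect()` and quietly require unrestricted PipeWire access again. I would add a comment above the call, for example `// Connect through the portal-provided fd; the default socket needs full PipeWire access inside a sandbox.` It is also worth stating next to the `pw_fd_` member who owns the descriptor once it has been passed to PipeWire. InitPipeWire's body starts and ends outside the hunk, so any earlier validity check on `pw_fd_` is not visible here.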