See libseccomp.
It shouldn't be too hard to wrap this in ctypes or Cython.
After we have started the server, created its log file, the vfb and all the clients, there is no need for having permission to create any more (as long as we can still send signals to clients). (The only exception might be the setxkbmap call we still make to set up the keyboard for new clients; the client code has already had this replaced with native xkb calls in r6931. Alternatively, we can look at xkbcommon: #371)
Client side, the same caveat applies: we currently have a setxkbmap fallback, which we could probably get rid of.
Found that there are already some nice Cython bindings in libseccomp: python/seccomp.pyx - they're just not packaged anywhere, but since the license is LGPL, we can just copy it into our source tree for now.
Hurdles for implementation:
Maybe the proxy instance process is a good candidate, as it does nothing but forward data between already opened connections. (except for the nvenc / opencl case...)
And we now have the ability to start new commands on the fly, etc.
Too much of a moving target.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/622