xwayland: Restrict allow commit to the window manager

Xwayland offers a way for the window and compositing manager to hold the
surface commits through an X11 property _XWAYLAND_ALLOW_COMMITS.

Xwayland, however, does not actually check if the X11 client changing
the value of that property is indeed the X11 window manager, so any X11
client can potentially interfere with the Wayland surface mechanism.

Restrict access to the _XWAYLAND_ALLOW_COMMITS property to read-only,
except for the X11 window manager and the Xserver itself.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>

hw/xwayland/xwayland-screen.c

@@ -167,12 +167,33 @@ xwl_property_callback(CallbackListPtr *pcbl, void *closure,
         xwl_window_update_property(xwl_window, rec);
 }
 
+#define readOnlyPropertyAccessMask (DixReadAccess |\
+                                    DixGetAttrAccess |\
+                                    DixListPropAccess |\
+                                    DixGetPropAccess)
+
 static void
 xwl_access_property_callback(CallbackListPtr *pcbl, void *closure,
                              void *calldata)
 {
+    XacePropertyAccessRec *rec = calldata;
+    PropertyPtr prop = *rec->ppProp;
+    ClientPtr client = rec->client;
+    Mask access_mode = rec->access_mode;
+    ScreenPtr pScreen = closure;
+    struct xwl_screen *xwl_screen = xwl_screen_get(pScreen);
+
+    if (prop->propertyName == xwl_screen->allow_commits_prop) {
+        /* Only the WM and the Xserver itself */
+        if (client != serverClient &&
+            client->index != xwl_screen->wm_client_id &&
+            (access_mode & ~readOnlyPropertyAccessMask) != 0)
+            rec->status = BadAccess;
+    }
 }
 
+#undef readOnlyPropertyAccessMask
+
 static void
 xwl_root_window_finalized_callback(CallbackListPtr *pcbl,
                                    void *closure,