Explaining per kgunn's request:
What we have currently is: whatever initiates a trusted session provides a PID of the process it wants to open the prompt on. The problem there is that trusted helpers need not necessarily know what that PID should be, because the request might come from a scope, which has no UI. Currently the helpers just cheat by going `pidof unity8-dash` and open the session with that.
In the general case it's fine because apps interact with trusted helpers directly, so the helpers can identify the connecting PID (with the exception that upcoming multi-surface support will somewhat break this, as the helper has no way to uniquely identify the surface to relate the session to).
What we need is for the trusted "broker", that scope-registry is, to be able to create a non-spoofable relation between whatever surface displays the data for a particular scope, and pass it down to the scope, which will then pass it to trusted helpers. The exact solution is not clear yet.
In addition, somewhat off-topic, we want to add optional "type" and "metadata" or "geometry" arguments for a trusted prompt, to allow per-type transitions (immediate use case - media player as trusted prompt should grow from a thumbnail to fullscreen).