portal: Add 'sandboxed-a11y-own-names' option

In context of the previous commit, this allows Flatpak apps to spawn
subsandboxes with `--a11y-own-name=DBUS_NAME`, where `DBUS_NAME` must
have the app id as prefix.

For example, `org.webkitgtk.MiniBrowser` would be able to spawn a Web
process using the Flatpak portal, and by passing
`org.webkitgtk.MiniBrowser.Sandboxed.WebProcess0`, this Web process
would be able to own this name in the a11y bus. This allows the Web
process and the main WebKit process to connect their a11y trees across
sandboxes.

data/org.freedesktop.portal.Flatpak.xml

@@ -36,7 +36,7 @@
       bus name org.freedesktop.portal.Flatpak and the object path
       /org/freedesktop/portal/Flatpak.
 
-      This documentation describes version 6 of this interface.
+      This documentation describes version 7 of this interface.
   -->
   <interface name='org.freedesktop.portal.Flatpak'>
     <property name="version" type="u" access="read"/>
@@ -240,6 +240,19 @@
              This was added in version 3 of this interface (available from flatpak 1.6.0 and later).
              </para></listitem>
            </varlistentry>
+           <varlistentry>
+             <term>sandbox-a11y-own-names as</term>
+             <listitem><para>
+               An array of D-Bus names to be owned on the accessibility bus. The
+               names must have the app id as prefix.
+             </para><para>
+               Only applies when `sandbox-flags` contains access to the accessibility
+               bus as well.
+             </para><para>
+               This was added in version 7 of this interface (available from
+               flatpak 1.16.0 and later).
+             </para></listitem>
+           </varlistentry>
            <varlistentry>
              <term>unset-env as</term>
              <listitem><para>

portal/flatpak-portal.c

@@ -783,6 +783,7 @@ handle_spawn (PortalFlatpak         *object,
   g_auto(GStrv) unset_env = NULL;
   g_auto(GStrv) sandbox_expose = NULL;
   g_auto(GStrv) sandbox_expose_ro = NULL;
+  g_auto(GStrv) sandboxed_a11y_own_names = NULL;
   g_autoptr(FlatpakInstance) instance = NULL;
   g_autoptr(GVariant) sandbox_expose_fd = NULL;
   g_autoptr(GVariant) sandbox_expose_fd_ro = NULL;
@@ -800,6 +801,7 @@ handle_spawn (PortalFlatpak         *object,
   glnx_autofd int env_fd = -1;
   const char *flatpak;
   gboolean testing = FALSE;
+  g_autofree char *app_id_prefix = NULL;
 
   child_setup_data.instance_id_fd = -1;
   child_setup_data.env_fd = -1;
@@ -899,6 +901,7 @@ handle_spawn (PortalFlatpak         *object,
   g_variant_lookup (arg_options, "sandbox-expose", "^as", &sandbox_expose);
   g_variant_lookup (arg_options, "sandbox-expose-ro", "^as", &sandbox_expose_ro);
   g_variant_lookup (arg_options, "sandbox-flags", "u", &sandbox_flags);
+  g_variant_lookup (arg_options, "sandboxed-a11y-own-names", "^as", &sandboxed_a11y_own_names);
   sandbox_expose_fd = g_variant_lookup_value (arg_options, "sandbox-expose-fd", G_VARIANT_TYPE ("ah"));
   sandbox_expose_fd_ro = g_variant_lookup_value (arg_options, "sandbox-expose-fd-ro", G_VARIANT_TYPE ("ah"));
   g_variant_lookup (arg_options, "unset-env", "^as", &unset_env);
@@ -945,6 +948,26 @@ handle_spawn (PortalFlatpak         *object,
         }
     }
 
+  app_id_prefix = g_strdup_printf ("%s.", app_id);
+  for (i = 0; sandboxed_a11y_own_names != NULL && sandboxed_a11y_own_names[i] != NULL; i++)
+    {
+      if (!(sandbox_flags & FLATPAK_SPAWN_SANDBOX_FLAGS_ALLOW_A11Y))
+        {
+          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                                 G_DBUS_ERROR_INVALID_ARGS,
+                                                 "Invalid sandbox a11y own name, accessibility disabled in the sandbox");
+          return G_DBUS_METHOD_INVOCATION_HANDLED;
+        }
+
+      if (!g_str_has_prefix (sandboxed_a11y_own_names[i], app_id_prefix))
+        {
+          g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                                 G_DBUS_ERROR_INVALID_ARGS,
+                                                 "Invalid sandbox a11y own name, doesn't match app id");
+          return G_DBUS_METHOD_INVOCATION_HANDLED;
+        }
+    }
+
   g_info ("Running spawn command %s", arg_argv[0]);
 
   n_fds = 0;
@@ -1099,8 +1122,14 @@ handle_spawn (PortalFlatpak         *object,
         }
       if (sandbox_flags & FLATPAK_SPAWN_SANDBOX_FLAGS_ALLOW_DBUS)
         g_ptr_array_add (flatpak_argv, g_strdup ("--session-bus"));
+
       if (sandbox_flags & FLATPAK_SPAWN_SANDBOX_FLAGS_ALLOW_A11Y)
-        g_ptr_array_add (flatpak_argv, g_strdup ("--a11y-bus"));
+        {
+          g_ptr_array_add (flatpak_argv, g_strdup ("--a11y-bus"));
+
+          for (i = 0; sandboxed_a11y_own_names != NULL && sandboxed_a11y_own_names[i] != NULL; i++)
+            g_ptr_array_add (flatpak_argv, g_strdup_printf ("--a11y-own-name=%s", sandboxed_a11y_own_names[i]));
+        }
     }
   else
     {
@@ -2940,7 +2969,7 @@ on_bus_acquired (GDBusConnection *connection,
   g_dbus_interface_skeleton_set_flags (G_DBUS_INTERFACE_SKELETON (portal),
                                        G_DBUS_INTERFACE_SKELETON_FLAGS_HANDLE_METHOD_INVOCATIONS_IN_THREAD);
 
-  portal_flatpak_set_version (PORTAL_FLATPAK (portal), 6);
+  portal_flatpak_set_version (PORTAL_FLATPAK (portal), 7);
   portal_flatpak_set_supports (PORTAL_FLATPAK (portal), supports);
 
   g_signal_connect (portal, "handle-spawn", G_CALLBACK (handle_spawn), NULL);

tests/test-portal.c

@@ -249,7 +249,7 @@ test_basic (Fixture *f,
   /* We can't easily tell whether EXPOSE_PIDS ought to be set or not */
   g_assert_cmpuint ((portal_flatpak_get_supports (f->proxy) &
                      (~FLATPAK_SPAWN_SUPPORT_FLAGS_EXPOSE_PIDS)), ==, 0);
-  g_assert_cmpuint (portal_flatpak_get_version (f->proxy), ==, 6);
+  g_assert_cmpuint (portal_flatpak_get_version (f->proxy), ==, 7);
 
   handler_id = g_signal_connect (f->proxy, "spawn-exited",
                                  G_CALLBACK (count_successful_exit_cb),