Clipboard: Move the system clipboard to a dedicated service process :^)

This commit moves the clipboard from WindowServer into a new Clipboard
service program. Clipboard runs as the unprivileged "clipboard" user
and with a much tighter pledge than WindowServer.

To keep things working as before, all GUI::Application users now make
a connection to Clipboard after making the connection to WindowServer.
It could be interesting to connect to Clipboard on demand, but right
now that would necessitate expanding every GUI app's pledge to include
"unix" and also unveiling the clipboard portal, which I prefer not to.

3 files changed, 8 insertions, 0 deletions

diff --git a/Base/etc/SystemServer.ini b/Base/etc/SystemServer.ini
index 6ce8893a01..0e9727be55 100644
--- a/Base/etc/SystemServer.ini
+++ b/Base/etc/SystemServer.ini
@@ -46,6 +46,12 @@ Priority=high
 KeepAlive=1
 User=window
 
+[Clipboard]
+Socket=/tmp/portal/clipboard
+SocketPermissions=660
+KeepAlive=1
+User=clipboard
+
 [SystemMenu]
 KeepAlive=1
 User=anon
diff --git a/Base/etc/group b/Base/etc/group
index 6aecd0e7ae..5eafd79298 100644
--- a/Base/etc/group
+++ b/Base/etc/group
@@ -7,4 +7,5 @@ lookup:x:10:protocol,anon
 protocol:x:11:anon
 notify:x:12:anon
 window:x:13:anon,notify
+clipboard:x:14:anon
 users:x:100:anon
diff --git a/Base/etc/passwd b/Base/etc/passwd
index 67cf5d44b3..814e0d6f96 100644
--- a/Base/etc/passwd
+++ b/Base/etc/passwd
@@ -3,5 +3,6 @@ lookup:x:10:10:LookupServer,,,:/:/bin/false
 protocol:x:11:11:ProtocolServer,,,:/:/bin/false
 notify:x:12:12:NotificationServer,,,:/:/bin/false
 window:x:13:13:WindowServer,,,:/:/bin/false
+clipboard:x:14:14:Clipboard,,,:/:/bin/false
 anon:x:100:100:Anonymous,,,:/home/anon:/bin/sh
 nona:x:200:200:Nona,,,:/home/nona:/bin/sh