[RFC] Implementing Wayland Security Module

Manuel Bachmann manuel.bachmann at open.eurogiciel.org
Wed Mar 11 10:51:41 PDT 2015


Hi Jasper,

"Why are fullscreen and resolution change privileged operations?"

Personally, I think fullscreen should be allowed by default, but could be
disallowed on a per-application basis, because a few of them could abuse it
by re-triggering it repeatedly (it made a great test case for the demo,
however).

Regarding resolution change, I'm not even sure it's in WSM ;-), but that's
direct access to the hardware modes; what about an app changing modes
every 5 seconds while minimized so you cannot easily kill it? You can
imagine the compositor's default UI would be authorized, but a third-party
app (like a video game) would at least need to ask the first time.

"I will not implement support for WSMs in mutter. I have given my opinion
on why I think technical solutions to security problems and security
policies are bogus before. I won't bother to repeat it here."

We discussed that on IRC, I can understand your position.

Regards,
Manuel

2015-03-09 21:41 GMT+01:00 Jasper St. Pierre <jstpierre at mecheye.net>:

> On Mon, Mar 9, 2015 at 12:52 PM, Manuel Bachmann <
> manuel.bachmann at open.eurogiciel.org> wrote:
>
>> Hi Matthias,
>>
>> "I don't think it makes sense to develop a specific solution just for
>> the portion of application sandboxing that happens to overlap with
>> wayland protocol requests. The same questions need to be answered when
>> a third-party application e.g. wants to open a file or send an email."
>>
>> While it is true that the general security policy concern is a huge
>> topic, and that WSM may seem to be too specific a solution in an ecosystem
>> where several Linux Security Modules have already been implemented, I
>> think, however, that there is a valid use case for it.
>>
>> We happen to have an ecosystem of GUI applications, more than 20 years
>> old, which were using the X11 protocol. For all these years, they were allowed
>> to exploit this protocol in various ways, which gave us the cool features
>> we could not imagine living without today.
>>
>> Then comes Wayland. It is more secure, but the cool features aren't
>> there. Sure, each compositor can do it the way it wants, but application
>> developers are embarrassed. This potentially cripples the user experience
>> and slows down Wayland adoption.
>>
>> WSM is interesting because it only tries to cover GUI applications,
>> which, basically, all have the same needs:
>> - screenshooting, screen recording, color picking...
>> - critical actions on the outputs: fullscreen, resolution change...
>>
>
> Why are fullscreen and resolution change privileged operations?
>
>
>> - access to a central clipboard;
>>
>> - replacing a vital part of the compositor (virtual keyboard, panel,
>> systray...)
>> - ....
>>
>> A Linux Security Module goes too far, has too many implications, which is
>> why it is rarely deployed except on server systems. But WSM is only about
>> GUI apps; it precisely knows what it wants to be and which problems it
>> tries to address. I think, personally, that WSM has a chance of success
>> because it is pragmatic and has the privileged timeframe for this.
>>
>
> I will not implement support for WSMs in mutter. I have given my opinion
> on why I think technical solutions to security problems and security
> policies are bogus before. I won't bother to repeat it here.
>
>
>> Regards,
>> Manuel
>>
>> 2015-03-09 14:30 GMT+01:00 Matthias Clasen <matthias.clasen at gmail.com>:
>>
>>> On Mon, Mar 9, 2015 at 1:38 AM, Manuel Bachmann
>>> <manuel.bachmann at open.eurogiciel.org> wrote:
>>>
>>> > Any comments on this ?
>>> >
>>>
>>> I don't think it makes sense to develop a specific solution just for
>>> the portion of application sandboxing that happens to overlap with
>>> wayland protocol requests. The same questions need to be answered when
>>> a third-party application e.g. wants to open a file or send an email.
>>>
>>
>>
>>
>> --
>> Regards,
>>
>>
>>
>> *Manuel BACHMANN Tizen Project VANNES-FR*
>>
>> _______________________________________________
>> wayland-devel mailing list
>> wayland-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
>>
>>
>
>
> --
>   Jasper
>



-- 
Regards,



*Manuel BACHMANN Tizen Project VANNES-FR*
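The policy Manuel sketches above (fullscreen allowed by default but revocable per application when an app re-triggers it repeatedly, resolution change granted to the compositor's own UI but requiring a third-party app to ask the first time) can be written down as a small compositor-side decision function. The following is an added example, not code from WSM, Weston or any participant in this thread. The struct layout, operation names and the abuse thresholds (3 fullscreen requests within 10 seconds) are assumptions chosen for illustration, and the example assumes the compositor has already established the client's identity itself (for instance from the sandbox that launched it), since an app_id supplied by the client cannot be trusted for a security decision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not Weston/WSM code): a compositor-side policy check for
 * the privileged requests discussed in the thread. Names, thresholds and the
 * struct layout are assumptions made for illustration.
 */

enum wsm_op {
	WSM_OP_FULLSCREEN,   /* allowed by default, revocable per application */
	WSM_OP_MODE_CHANGE,  /* third-party apps must ask the user the first time */
	WSM_OP_SCREENSHOT    /* always needs a fresh user decision in this model */
};

enum wsm_verdict { WSM_ALLOW, WSM_DENY, WSM_ASK };

#define WSM_FS_HISTORY     8      /* remembered fullscreen requests per client */
#define WSM_FS_WINDOW_MS   10000  /* abuse window (assumed value) */
#define WSM_FS_MAX_IN_WIN  3      /* requests tolerated inside the window (assumed value) */

struct wsm_client {
	const char *app_id;        /* identity established by the compositor, not client-supplied */
	bool trusted_shell;        /* the compositor's own UI (panel, virtual keyboard...) */
	bool fullscreen_blocked;   /* per-application deny, set by the user or by the rate check */
	bool mode_change_granted;  /* user already answered "yes" once */
	uint64_t fs_times[WSM_FS_HISTORY];
	unsigned fs_total;         /* total fullscreen requests seen so far */
};

/* Record a fullscreen request and report whether the client is hammering it. */
static bool wsm_fullscreen_abused(struct wsm_client *c, uint64_t now_ms)
{
	unsigned stored = c->fs_total < WSM_FS_HISTORY ? c->fs_total : WSM_FS_HISTORY;
	unsigned recent = 0;

	for (unsigned i = 0; i < stored; i++)
		if (now_ms - c->fs_times[i] < WSM_FS_WINDOW_MS)
			recent++;

	c->fs_times[c->fs_total % WSM_FS_HISTORY] = now_ms;
	c->fs_total++;

	return recent >= WSM_FS_MAX_IN_WIN;
}

enum wsm_verdict wsm_decide(struct wsm_client *c, enum wsm_op op, uint64_t now_ms)
{
	/* The compositor's own UI is authorized for everything. */
	if (c->trusted_shell)
		return WSM_ALLOW;

	switch (op) {
	case WSM_OP_FULLSCREEN:
		if (c->fullscreen_blocked)
			return WSM_DENY;
		/* Default allow; an app that re-triggers repeatedly loses the right
		 * for the rest of its session (the abuse case raised in the thread). */
		if (wsm_fullscreen_abused(c, now_ms)) {
			c->fullscreen_blocked = true;
			return WSM_DENY;
		}
		return WSM_ALLOW;

	case WSM_OP_MODE_CHANGE:
		/* Ask once, then remember the grant for this client. */
		return c->mode_change_granted ? WSM_ALLOW : WSM_ASK;

	case WSM_OP_SCREENSHOT:
		return WSM_ASK;
	}
	return WSM_DENY; /* unknown request: fail closed */
}

/* Called by the compositor when the user answers "yes" to a WSM_ASK prompt. */
void wsm_grant(struct wsm_client *c, enum wsm_op op)
{
	if (op == WSM_OP_MODE_CHANGE)
		c->mode_change_granted = true;
}

static const char *verdict_name(enum wsm_verdict v)
{
	return v == WSM_ALLOW ? "allow" : v == WSM_DENY ? "deny" : "ask";
}

int main(void)
{
	struct wsm_client game = { .app_id = "game" };   /* constructed sample clients */
	struct wsm_client shell = { .app_id = "desktop-shell", .trusted_shell = true };

	/* A game asking for fullscreen four times within 300 ms: the fourth is refused. */
	for (uint64_t t = 0; t < 400; t += 100)
		printf("game fullscreen @%llu ms: %s\n", (unsigned long long)t,
		       verdict_name(wsm_decide(&game, WSM_OP_FULLSCREEN, t)));

	printf("game mode change: %s\n", verdict_name(wsm_decide(&game, WSM_OP_MODE_CHANGE, 500)));
	wsm_grant(&game, WSM_OP_MODE_CHANGE);
	printf("game mode change after grant: %s\n", verdict_name(wsm_decide(&game, WSM_OP_MODE_CHANGE, 600)));
	printf("shell mode change: %s\n", verdict_name(wsm_decide(&shell, WSM_OP_MODE_CHANGE, 0)));
	return 0;
}
```

The rate check is what turns "allowed by default" into something the compositor can still defend: the first requests go through, and an app that re-triggers fullscreen repeatedly is moved to the per-application deny state rather than being allowed to keep the user hostage. Whether the grant for a mode change should persist across sessions, and how the compositor attributes a connection to an application in the first place, are the questions the thread leaves open.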