[RFC] Implementing Wayland Security Module

Jasper St. Pierre jstpierre at mecheye.net
Wed Mar 11 10:55:14 PDT 2015


How would a game change the mode in the first place? There is no request to
do so.

Anyway, I'm still going to push for a complete solution that isn't tied to
Wayland and also works for DBus, but I can't convince you this is a bad
idea. So, best of luck to you, and I'll shut up now :)
On Mar 11, 2015 10:51 AM, "Manuel Bachmann" <manuel.bachmann at open.eurogiciel.org> wrote:

> Hi Jasper,
>
> "Why are fullscreen and resolution change privileged operations?"
>
> Personally, I think fullscreen should be allowed by default, but could be
> disallowed on a per-application basis, because a few of them could abuse it
> by re-triggering it repeatedly (it made a great test case for the demo,
> however).
>
> Regarding resolution change, I'm not even sure it's in WSM ;-), but that's
> direct access to the hardware modes; what about an app changing modes
> every 5 seconds while minimized so you cannot easily kill it? You can
> imagine the compositor's default UI would be authorized, but a third-party
> app (like a video game) would at least need to ask the first time.
>
> "I will not implement support for WSMs in mutter. I have given my opinion
> on why I think technical solutions to security problems and security
> policies are bogus before. I won't bother to repeat it here."
>
> We discussed that on IRC, I can understand your position.
>
> Regards,
> Manuel
>
> 2015-03-09 21:41 GMT+01:00 Jasper St. Pierre <jstpierre at mecheye.net>:
>
>> On Mon, Mar 9, 2015 at 12:52 PM, Manuel Bachmann <manuel.bachmann at open.eurogiciel.org> wrote:
>>
>>> Hi Matthias,
>>>
>>> "I don't think it makes sense to develop a specific solution just for
>>> the portion of application sandboxing that happens to overlap with
>>> wayland protocol requests. The same questions need to be answered when
>>> a third-party application e.g. wants to open a file or send an email."
>>>
>>> While it is true that the general security policy concern is a huge
>>> topic, and that WSM may seem to be too specific a solution in an ecosystem
>>> where several Linux Security Modules have already been implemented, I
>>> think, however, that there is a valid use case for it.
>>>
>>> We happen to have a more-than-20-years-old ecosystem of GUI applications
>>> which were using the X11 protocol. For all these years, they were allowed
>>> to exploit this protocol in various ways, which gave us the cool features
>>> we could not imagine living without today.
>>>
>>> Then comes Wayland. It is more secure, but the cool features aren't
>>> there. Sure, each compositor can do it the way it wants, but application
>>> developers are embarrassed. This potentially cripples the user experience
>>> and slows down Wayland adoption.
>>>
>>> WSM is interesting because it only tries to cover GUI applications,
>>> which, basically, all have the same needs:
>>> - screenshooting, screen recording, color picking, ...
>>> - critical actions on the outputs: fullscreen, resolution change, ...
>>>
>>
>> Why are fullscreen and resolution change privileged operations?
>>
>>
>>> - access to a central clipboard;
>>>
>>> - replacing a vital part of the compositor (virtual keyboard, panel,
>>> systray, ...)
>>> - ...
>>>
>>> A Linux Security Module goes too far, has too many implications, hence
>>> why it is rarely deployed except on server systems. But WSM is only about
>>> GUI apps; it precisely knows what it wants to be and which problems it
>>> tries to address. I think, personally, that WSM has a chance of success
>>> because it is pragmatic and has the privileged timeframe for this.
>>>
>>
>> I will not implement support for WSMs in mutter. I have given my opinion
>> on why I think technical solutions to security problems and security
>> policies are bogus before. I won't bother to repeat it here.
>>
>>
>>> Regards,
>>> Manuel
>>>
>>> 2015-03-09 14:30 GMT+01:00 Matthias Clasen <matthias.clasen at gmail.com>:
>>>
>>>> On Mon, Mar 9, 2015 at 1:38 AM, Manuel Bachmann
>>>> <manuel.bachmann at open.eurogiciel.org> wrote:
>>>>
>>>> > Any comments on this ?
>>>> >
>>>>
>>>> I don't think it makes sense to develop a specific solution just for
>>>> the portion of application sandboxing that happens to overlap with
>>>> wayland protocol requests. The same questions need to be answered when
>>>> a third-party application e.g. wants to open a file or send an email.
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>>
>>>
>>> *Manuel BACHMANN Tizen Project VANNES-FR*
>>
>>
>> --
>>   Jasper
>>
>