Proxying Wayland for security

Carsten Haitzler raster at rasterman.com
Wed Jul 28 10:30:49 UTC 2021


On Wed, 28 Jul 2021 09:51:53 +0000 Simon Ser <contact at emersion.fr> said:

> Please read the (lengthy) discussion at [1].
> 
> [1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206
> 
> In particular, the "get_credentials → PID → executable path" lookup is
> racy. PID re-use allows a malicious process to be recognized as another
> executable.

That is true - but only at cusp points - e.g. PID has exited, but socket has
not been detected as dead yet and PID was recycled. If you do the lookup then,
it'd be a problem.

If you do the lookup first on initial connect, then ensure you do at least one
round-trip to client (send something, it sends back a reply), then that lookup
would be valid (and continue to be valid for the duration of that connection)
because the PID lookup is sandwiched between a connect and an active round-trip
(thus the socket didn't die with the process). The round trip does need to be
some kind of ping that the compositor sends some UUID it generates with random
content and the reply is a pong with that UUID back - thus it can't be spoofed.

Indeed using systemd to get cgroup info from a client fd is also possible. The
point does remain that adding a proxy in becomes problematic.

-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - raster at rasterman.com
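The two-step check described above (credentials lookup at connect time, then a random-nonce ping/pong over the same connection before the identity is trusted), as an added Python illustration that is not code from this message or from any Wayland compositor. It assumes Linux (SO_PEERCRED and /proc/<pid>/exe) and uses a socketpair, so the "client" is a thread in the same process; names such as verify_peer and honest_client are invented for the illustration.

```python
import os
import secrets
import socket
import struct
import threading

NONCE_LEN = 16
CALLER_PID = os.getpid()  # with a socketpair the peer is this very process


def peer_identity(conn):
    """(pid, exe) of the process on the other end of a Unix socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", creds)
    exe = os.readlink(f"/proc/{pid}/exe")  # the racy step: the PID may be recycled
    return pid, exe


def verify_peer(conn, timeout=2.0):
    """Look up the peer, then require it to echo a fresh random nonce.

    Returns the identity only if the same connection answered; None otherwise,
    in which case the lookup must be discarded rather than cached."""
    identity = peer_identity(conn)
    nonce = secrets.token_bytes(NONCE_LEN)  # unpredictable, so a pong cannot be forged
    conn.settimeout(timeout)
    try:
        conn.sendall(nonce)
        reply = conn.recv(NONCE_LEN, socket.MSG_WAITALL)
    except OSError:  # timeout, EPIPE, reset: socket died, so the PID is untrustworthy
        return None
    if not secrets.compare_digest(reply, nonce):
        return None
    return identity


def honest_client(client):
    # A live client answering the ping with the same bytes.
    client.sendall(client.recv(NONCE_LEN, socket.MSG_WAITALL))


def silent_client(client):
    # A peer that goes away without answering: its identity must not be kept.
    client.close()


def demo(client_behaviour=honest_client):
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=client_behaviour, args=(client,))
    worker.start()
    result = verify_peer(server)
    worker.join()
    server.close()
    client.close()
    return result
```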
