Proxying Wayland for security

Wed Jul 28 10:46:46 UTC 2021

Carsten Haitzler <raster at rasterman.com> writes:

> On Wed, 28 Jul 2021 09:51:53 +0000 Simon Ser <contact at emersion.fr> said:
>
>> Please read the (lengthy) discussion at [1].
>> 
>> [1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206
>> 
>> In particular, the "get_credentials → PID → executable path" lookup is
>> racy. PID re-use allows a malicious process to be recognized as another
>> executable.
>
> That is true - but only at cusp points - e.g. PID has exited, but socket has
> not been detected as dead yet and PID was recycled. I you do the lookup then,
> it'd be a problem.
>
> If you do the lookup first on initial connect, then ensure you do at least one
> round-trip to client (send something, it sends back a reply), then that lookup
> would be valid (and continue to be valid for the duration of that connection)
> because the PID lookup is sandwiched between a connect and an active round-trip
> (thus the socket didn't die with the process). The round trip does need to be
> some kind of ping that the compositor sends some UUID it generates with random
> content and the reply is a pong with that UUID back - thus it can't be spoofed.

Hmm, I'm having trouble squaring this with Simon's proof of concept
attack[1].  In particular, as that PoC demonstrates, there's guarantee
that the socket will die when the process does, right?  (Because the fd
could be shared with other processes.)

> Indeed using systemd to get cgroup info from a client fd is also possible. The
> point does remain that adding a proxy in becomes problematic.

[1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206#note_176699
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/wayland-devel/attachments/20210728/7f9c6c92/attachment-0001.sig>