<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none"></style> </head> <body dir="ltr"> <div id="OWAFontStyleDivID" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <style type="text/css" style="">  </style> <div id="OWAFontStyleDivID" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> <p></p> <div style="color:rgb(33,33,33)"> <div> <div dir="ltr"> <div>Hi Fabrice,</div> <div><br> </div> <div>> Hi all,</div> <div>> This topic came up in my previous one about window placement, and I'd like to</div> <div>> go further.</div> <div>> So currently there is no such thing as Global shortkeys and keyboard focus,</div> <div>> however let me present a typical real use-case:</div> <div>> [...]</div> <div>> </div> <div>> Now, I've read some vague things about privileged clients, is it still being </div> <div>> considered ?</div> <div><br> </div> <div>Note that most of the formalisation that occurred was done by Martin Peres from</div> <div>Nouveau (and to a lesser extent myself; I'm not a Wayland dev at all though).</div> <div><br> </div> <div>We're hoping to have a number of PoC demos of privileged clients for XDC but are</div> <div>both really really busy with our research (both PhD students). It's not clear if</div> <div>we will have implemented stuff to demonstrate... If you want/need</div> <div>to work on global shortcuts in the next weeks I can make an effort to make our</div> <div>latest discussions and plans available in a concise form.</div> <div><br> </div> <div>> Would it be some Android-like capabilities that the user validates on </div> <div>> installation or the first time they are required by the application ?</div> <div>> What are the plans for these 2 key features ?</div> <div><br> </div> <div>We only discussed what the privileges are. Intercepting global shortcuts is a</div> <div>privilege so your app would need to either:</div> <div>- have a capability to register a global shortcut itself</div> <div>- be entitled by a trusted third party to using a specific global shortcut</div> <div><br> </div> <div>A capability should be granted to a package by a distributor, most likely. This</div> <div>means distros who care about security would setup a process to verify why app</div> <div>devs/packagers want a capability for their app (whilst allowing core projects</div> <div>such as DEs/distro apps to have privileges and be deployable right away).</div> <div><br> </div> <div>The second point is a bit fuzzier, especially for global shortcuts. For some</div> <div>privileged interfaces once apps can be sandboxed on Linux, [and once I've</div> <div>written a decently secure UI embedding protocol *], they can be given widgets</div> <div>from a trusted third-party that the user can interact with to organically grant</div> <div>privileges. Apps should also have some nice APIs for opening and exporting</div> <div>resources in a secure way.</div> <div><br> </div> <div>You can tell that it's hard to find out how to provide a global shortcut UI</div> <div>abstraction that is unambiguous to users, especially since I understand your app</div> <div>will be GUI-less. Xfce has a GUI for assigning global shortcuts to commands, and</div> <div>I believe other DEs do as well. This utility will typically be the one holding a</div> <div>capability for intercepting any global shortcut.</div> <div><br> </div> <div>Your app should normally not qualify for such a privilege, so make your event</div> <div>triggerable via a CLI call and get users to assign the shortcut to your app. If</div> <div>DEs are willing to grant you full global shortcut privileges without assessing</div> <div>who you are, what your app does and in what ways your app can be compromised,</div> <div>they will probably have security issues in the future.</div> <div><br> </div> <div>Feel free to work with distrubotrs to sketch out a process for granting and</div> <div>revoking capabilities to third-party apps, etc. but I think this problem goes</div> <div>well beyond the scope of Wayland privileged interfaces!</div> <div><br> </div> <div>PS: you were the person proposing to let apps know or adjust their position on</div> <div>the screen? This, typically, creates vulnerabilities and makes trusted UI</div> <div>embedding much harder if not compromised. If you have specific use-cases that</div> <div>need to be supported, please come discuss them with us (#wayland-security on</div> <div>Freenode or this ML, I guess) so we can think of secure ways to support your</div> <div>needs without compromising the separation between clients and trusted UIs.</div> <div><br> </div> <div>Thanks,</div> <div>--</div> <div>Steve Dodier-Lazaro</div> <div>PhD student in Information Security</div> <div>University College London</div> <div>Dept. of Computer Science</div> <div>Malet Place Engineering, 6.07</div> <div>Gower Street, London WC1E 6BT</div> <div>OpenPGP : 1B6B1670<br> </div> <br> </div> </div> </div> </div> </div> </body> </html>