Summary of the security discussions around Wayland and privileged clients

Thiago Macieira thiago at kde.org
Thu Feb 20 09:42:45 PST 2014


Em qui 20 fev 2014, às 14:04:42, Pekka Paalanen escreveu:
> FWIW, Weston already does track its children by pid also, so that it
> can respawn them as needed if they e.g. crash.

Some compositors may take advantage of an external process launcher & 
babysitter, like systemd --user.

> > A simpler and more secure solution would be for the compositor to open a 
> > UNIX socket to itself before exec'ing the client. Once opened, it should 
> > be simpler for the compositor to set the client's capabilities to a flag 
> > stored in the structure tracking the client and then execute the 
> > client's binary. When running the exec() syscall, all the FDs that have 
> > not been opened with the ``O_CLOEXEC`` 
> > [flag](http://linux.die.net/man/2/open) will be passed on to the new 
> > process. A run-time parameter of the Wayland client could then be used 
> > to tell which FD represents the unix socket to the Wayland compositor. 
> > An example of such parameter could be ``--wayland-fd=xxx``. The 
> > compositor should however be careful it doesn't leak any un-needed FD to 
> > the new client.
> 
> Weston already implements this, and libwayland-client directly supports
> this with the environment variable WAYLAND_SOCKET. This is documented
> on wl_display_connect(). That is, all Wayland clients automatically
> support this, AFAIK.

This can also be accomplished by having different mount namespaces, so the 
socket name is the same but it's not the same actual socket.

However, in both cases, this means child processes inherit access to the same 
privileged socket.

Unless you meant that the WAYLAND_SOCKET variable can contain a file descriptor 
number. Is that the case? In that case, how should the privileged process 
clear the environment to allow child processes to be launched?

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
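An added example, not code from this thread, Weston or libwayland, sketching both halves of the WAYLAND_SOCKET hand-off the last paragraph asks about: the compositor passes one end of a socket pair across exec by number in the environment, and the privileged client marks that fd close-on-exec and unsets the variable right away so its own children get neither the fd nor the number. Function names are hypothetical and the compositor side is Linux-specific (SOCK_CLOEXEC).

```c
/* Added example, not from the thread: pass a privileged client its
 * socket via WAYLAND_SOCKET across exec, and have the client keep its
 * own children from inheriting it.  Function names are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
/* Compositor side.  SOCK_CLOEXEC on both ends, so only the one fd we
 * explicitly un-flag in the child survives the exec.  Returns the
 * compositor's end (-1 on error) and the pid for respawn tracking. */
int spawn_privileged_client(const char *path, char *const argv[],
                            pid_t *pid_out)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        char buf[16];
        fcntl(sv[1], F_SETFD, 0);      /* clear FD_CLOEXEC on this end only */
        snprintf(buf, sizeof buf, "%d", sv[1]);
        setenv("WAYLAND_SOCKET", buf, 1);
        execv(path, argv);
        _exit(127);                    /* exec failed */
    }
    close(sv[1]);                      /* parent keeps sv[0] only */
    *pid_out = pid;
    return sv[0];
}

/* Privileged client side: parse the inherited fd, mark it close-on-exec
 * and drop the variable, so later children of this process neither get
 * the fd nor see its number.  Returns the fd, or -1 if unset/invalid. */
int adopt_wayland_socket(void)
{
    const char *s = getenv("WAYLAND_SOCKET");
    if (!s || !*s) return -1;
    char *end;
    long fd = strtol(s, &end, 10);
    if (*end || fd < 0 || fd > INT_MAX) return -1;
    int flags = fcntl((int)fd, F_GETFD);
    if (flags < 0 || fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) < 0)
        return -1;                     /* not an open fd */
    unsetenv("WAYLAND_SOCKET");
    return (int)fd;
}
```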


