Summary of the security discussions around Wayland and privileged clients
Thiago Macieira
thiago at kde.org
Thu Feb 20 09:42:45 PST 2014
On Thu 20 Feb 2014, at 14:04:42, Pekka Paalanen wrote:
> FWIW, Weston already does track its children by pid also, so that it
> can respawn them as needed if they e.g. crash.
Some compositors may take advantage of an external process launcher &
babysitter, like systemd --user.
> > A simpler and more secure solution would be for the compositor to open a
> > UNIX socket to itself before exec'ing the client. Once opened, it should
> > be simpler for the compositor to set the client's capabilities to a flag
> > stored in the structure tracking the client and then execute the
> > client's binary. When running the exec() syscall, all the FDs that have
> > not been opened with the ``O_CLOEXEC``
> > [flag](http://linux.die.net/man/2/open) will be passed on to the new
> > process. A run-time parameter of the Wayland client could then be used
> > to tell which FD represents the unix socket to the Wayland compositor.
> > An example of such parameter could be ``--wayland-fd=xxx``. The
> > compositor should however be careful it doesn't leak any un-needed FD to
> > the new client.
>
> Weston already implements this, and libwayland-client directly supports
> this with the environment variable WAYLAND_SOCKET. This is documented
> on wl_display_connect(). That is, all Wayland clients automatically
> support this, AFAIK.
This can also be accomplished by having different mount namespaces, so the
socket name is the same but it's not the same actual socket.
However, in both cases, this means child processes inherit access to the same
privileged socket.
Unless you meant that the WAYLAND_SOCKET variable can contain a file descriptor
number. Is that the case? In that case, how should the privileged process
clear the environment to allow child processes to be launched?
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
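The fd-across-exec handshake discussed in this thread (launcher clears close-on-exec on exactly one socket fd and names it in WAYLAND_SOCKET; the client takes the fd, re-arms FD_CLOEXEC and scrubs the variable so processes it later spawns inherit neither), as an added C example that is not code from this thread, from Weston or from libwayland-client. The function names are mine, and a socketpair() created in-process stands in for the compositor's real socket.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
/* Launcher side, in the forked child just before execv(): hand exactly one fd
 * across exec by clearing FD_CLOEXEC on it and naming it in WAYLAND_SOCKET. */
static int export_client_fd(int client_fd)
{
    char buf[16];
    if (fcntl(client_fd, F_SETFD, 0) < 0)
        return -1;
    snprintf(buf, sizeof buf, "%d", client_fd);
    return setenv("WAYLAND_SOCKET", buf, 1);
}
/* Strict parse of the hint: decimal, non-negative, nothing trailing, else -1. */
static int parse_fd_hint(const char *s)
{
    char *end; long fd;
    if (!s || !*s) return -1;
    errno = 0;
    fd = strtol(s, &end, 10);
    return (errno || *end || fd < 0 || fd > INT_MAX) ? -1 : (int)fd;
}
/* Client side, at connect time: take the fd, re-arm FD_CLOEXEC and scrub the
 * variable, so processes the privileged client later spawns get neither. */
static int take_client_fd_from_env(void)
{
    int fd = parse_fd_hint(getenv("WAYLAND_SOCKET"));
    if (fd < 0 || fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
        return -1;
    unsetenv("WAYLAND_SOCKET");
    return fd;
}
/* Both halves in one process over a constructed socketpair; 0 on success. */
static int demo_roundtrip(void)
{
    int sv[2], fd, ok;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0 ||
        export_client_fd(sv[1]) < 0)
        return -1;
    fd = take_client_fd_from_env();
    ok = fd == sv[1] && !getenv("WAYLAND_SOCKET") &&
         (fcntl(fd, F_GETFD) & FD_CLOEXEC);
    close(sv[0]); close(sv[1]);
    return ok ? 0 : -1;
}
```

Every other fd in the launcher is assumed to have been opened with O_CLOEXEC or SOCK_CLOEXEC, which is what keeps the exported one the only fd that survives exec.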