Summary of the security discussions around Wayland and privileged clients

Sebastian Wick sebastian at sebastianwick.net
Thu Feb 20 11:43:30 PST 2014


On 2014-02-20 20:02, Martin Peres wrote:
> On 20/02/2014 13:04, Pekka Paalanen wrote:
snip
>> It can be done, but with a little more effort than implied here.
>> Binding to an interface means wl_registry.bind request, and failing that
>> is always a fatal error, which terminates the client connection. All
>> errors in Wayland are fatal like that.
>> 
>> Instead, the interface should be always bindable, but include explicit
>> protocol to indicate failure in using its requests.
> 
> In this case, we can make something pretty simple, send a signal
> to the application if rights to use this interface have been granted.
> 
> If the application tries to use the interface without having the rights
> to do so, an EPERM signal can be sent (not to be confused with the
> revocation signal that happens when .... rights have been revoked).
> 
> What do you think?

I would like to have a request_permission and a revoke_permission method 
and respectively a permission_granted and a permission_revoked event. An 
application might not need the permission or only needs it for a small 
amount of time.

Slightly unrelated: We also need a way for a program to ask the 
compositor to start a client (and we have to ask ourselves how to handle 
arguments, environment variables etc.).
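
A small C model of the compositor-side permission state discussed in this thread (request/revoke requests, granted/revoked events, and a non-fatal denial in place of a fatal protocol error). This is an added example, not part of the original message and not an existing Wayland interface: every type and function name is hypothetical, and the compositor's policy decision is assumed to be a plain boolean input.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not an existing Wayland interface. */
enum perm_event { EV_NONE, EV_GRANTED, EV_REVOKED, EV_DENIED };

struct priv_client {
    bool granted;        /* current permission state for this client */
    bool policy_allows;  /* assumed input: the compositor's policy decision */
};

/* request_permission: the answer is an event, never a fatal protocol error. */
enum perm_event handle_request_permission(struct priv_client *c)
{
    if (!c->policy_allows)
        return EV_DENIED;
    c->granted = true;
    return EV_GRANTED;
}

/* revoke_permission: the client drops a right it no longer needs. */
enum perm_event handle_revoke_permission(struct priv_client *c)
{
    if (!c->granted)
        return EV_NONE;
    c->granted = false;
    return EV_REVOKED;
}

/* Compositor-initiated revocation, e.g. after a policy change. */
enum perm_event compositor_revoke(struct priv_client *c)
{
    c->policy_allows = false;
    return handle_revoke_permission(c);
}

/* Checked on every privileged use; denial leaves the client connected. */
enum perm_event handle_privileged_request(const struct priv_client *c)
{
    return c->granted ? EV_NONE : EV_DENIED;
}

int main(void)
{
    struct priv_client c = { .granted = false, .policy_allows = true };
    printf("use before grant: %d\n", handle_privileged_request(&c));
    printf("request: %d\n", handle_request_permission(&c));
    return 0;
}
```

The permission check sits in the privileged request handler rather than at bind time, so a client that never asked, or whose right was revoked, gets a denial event and keeps its connection.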

