Summary of the security discussions around Wayland and privileged clients
martin.peres at free.fr
Thu Feb 20 11:59:07 PST 2014
On 20/02/2014 20:43, Sebastian Wick wrote:
> On 2014-02-20 20:02, Martin Peres wrote:
>> On 20/02/2014 13:04, Pekka Paalanen wrote:
>>> It can be done, but with a little more effort than implied here.
>>> Binding to an interface means wl_registry.bind request, and failing that
>>> is always a fatal error, which terminates the client connection. All
>>> errors in Wayland are fatal like that.
>>> Instead, the interface should be always bindable, but include explicit
>>> protocol to indicate failure in using its requests.
>> In this case, we can make something pretty simple, send a signal
>> to the application if rights to use this interface have been granted.
>> If the application tries to use the interface without having the rights
>> to do so, an EPERM signal can be sent (not to be confused with the
>> revocation signal that happens when .... rights have been revoked).
>> What do you think?
> I would like to have a request_permission and a revoke_permission
> method and respectively a permission_granted and a permission_revoked
> event. An application might not need the permission or only needs it
> for a small amount of time.
Yeah, seems good.
> Slightly unrelated: We also need a way for a program to ask the
> compositor to start a client (and we have to ask ourselves how to
> handle arguments, environment variables etc.).
I was thinking about having a semantic approach to that. Something
like "Open the preferred screenshot app" or "Open the preferred screen
video capture app". The preferred apps would be configured by the user
(with default settings from the DE) and could include parameter
passing, but I'm not sure it will happen. Is that something that would
If you really want something generic, then isn't that something systemd
could handle for us? I'm not really sure what you want to achieve here.
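
The design discussed in this thread (an interface that can always be bound, with permission handled by explicit requests and events instead of a fatal bind error), as an added example that is not part of the original message and is not libwayland code. All names, the policy check, the client identifier and the use of an EPERM event for a refused request_permission are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model of the design in the thread; not libwayland API. */
enum priv_event { EV_NONE, EV_PERMISSION_GRANTED, EV_PERMISSION_REVOKED, EV_EPERM };

struct priv_client {
    const char *id;   /* constructed client identity, e.g. from the launcher */
    bool bound;       /* binding always succeeds; a failed bind would be fatal */
    bool permitted;   /* grant state tracked by the compositor */
};

/* Assumed compositor policy: only the user's preferred screenshot app. */
static bool policy_allows(const char *id) {
    return id && strcmp(id, "preferred-screenshot-app") == 0;
}

static void priv_bind(struct priv_client *c, const char *id) {
    c->id = id; c->bound = true; c->permitted = false;
}

/* request_permission: the answer is an event, never a protocol error.
 * Using EPERM for a refused request is an assumption of this sketch. */
static enum priv_event priv_request_permission(struct priv_client *c) {
    c->permitted = c->bound && policy_allows(c->id);
    return c->permitted ? EV_PERMISSION_GRANTED : EV_EPERM;
}

/* revoke_permission (client) or revocation by the compositor. */
static enum priv_event priv_revoke(struct priv_client *c) {
    if (!c->permitted) return EV_NONE;
    c->permitted = false;
    return EV_PERMISSION_REVOKED;
}

/* A privileged request such as a screenshot: performed only while permitted,
 * otherwise answered with the non-fatal EPERM event. */
static enum priv_event priv_use(const struct priv_client *c, bool *done) {
    *done = c->bound && c->permitted;
    return *done ? EV_NONE : EV_EPERM;
}

int main(void) {
    struct priv_client c; bool done;
    priv_bind(&c, "preferred-screenshot-app");
    if (priv_use(&c, &done) != EV_EPERM) return 1;   /* not yet granted */
    if (priv_request_permission(&c) != EV_PERMISSION_GRANTED) return 1;
    priv_use(&c, &done);
    return done ? 0 : 1;
}
```

The client stays connected in every branch: an unprivileged or revoked client only receives an event, and the compositor checks the grant state on each privileged request rather than once at bind time.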