Summary of the security discussions around Wayland and privileged clients

Thiago Macieira thiago at kde.org
Thu Feb 20 12:41:30 PST 2014 

Em qui 20 fev 2014, às 21:31:59, Martin Peres escreveu:
> > Now, the privileged process wants to launch a sub-process. How will the
> > sub- process connect to the compositor? Remember: WAYLAND_SOCKET contains
> > a file descriptor number that isn't available to the child process.
> 
> Ah, I see. You are suggesting un-setting WAYLAND_SOCKET and using fcntl() to
> set the socket's fd to CLOEXEC?

Setting the socket to O_CLOEXEC is mandatory after you start using it. Two 
processes cannot write to the same streaming socket file descriptor at the same 
time. You might be able to do this with a datagram socket, but that's not the 
case here.

> It is true that multiple process could end up with the same connection and
> I didn't think about that. The problem is the same if an application
> connects
> to the compositor by itself and then forks. Not sure how the compositor
> could detect that :s

It can't. It will get very confused because two applications with independent 
states will start stepping on each other's toes. The best outcome of this 
would be if the compositor detected a problem early on and cut the connection 
to both.

The way I see it, wl_display_connect() must unset the WAYLAND_SOCKET 
environment variable after getting the file descriptor number and it must set 
O_CLOEXEC. The socket is not available to child processes.

But then the question returns: how do child processes connect to the 
compositor, if the environment variable was cleared? How do they find the 
compositor?

Solutions:

1) the compositor MUST have a well-known socket name
  => not an option, since we want to have multiple concurrent compositors

2) wl_display_connect() doesn't clear the environment, but resets it to the 
actual socket name. It needs to get the socket name from somewhere.
  => problem: if it's getting the name from the compositor, this may take a  
  few roundtrips and the process may have decided to start the child process

3) use a different environment variable. One variable contains the traditional 
socket path and the other contains the file descriptor. The latter overrides 
the former.

4) store both settings in WAYLAND_SOCKET. D-Bus does that: 
DBUS_SESSION_BUS_ADDRESS can contain multiple addresses, to be attempted in 
order.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

More information about the wayland-devel mailing list