Global shortkeys and keyboard focus

Dodier-Lazaro, Steve s.dodier-lazaro.12 at ucl.ac.uk
Fri Jul 4 03:53:30 PDT 2014


Hi Fabrice,

> Hi all,
> This topic came up in my previous one about window placement, and I'd like to
> go further.
> So currently there is no such thing as Global shortkeys and keyboard focus,
> however let me present a typical real use-case:
> [...]
>
> Now, I've read some vague things about privileged clients, is it still being
> considered ?

Note that most of the formalisation that occurred was done by Martin Peres from
Nouveau (and to a lesser extent myself; I'm not a Wayland dev at all though).

We're hoping to have a number of PoC demos of privileged clients for XDC but are
both really really busy with our research (both PhD students). It's not clear if
we will have implemented stuff to demonstrate... If you want/need
to work on global shortcuts in the next weeks I can make an effort to make our
latest discussions and plans available in a concise form.

> Would it be some Android-like capabilities that the user validates on
> installation or the first time they are required by the application ?
> What are the plans for these 2 key features ?

We only discussed what the privileges are. Intercepting global shortcuts is a
privilege so your app would need to either:
- have a capability to register a global shortcut itself
- be entitled by a trusted third party to using a specific global shortcut

A capability should be granted to a package by a distributor, most likely. This
means distros who care about security would setup a process to verify why app
devs/packagers want a capability for their app (whilst allowing core projects
such as DEs/distro apps to have privileges and be deployable right away).

The second point is a bit fuzzier, especially for global shortcuts. For some
privileged interfaces once apps can be sandboxed on Linux, [and once I've
written a decently secure UI embedding protocol *], they can be given widgets
from a trusted third-party that the user can interact with to organically grant
privileges. Apps should also have some nice APIs for opening and exporting
resources in a secure way.

You can tell that it's hard to find out how to provide a global shortcut UI
abstraction that is unambiguous to users, especially since I understand your app
will be GUI-less. Xfce has a GUI for assigning global shortcuts to commands, and
I believe other DEs do as well. This utility will typically be the one holding a
capability for intercepting any global shortcut.

Your app should normally not qualify for such a privilege, so make your event
triggerable via a CLI call and get users to assign the shortcut to your app. If
DEs are willing to grant you full global shortcut privileges without assessing
who you are, what your app does and in what ways your app can be compromised,
they will probably have security issues in the future.

Feel free to work with distrubotrs to sketch out a process for granting and
revoking capabilities to third-party apps, etc. but I think this problem goes
well beyond the scope of Wayland privileged interfaces!

PS: you were the person proposing to let apps know or adjust their position on
the screen? This, typically, creates vulnerabilities and makes trusted UI
embedding much harder if not compromised. If you have specific use-cases that
need to be supported, please come discuss them with us (#wayland-security on
Freenode or this ML, I guess) so we can think of secure ways to support your
needs without compromising the separation between clients and trusted UIs.

Thanks,??
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/wayland-devel/attachments/20140704/d81e0f5e/attachment.html>


More information about the wayland-devel mailing list