cross-client surface references

Bill Spitzak spitzak at
Thu Jul 9 09:13:54 PDT 2015

On 07/09/2015 02:19 AM, Jasper St. Pierre wrote:

> Calling sandboxed_surface_manager.get_surface_for_id(); retrieves that
> surface and deletes the ID from the global namespace.

I thought about having the ID work only once like you propose, but I 
think this means that a client must be able to create unlimited IDs per 
object, and thus a malicious one can fill up the server's map from ID to 
object. The reason more than one ID is needed is so the client can 
launch more than one subclient and let them both use the same object.

Instead I think there can only be one ID for any object. The client that 
created the object can get the key once; repeated attempts are either 
protocol errors or return the same key. A client that uses a key to 
access the object is in the same state as a client that created the 
object and has already asked for the key. A client should only be able 
to use a key once (this is to prevent a client from opening unlimited 
numbers of interfaces to the object; it would have to open a different 
wayland pipe each time and that would probably hit a limit first).
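
An added sketch of the one-key-per-object scheme proposed in the message above (not part of the original message and not Wayland code), showing that the server's key map grows with the number of objects rather than with the number of requests. All type and function names are hypothetical; it models the "return the same key" variant for repeated requests, and the sequential counter stands in for unguessable keys.

```c
/* Added model of the one-key-per-object scheme; every name is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
enum { MAX_OBJECTS = 8, MAX_CLIENTS = 8 };

struct shared_obj {
    bool in_use;
    uint64_t key;               /* the single key for this object, 0 = none yet */
    bool holder[MAX_CLIENTS];   /* creator plus clients that redeemed the key */
};
static struct shared_obj table[MAX_OBJECTS];
static uint64_t next_key = 1;   /* assumption: a real server needs unguessable keys */

/* Create an object owned by `client`; returns its slot or -1 when full. */
int obj_create(int client) {
    if (client < 0 || client >= MAX_CLIENTS) return -1;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (table[i].in_use) continue;
        table[i] = (struct shared_obj){ .in_use = true };
        table[i].holder[client] = true;
        return i;
    }
    return -1;
}

/* Holders get the object's one key; repeat calls return the same key. */
uint64_t obj_get_key(int obj, int client) {
    if (obj < 0 || obj >= MAX_OBJECTS || client < 0 || client >= MAX_CLIENTS) return 0;
    if (!table[obj].in_use || !table[obj].holder[client]) return 0;
    if (table[obj].key == 0) table[obj].key = next_key++;
    return table[obj].key;
}

/* Redeem a key: succeeds once per client, then that client is a holder. */
int obj_attach(uint64_t key, int client) {
    if (key == 0 || client < 0 || client >= MAX_CLIENTS) return -1;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].in_use || table[i].key != key) continue;
        if (table[i].holder[client]) return -1;   /* second use is refused */
        table[i].holder[client] = true;
        return i;
    }
    return -1;
}

int keys_in_map(void) {         /* key-to-object entries the server holds */
    int n = 0;
    for (int i = 0; i < MAX_OBJECTS; i++) n += table[i].in_use && table[i].key != 0;
    return n;
}
```

However many times clients ask for or redeem the key, `keys_in_map()` never exceeds the number of live objects.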
