[RFC] Implementing Wayland Security Module

Jasper St. Pierre jstpierre at mecheye.net
Mon Mar 9 13:41:31 PDT 2015


On Mon, Mar 9, 2015 at 12:52 PM, Manuel Bachmann <
manuel.bachmann at open.eurogiciel.org> wrote:

> Hi Matthias,
>
> "I don't think it makes sense to develop a specific solution just for
> the portion of application sandboxing that happens to overlap with
> wayland protocol requests. The same questions need to be answered when
> a third-party application e.g. wants to open a file or send an email."
>
> While it is true that the general security policy concern is a huge topic,
> and that WSM may seem to be a too-specific solution in an ecosystem where
> several Linux Security Modules have already been implemented, I think,
> however, that there is a valid use case for it.
>
> We happen to have a more-than-20-years-old ecosystem of GUI applications
> which were using the X11 protocol. For all these years, they were allowed
> to exploit this protocol in various ways, which gave us the cool features
> we could not imagine living without today.
>
> Then comes Wayland. It is more secure, but the cool features aren't there.
> Sure, each compositor can do it the way it wants, but application developers
> are embarrassed. This potentially cripples the user experience and slows
> down Wayland adoption.
>
> WSM is interesting because it only tries to cover GUI applications, which,
> basically, all have the same needs:
> - screenshooting, screen recording, color picking....
> - critical actions on the outputs: fullscreen, resolution change...
>

Why are fullscreen and resolution change privileged operations?


> - access to a central clipboard;
>
> - replacing a vital part of the compositor (virtual keyboard, panel,
> systray...)
> - ....
>
> A Linux Security Module goes too far, has too many implications, hence why
> it is rarely deployed except on server systems. But WSM is only about GUI
> apps; it precisely knows what it wants to be and which problems it tries
> to address. I think, personally, that WSM has a chance of success because
> it is pragmatic and has the privileged timeframe for this.
>

I will not implement support for WSMs in mutter. I have given my opinion on
why I think technical solutions to security problems and security policies
are bogus before. I won't bother to repeat it here.


> Regards,
> Manuel
>
> 2015-03-09 14:30 GMT+01:00 Matthias Clasen <matthias.clasen at gmail.com>:
>
>> On Mon, Mar 9, 2015 at 1:38 AM, Manuel Bachmann
>> <manuel.bachmann at open.eurogiciel.org> wrote:
>>
>> > Any comments on this?
>> >
>>
>> I don't think it makes sense to develop a specific solution just for
>> the portion of application sandboxing that happens to overlap with
>> wayland protocol requests. The same questions need to be answered when
>> a third-party application e.g. wants to open a file or send an email.
>>
>
> --
> Regards,
>
> *Manuel BACHMANN Tizen Project VANNES-FR*
>


-- 
  Jasper