[PATCH 1/3 v4] wayland-server: Add API to control globals visibility

Olivier Fourdan ofourdan at redhat.com
Tue Oct 18 12:37:56 UTC 2016 

Hi Pekka,

> sorry for taking so long to reply.

Now it's my turn to apologize, I saw your email and then forgot about it!
 
> A recap from earlier emails as I understood them:
> 
> - This patch adds a callback in libwayland-server's wl_registry
>   implementation, that will be called every time a) libwayland-server
>   is about to send an advert of a global to a client, and b) when a
>   client tries to correctly bind a global interface, to determine if
>   that should actually happen. Case b) is needed in case a malicious
>   client guesses the global name and interface correctly.
> 
> - This does not actually have any significant consequences and it does
>   not close any "security holes" that would not be closable/closed
>   already otherwise. It is purely about trimming down the list of
>   globals per client. Essentially it's kind of like an ad hoc
>   implementation of namespaces for globals.
> 
> - It was said that this is quite different to Giulio's plans for
>   privileged/restricted interface negotiation [1].

I agree with all of the above :)

> I do like the simplicity and power of the design: a callback is simple,
> yet the API user (compositor) can do whatever it could ever imagine
> with it.
> 
> We could use this to replace all the existing private interface
> permission checks in Weston.
> 
> Let's think more about this proposal vs. Giulio's privileged interface
> negotiation. I believe the reasons why this cannot be used as a part
> for implementing Giulio's proposal is that to do the negotation, you
> have to create a wl_registry first to get access to the negotiation
> interface. If the negotiation succeeds, then the compositor would
> somehow have to send all the global ads that just became possible for
> the client. That would be quite awkward to implement with wl_registry
> in libwayland-server.
> 
> Revoking permissions for global interfaces that have already been bound
> to is another case wl_registry cannot easily deal with, even though we
> do have wl_registry.remove event that would be just perfect. The
> problem is the interface between libwayland-server and the compositor.
> 
> As much as I'd like to see a common solution to both features, it
> cannot happen with the globals filtering proposed in this patch, I
> believe.
> 
> However, I think it would be possible to avoid all need for globals
> filtering by developing Giulio's proposal. OTOH, it would be more code
> and more work for the simple cases where we do not need negotiation
> after creating the Wayland connection.
> 
> My main worry is that when someone develops Giulio's proposal into a
> standard, this feature will become redundant. I have no other reason to
> dislike this approach.
> 
> Have you looked at [1], what do you think of it?
> 
> I have made some negative comments in that thread, but afterwards I
> have come around a bit, thinking it might be a good approach the
> problems it aims to solve after all.

I think this is two different things, Giulio's authorizer protocol has a different use case, and will be very useful for example in the grabbing keyboard proposal I made some time ago, typically a given client tries to grab the keyboard, the compositor asks the user, etc.

This patch here is more about not even telling the client that we have a given protocol available, but once a protocol is advertised to a client, the authorizer protocol can be used to notify and get the user's consent.

> I'm very happy to see you wrote tests for the new API.
> 
> To get proper validation for the new libwayland-server API, I would
> like to see it used in Weston to replace all the existing privileged
> global checks. To make that fluent, I would like Weston to also use the
> recently added "new client created" callback to set up per-wl_client
> tracking data, a part of which would be flags telling which privileged
> interfaces can be bound or the special role of the client.
> 
> As the only serious request for this patch series, I would like the
> commit message to mention some more benefits we just figured out with
> Jonas in IRC:
> 
> - Hiding interfaces that expose compositor implementation details makes
>   it harder for clients to identify the compositor. Therefore clients
>   are a little less likely to develop compositor-specific workarounds
>   instead of reporting problems upstream.
> 
> - Hiding can be used to diminish the problems from missing namespacing:
>   if two compositors happen to use the same named global with different
>   interfaces for their special-purpose clients, the client expecting
>   the different interface would probably never see it advertised.
> 
> Therefore I think this would be a beneficial addition:
> Acked-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>

So, if I amend the commit message as above and rebase against current code, I can add your acked-by?

Cheers,
Olivier


> [1]
> https://lists.freedesktop.org/archives/wayland-devel/2015-November/025734.html
> continued in
> https://lists.freedesktop.org/archives/wayland-devel/2015-December/025884.html
>

More information about the wayland-devel mailing list