[PATCH 1/3 v4] wayland-server: Add API to control globals visibility
ppaalanen at gmail.com
Tue Oct 18 13:57:26 UTC 2016
On Tue, 18 Oct 2016 08:37:56 -0400 (EDT)
Olivier Fourdan <ofourdan at redhat.com> wrote:
> Hi Pekka,
> > sorry for taking so long to reply.
> Now it's my turn to apologize, I saw your email and then forgot about it!
> > A recap from earlier emails as I understood them:
> > - This patch adds a callback in libwayland-server's wl_registry
> > implementation, that will be called every time a) libwayland-server
> > is about to send an advert of a global to a client, and b) when a
> > client tries to correctly bind a global interface, to determine if
> > that should actually happen. Case b) is needed in case a malicious
> > client guesses the global name and interface correctly.
> > - This does not actually have any significant consequences and it does
> > not close any "security holes" that would not be closable/closed
> > already otherwise. It is purely about trimming down the list of
> > globals per client. Essentially it's kind of like an ad hoc
> > implementation of namespaces for globals.
> > - It was said that this is quite different to Giulio's plans for
> > privileged/restricted interface negotiation .
> I agree with all of the above :)
> > I'm very happy to see you wrote tests for the new API.
> > To get proper validation for the new libwayland-server API, I would
> > like to see it used in Weston to replace all the existing privileged
> > global checks. To make that fluent, I would like Weston to also use the
> > recently added "new client created" callback to set up per-wl_client
> > tracking data, a part of which would be flags telling which privileged
> > interfaces can be bound or the special role of the client.
> > As the only serious request for this patch series, I would like the
> > commit message to mention some more benefits we just figured out with
> > Jonas in IRC:
> > - Hiding interfaces that expose compositor implementation details makes
> > it harder for clients to identify the compositor. Therefore clients
> > are a little less likely to develop compositor-specific workarounds
> > instead of reporting problems upstream.
> > - Hiding can be used to diminish the problems from missing namespacing:
> > if two compositors happen to use the same named global with different
> > interfaces for their special-purpose clients, the client expecting
> > the different interface would probably never see it advertised.
> > Therefore I think this would be a beneficial addition:
> > Acked-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>
> So, if I amend the commit message as above and rebase against current
> code, I can add your acked-by?
As the Ack is for the idea, you could stamp it already on this patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the wayland-devel