[PATCH 1/3 v4] wayland-server: Add API to control globals visibility
Pekka Paalanen
ppaalanen at gmail.com
Tue Oct 18 13:57:26 UTC 2016
On Tue, 18 Oct 2016 08:37:56 -0400 (EDT)
Olivier Fourdan <ofourdan at redhat.com> wrote:
> Hi Pekka,
>
> > sorry for taking so long to reply.
>
> Now it's my turn to apologize, I saw your email and then forgot about it!
>
> > A recap from earlier emails as I understood them:
> >
> > - This patch adds a callback in libwayland-server's wl_registry
> > implementation, that will be called every time a) libwayland-server
> > is about to send an advert of a global to a client, and b) when a
> > client tries to correctly bind a global interface, to determine if
> > that should actually happen. Case b) is needed in case a malicious
> > client guesses the global name and interface correctly.
> >
> > - This does not actually have any significant consequences and it does
> > not close any "security holes" that would not be closable/closed
> > already otherwise. It is purely about trimming down the list of
> > globals per client. Essentially it's kind of like an ad hoc
> > implementation of namespaces for globals.
> >
> > - It was said that this is quite different to Giulio's plans for
> > privileged/restricted interface negotiation [1].
>
> I agree with all of the above :)
>
> > I'm very happy to see you wrote tests for the new API.
> >
> > To get proper validation for the new libwayland-server API, I would
> > like to see it used in Weston to replace all the existing privileged
> > global checks. To make that fluent, I would like Weston to also use the
> > recently added "new client created" callback to set up per-wl_client
> > tracking data, a part of which would be flags telling which privileged
> > interfaces can be bound or the special role of the client.
> >
> > As the only serious request for this patch series, I would like the
> > commit message to mention some more benefits we just figured out with
> > Jonas in IRC:
> >
> > - Hiding interfaces that expose compositor implementation details makes
> > it harder for clients to identify the compositor. Therefore clients
> > are a little less likely to develop compositor-specific workarounds
> > instead of reporting problems upstream.
> >
> > - Hiding can be used to diminish the problems from missing namespacing:
> > if two compositors happen to use the same named global with different
> > interfaces for their special-purpose clients, the client expecting
> > the different interface would probably never see it advertised.
> >
> > Therefore I think this would be a beneficial addition:
> > Acked-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>
>
> So, if I amend the commit message as above and rebase against current
> code, I can add your acked-by?
Yes!
As the Ack is for the idea, you could stamp it already on this patch.
Thanks,
pq
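To make the two-path design recapped above concrete, here is an added, self-contained model of a registry filter in C. It is not the patch's code and not libwayland's: the struct names, the privilege_filter callback, the bind_global/advertise_globals helpers, the flag values and the "example_*" interfaces are all constructed for illustration. It shows the point made in the recap: the same callback must be consulted when a global is advertised (case a) and again when a client binds (case b), otherwise a client that guesses a hidden global's numeric name and interface could still bind it. The per-client flags stand in for the tracking data the thread suggests a compositor would set up in its "new client created" callback.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a registry global filter. Not libwayland code;
 * every identifier here is made up for the example. */

enum client_flags {
    CLIENT_MAY_BIND_SCREENSHOOTER = 1u << 0,
    CLIENT_MAY_BIND_SHELL         = 1u << 1,
};

/* Per-client tracking data, set up once when the client connects. */
struct client {
    const char *label;
    unsigned int flags;
};

struct global {
    uint32_t name;              /* numeric registry name the client sees */
    const char *interface;
    unsigned int required_flag; /* 0 means the global is public */
};

typedef bool (*global_filter_func)(const struct client *client,
                                   const struct global *global, void *data);

struct display {
    const struct global *globals;
    size_t n_globals;
    global_filter_func filter;
    void *filter_data;
};

/* The compositor's filter: public globals pass, privileged ones need the flag. */
static bool privilege_filter(const struct client *client,
                             const struct global *global, void *data)
{
    (void)data;
    if (global->required_flag == 0)
        return true;
    return (client->flags & global->required_flag) != 0;
}

static bool global_visible(const struct display *d, const struct client *c,
                           const struct global *g)
{
    return d->filter == NULL || d->filter(c, g, d->filter_data);
}

/* Path a): collect the globals that would be advertised to this client.
 * Returns the number of visible globals; up to max_out pointers go in out. */
static size_t advertise_globals(const struct display *d, const struct client *c,
                                const struct global **out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < d->n_globals; i++) {
        if (!global_visible(d, c, &d->globals[i]))
            continue;
        if (n < max_out)
            out[n] = &d->globals[i];
        n++;
    }
    return n;
}

enum bind_result { BIND_OK = 0, BIND_INVALID_GLOBAL = 1 };

/* Path b): the bind request runs through the same filter, so guessing a
 * hidden global's name and interface is refused. A filtered global and an
 * unknown one get the same answer, so the reply does not reveal that a
 * hidden global exists (a design choice of this model). */
static enum bind_result bind_global(const struct display *d, const struct client *c,
                                    uint32_t name, const char *interface)
{
    for (size_t i = 0; i < d->n_globals; i++) {
        const struct global *g = &d->globals[i];
        if (g->name != name)
            continue;
        if (strcmp(g->interface, interface) != 0 || !global_visible(d, c, g))
            return BIND_INVALID_GLOBAL;
        return BIND_OK;
    }
    return BIND_INVALID_GLOBAL;
}

/* Constructed sample data: two public globals, two privileged ones. */
static const struct global demo_globals[] = {
    { 1, "wl_compositor",         0 },
    { 2, "wl_shm",                0 },
    { 3, "example_screenshooter", CLIENT_MAY_BIND_SCREENSHOOTER },
    { 4, "example_desktop_shell", CLIENT_MAY_BIND_SHELL },
};

static const struct display demo_display = {
    demo_globals, sizeof demo_globals / sizeof demo_globals[0],
    privilege_filter, NULL,
};

static const struct client ordinary_client = { "ordinary app", 0 };
static const struct client shell_client = { "desktop shell", CLIENT_MAY_BIND_SHELL };

int main(void)
{
    const struct global *seen[8];
    size_t n = advertise_globals(&demo_display, &ordinary_client, seen, 8);

    printf("%s sees %zu globals\n", ordinary_client.label, n);
    for (size_t i = 0; i < n; i++)
        printf("  %u %s\n", (unsigned)seen[i]->name, seen[i]->interface);

    /* Guessing name 4 with the right interface still fails for the ordinary client. */
    printf("ordinary bind of 4 -> %d\n",
           bind_global(&demo_display, &ordinary_client, 4, "example_desktop_shell"));
    printf("shell bind of 4 -> %d\n",
           bind_global(&demo_display, &shell_client, 4, "example_desktop_shell"));
    return 0;
}
```

The ordinary client is only told about the two public globals, and its bind of name 4 is rejected even though it supplies the correct interface string; the shell client, carrying the right flag, sees three globals and binds name 4 successfully.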