[RFC] Interface for injection of input events

Simon McVittie smcv at collabora.com
Tue Apr 4 11:36:55 UTC 2017

On Tue, 28 Mar 2017 at 15:33:41 -0700, Jordan Sissel wrote:
> I am interested in the security concerns here, but are there reliable barriers
> between different processes run by the same user in the same desktop session?
> What is the threat model y'all are defending against?

D-Bus was mentioned earlier in this thread, and the security model that
we keep telling people applies there is:

* The uid who ran the session bus (dbus-daemon --session) can connect to it
* That uid is totally trusted
* If you don't like that, sandbox your untrusted app, don't let it
  open the normal D-Bus socket, and use some sort of filtering proxy
  like Flatpak does instead

<https://bugs.freedesktop.org/show_bug.cgi?id=100344> is a future design
for having dbus-daemon offer less-trusted sockets in parallel with the
totally trusted one, which would obsolete Flatpak's D-Bus proxy.

Several D-Bus services that listen on the session bus offer arbitrary
code execution, a user can typically ptrace their own processes and
achieve arbitrary code execution, and a user with write access to the
home directory can achieve arbitrary code execution by writing
configuration files - so there is no point in trying to provide a
privilege boundary unless you have either a container like Flatpak,
or an LSM like AppArmor, or both.

If Wayland is aiming to be at a higher level of security isolation than
the D-Bus session bus - something you can bind-mount into your container
and not worry about, without introducing secondary sockets like fd.o
#100344 - then of course its tradeoffs might not be the same as for D-Bus.


More information about the wayland-devel mailing list