[RFC] Interface for injection of input events

Mon Mar 27 08:08:52 UTC 2017

On Wed, 2017-03-22 at 11:00 +0800, Jonas Ådahl wrote:
> On Wed, Mar 22, 2017 at 12:23:46PM +1000, Peter Hutterer wrote:
> > 
> > == Authentication/Identification ==
> > The goal is to filter clients based on some white/blacklist, so
> > that e.g.
> > xdotool can access this interface but others cannot.
> > 
> > This is a big ¯\_(ツ)_/¯ for now, I don't now how to do this
> > reliably.
> > It's trivial to do per user, but per-process is difficult. DBus
> > filters
> > are largely limited to per-users. It's possible to get the process
> > ID of a
> > sender but going beyond that is unreliable (kernel doesn't
> > guarantee comm
> > being accurate).
> > 
> > Requiring applications to bind to a bus name merely restricts them
> > to being
> > a singleton, there is no guarantee the application that binds
> > org.freedesktop.org.WoodoTool.auth.xdotool is actually xdotool.
> > 
> > The option that comes closest so far is some pre-shared key between
> > compositor and application. That would need to be worked into the
> > API, but
> > it also relies on all participants to keep the key encrypted in
> > memory and
> > the various configuration files.
> > 
> > So it's not clear whether we can do anything beyond a basic on/off
> > toggle on
> > whether to allow events from fake input devices. Debatable if such
> > a crude
> > mechanism is useful.
> > 
> > 
> > Either way, this is a problem that *must* be solved but not
> > necessarily one
> > that affects the API itself (beyond what is required to make it
> > technically feasable, e.g. passing cookies around)
> 
> This could be left up to flatpak et.al, couldn't it? Coming up with a
> authentication mechanism that likely can be worked around without
> proper
> sandboxing doesn't sound relaible. CC:ing Alex regarding this.

Flatpak does indeed handle this, but it would really only work if all
the apps on your system are sandboxed. I.e, we can identify a flatpak
due to how we set it up when starting it, which the app cannot change
from inside the sandbox. However, any app not launched that way can
pretend to be someone else. Essentially there are two tiers of app
trust. Anything not flatpak (and snappy, etc) is considered trusted on
the user bus, and can do "anything".

So, in the golden future where all normal apps are sandboxed this could
work, but for current distros there is no secure way to authenticate
apps.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's an ungodly guitar-strumming paramedic gone bad. She's a cosmopolitan 
paranoid safe cracker with only herself to blame. They fight crime! 