[RFC] Interface for injection of input events
Carsten Haitzler (The Rasterman)
raster at rasterman.com
Wed Mar 29 01:45:48 UTC 2017
On Tue, 28 Mar 2017 15:33:41 -0700 Jordan Sissel <jls at semicomplete.com> said:
> I am interested in the security concerns here, but are there reliable
> barriers between different processes run by the same user in the same
> desktop session? What is the threat model y'all are defending against?
the assumption is a model where random apps are downloaded by a user and these
apps are untrusted. they might be malware. they might want to rummage through
your address book and send it to someone to sell for a profit or to monitor
your file usage ... or become a keylogger and snarf your usernames and
passwords. apps are untrusted.
what is wanted is that wayland protocol and design itself does not OPEN holes
via the display system to such malicious clients/apps. wayland can do nothing
about the rest of the OS but it can at least secure itself well enough.
so we are operating on the assumption that if someone is in this scenario they
are then ALSO applying some kind of MAC/sandboxing setup to limit what these
untrusted apps can do/access on the "OS side" (ptrace, opening, writing of
files, and so on), so ASSUMING a well managed sandbox the app is running in, we
want to not expose anything more to the app other than what it should be
allowed to access. generally in wayland that has meant "very little". apps are
considered hostile/untrusted by default.
reality is though that for some things some apps do need access to do "trusted"
things where they may need access to all input or be able to generate input
(feed in fake input events) and so on. this should be heavily restricted and
part of this discussion is "how would this be done?" because being able to
see/modify some arbitrary other apps window is a recipe for disaster. being
able to inject input is even more so. so only special processes that are fully
trusted should be allowed to do this...
and given the many sandboxing methods... how would a compositor even enforce
such restriction? we could define one "blessed" mechanism. SMACK? containers?
something else? then what about wayland on non-linux? this makes securing
access to privileged features difficult cross-platform and so having some way
to do this in a portable way would be nice and make everyone's life simpler...
of course still assuming the OS somehow is doing sandboxing of the process in
other ways.
--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler) raster at rasterman.com