Proxying Wayland for security

Alyssa Ross hi at alyssa.is
Wed Jul 28 10:37:29 UTC 2021


Simon Ser <contact at emersion.fr> writes:

> On Wednesday, July 28th, 2021 at 11:17, Alyssa Ross <hi at alyssa.is> wrote:
>
>> A further thought I've just had -- the pid lookup is generally done
>> through libwayland-server's wl_client_get_credentials(), right? So if
>> libwayland-server could be taught about the proxy, and the proxy could
>> communicate the pid/uid/gid to libwayland-server somehow, that could
>> make this possible after all, right?
>
> I'm not sure a proxy is a good idea, because proxying Wayland protocols
> isn't straightforward and introduces latency.
>
> That said, allowing sandboxes to feed back security context metadata to
> the compositor is something I believe would be useful in many scenarios.
> Maybe have a look at [1]?
>
> [1]: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/68

Thanks for the link!  That looks very useful indeed.  I've read through
that and the Weston discussion it links to.  We're using Virtio Wayland
from Chromium OS, and I think it would be very straightforward to
implement security context protocol in that.

Dynamic permissions are important to us, so if I'm understanding
correctly, with this model the compositor would be responsible for
asking the user before taking an action in response to a client request,
yes?  And that would have to be implemented per compositor?

(But there's definitely value to static policy as well, if only so that
dynamic requests don't have to be repeated for every use of e.g. a
screenshot app, and the compositor doesn't have to somehow persist
them.)
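Added illustration, not part of the thread: the pid lookup the discussion refers to relies on the kernel's peer credentials (on Linux, `wl_client_get_credentials()` reads `SO_PEERCRED`), which identify the process that connected to the compositor's socket and nothing behind it. This constructed C program models compositor <- proxy <- client with plain Unix sockets and a Linux abstract autobound address, and checks that the compositor attributes the client's message to the proxy process; the process names and layout are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
/* What wl_client_get_credentials() does on Linux: ask the kernel for the peer. */
static pid_t peer_pid(int fd)
{
    struct ucred cred; socklen_t len = sizeof cred;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0 ? -1 : cred.pid;
}
/* Models compositor <- proxy <- client (constructed here, not Wayland code).
 * Returns 1 when the compositor attributes the client's message to the proxy,
 * 0 if it sees the client itself, -1 on error. */
int proxy_hides_client(void)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    socklen_t alen = sizeof(sa_family_t);  /* autobind: abstract name, no file */
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, alen) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &alen) < 0 || listen(srv, 1) < 0)
        return -1;
    pid_t proxy = fork();
    if (proxy == 0) {                      /* proxy process */
        int sv[2], up;
        char buf[32];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) _exit(1);
        pid_t client = fork();
        if (client == 0) {                 /* client: only ever talks to the proxy */
            int len = snprintf(buf, sizeof buf, "%d", (int)getpid());
            (void)write(sv[1], buf, len + 1);
            _exit(0);
        }
        ssize_t n = read(sv[0], buf, sizeof buf);
        up = socket(AF_UNIX, SOCK_STREAM, 0);
        if (n > 0 && connect(up, (struct sockaddr *)&addr, alen) == 0)
            (void)write(up, buf, n);       /* forward the client's bytes unchanged */
        waitpid(client, NULL, 0);
        _exit(0);
    }
    int conn = accept(srv, NULL, NULL);
    char buf[32] = { 0 };
    if (conn < 0 || read(conn, buf, sizeof buf - 1) <= 0) return -1;
    pid_t claimed = (pid_t)atoi(buf);      /* pid the client wrote into its message */
    pid_t seen = peer_pid(conn);           /* pid the kernel attributes the socket to */
    waitpid(proxy, NULL, 0);
    close(conn); close(srv);
    return seen == proxy && seen != claimed;
}
```

The message content says one thing and the socket credentials say another, which is exactly the gap a proxy-aware libwayland-server or a security-context protocol would have to close.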