Proxying Wayland for security
Jonas Ådahl
jadahl at gmail.com
Wed Jul 28 13:20:09 UTC 2021
On Wed, Jul 28, 2021 at 11:06:43AM +0000, Alyssa Ross wrote:
> Daniel Stone <daniel at fooishbar.org> writes:
>
> >> One big issue for us is protecting the system against potentially
> >> malicious Wayland clients. It's important that a compartmentalized
> >> application can't read from the clipboard or take a screenshot of the
> >> whole desktop without user consent. (The latter is possible in
> >> wlroots compositors with wlr-screencopy.)
> >>
> >> So an idea I had was to was to write a proxy program that would sit
> >> in front of the compositor, and receive connections from clients. If
> >> a client sent a wl_data_offer::receive, for example, the proxy could
> >> ask for user confirmation before forwarding that to the compositor.
> >
> > As you've noted, the core protocol doesn't offer any way to scrape
> > these contents without additional extension protocols, which are not
> > implemented by all compositors. Generally speaking, GNOME's Mutter and
> > Weston tend not to implement these protocols, and wlroots-based
> > compositors tend to implement them.
>
> That's true for screenshots, but it's not true for clipboard contents,
> right? As I understand it, any application can paste, with the only
> restriction being that it has to be in the foreground at the time, and
> wl-clipboard[1] seems to demonstrate that it's possible to fulfill that
> requirement without being visible to the user at all.
Getting things from the clipboard is generally supposed to require an
interaction of some sort, e.g. a button press, key press, touch down,
etc, but it might be not properly implemented here and there.
wl-clipboard relies on this not being done good enough, and will
eventally stop working, unless there exist some global state like
clipboard manager protocol that bypasses any content restrictions that
wl_data_device and friends apply.
Jonas
More information about the wayland-devel
mailing list