<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, 28 Mar 2017 at 22:31 Pekka Paalanen <<a href="mailto:ppaalanen@gmail.com">ppaalanen@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, 28 Mar 2017 16:20:28 +0900<br class="gmail_msg">
Carsten Haitzler (The Rasterman) <<a href="mailto:raster@rasterman.com" class="gmail_msg" target="_blank">raster@rasterman.com</a>> wrote:<br class="gmail_msg">
<br class="gmail_msg">
> On Wed, 22 Mar 2017 13:59:43 +0200 Pekka Paalanen <<a href="mailto:ppaalanen@gmail.com" class="gmail_msg" target="_blank">ppaalanen@gmail.com</a>> said:<br class="gmail_msg">
><br class="gmail_msg">
> > > == Authentication/Identification ==<br class="gmail_msg">
> > > The goal is to filter clients based on some white/blacklist, so that e.g.<br class="gmail_msg">
> > > xdotool can access this interface but others cannot.<br class="gmail_msg">
> ><br class="gmail_msg">
> > Hi,<br class="gmail_msg">
> ><br class="gmail_msg">
> > if one allows a generic tool that essentially exposes everything at<br class="gmail_msg">
> > will, there isn't much point in authenticating that program, because<br class="gmail_msg">
> > any other program can simply call it.<br class="gmail_msg">
><br class="gmail_msg">
> This is where right now I might lean to some environment variable with a<br class="gmail_msg">
> cookie/key the compositor provides *and that may change from session to session<br class="gmail_msg">
> or on demand).<br class="gmail_msg">
><br class="gmail_msg">
> So compositor might putenv() then fork() + exec() something like a terminal<br class="gmail_msg">
> app.. and then this terminal app and anything run from it inherits this env<br class="gmail_msg">
> var... and thus now has the secret key to provide...<br class="gmail_msg">
><br class="gmail_msg">
> This also allows the compositor to run any such process that passes the<br class="gmail_msg">
> key/cookie along to other processes/tools it determines are safe. It would<br class="gmail_msg">
> require the compositor have a "safe user initiated or approved" way to run such<br class="gmail_msg">
> things.<br class="gmail_msg">
<br class="gmail_msg">
Hi,<br class="gmail_msg">
<br class="gmail_msg">
that doesn't sound too bad. Initially the cookie could be passed in the<br class="gmail_msg">
env, until something better comes around. Also the restrictions and<br class="gmail_msg">
privileges carried with a cookie could vary based on how it was<br class="gmail_msg">
generated, e.g. cookies created for a container could be invalid for<br class="gmail_msg">
clients outside that specific container. Or require matching to SElinux<br class="gmail_msg">
or SMACK or whatever attributes. Or none of these at first. Completely<br class="gmail_msg">
up to the compositor.<br class="gmail_msg">
<br class="gmail_msg">
So now we need a spec for the cookie. An opaque binary blob with<br class="gmail_msg">
variable size, limited by some maximum size? 1 kB max?<br class="gmail_msg">
<br class="gmail_msg">
(To ensure e.g. Wayland can relay the maximum sized cookie in one<br class="gmail_msg">
message.)<br class="gmail_msg">
<br class="gmail_msg">
This could be the generic starting point for all privileged interfaces,<br class="gmail_msg">
Wayland and others. How the client will get the cookie in the first<br class="gmail_msg">
place is left undefined. The cookie should probably be optional too, in<br class="gmail_msg">
case another scheme already grants the privileges.<br class="gmail_msg">
<br class="gmail_msg">
Giulio, how about incorporating such a cookie scheme in your<br class="gmail_msg">
restricted_registry design?<br class="gmail_msg">
<br class="gmail_msg">
OTOH, a spec that uses cookies but does not tell where you might get<br class="gmail_msg">
one, is that useful? Do we have to spec the env variable?<br></blockquote><div><br></div><div>FWIW, an HMAC cookie is how we handle various privileged actions in Mir (raise window, drag & drop [because most of D&D is handled out-of-compositor]), so this would be easy to integrate for us.<br></div></div></div>