On Sat, Mar 13, 2021 at 07:21:50AM +0000, Thomas Leonard wrote: > > > Once this is working more smoothly, I guess the next issues will be > > > setting up some kind of secure window manager on the host (e.g. > > > labelling windows with the VM they come from, not allowing > > > screenshots, etc). Would also be good to get sound forwarding working > > > somehow (Qubes routes pulseaudio to all the VMs and gives you a mixer > > > to control the levels for each, but I don't know how that worked). It > > > also needs some kind of VM manager to keep track of which VMs are > > > running. And some kind of IPC system like qrexec would be useful. Do > > > you have thoughts or plans about how to do any of this? > > > > The window manager is a part of this whole thing that makes me very > > nervous. A secure window manager is very important for Wayland, and I'm > > not sure how much I trust any of the existing ones to get it right. But > > with Wayfire I'm hoping it'll at least be easy enough to implement stuff > > like tagged/coloured windows for the proof of concept (since the > > plugin API and stuff is Wayfire's niche), and I'm hoping at some point > > somebody comes up with a security-focused Wayland window manager we can > > switch to -- I'd love a Rust one, and there's work going on in that > > area[1]. > > For the short-term, it would be fairly easy to make a slight change to > the wayland-virtwl-proxy[*] so that a version of it could run on the > host. Unlike the guest one, which has to copy frames and deal with > virtwl, this would just pass FDs through. And instead of connecting to > /dev/wl0, it would just connect to the host compositor socket. It > would then block access to screenshots (since it doesn't proxy that), > and would add the VM's name to each window's title. > > Eventually I'd like to turn it into a full compositor, but I'm going > to be busy for the next 6 months at least. A sanitizing proxy of this sort could be a very good way to go indeed, especially early on, because if we tightly control what messages Wayland clients can send, we don't have to worry so much about what the compositor will do if it gets a weird message. Having a proxy rather than investigating in hardening a specific compositor (or writing such a compositor) would also give us more freedom to change compositor later (or allow users to choose their own compositor). > > Not sure about IPC yet, but I recently read an article about PipeWire[2], > > and that's been making me think a bit about audio. With PipeWire, they > > seem to have cared about security from the start: > > Thanks for the link. I hadn't realised PulseAudio was in such a bad state! I think it's just one of those things where they just didn't think about security very much early on, and retrofitting that after the fact is difficult because every application has already been written to expect not to have to do anything special for security. Very much like the situation with X11 compared to Wayland. > > > To avoid the PulseAudio sandboxing limitations, security was > > > baked-in: a per-client permissions bitfield is attached to every > > > PipeWire node — where one or more SPA nodes are wrapped. This > > > security-aware design allowed easy and safe integration with Flatpak > > > portals; the sandboxed-application permissions interface now promoted > > > to a freedesktop XDG standard. > > > > And it gets better! In particular, this sounds very promising: > > > > > a native fully asynchronous protocol that was inspired by Wayland — > > > without the XML serialization part — was implemented over Unix-domain > > > sockets. Taymans wanted a protocol that is simple and hard-realtime > > > safe. > > > > It goes on to say they use this for sending file descriptors and stuff. > > The similarity to Wayland is very exciting, because it means we might > > just be able to run PipeWire over the existing virtio_wl infrastructure > > very efficiently. > > Yes. I wonder why they didn't just use Wayland directly. Removing the > XML schema files (I assume that's what they mean) doesn't seem like an > improvement. That's what makes it easy to use Wayland from safer > languages than C! Yeah I was a bit surprised to see that too. Maybe they're not expecting the protocol to grow extensions and stuff as much as Wayland, so automatic code generation is less valuable? But I'm not sure -- I haven't looked into it.