From: Alyssa Ross <hi@alyssa.is>
To: discuss@spectrum-os.org
Subject: Proxying Wayland for untrusted clients
Date: Sat, 22 May 2021 13:05:38 +0000
Message-ID: <8735ueudel.fsf@alyssa.is>
CC: Aaron Janse, Puck Meerburg, Thomas Leonard
List-Id: General high-level discussion about Spectrum

I've been thinking a lot about this for a while, thanks to conversations with Thomas and Puck, CCed here. I think it's time to put it into words properly and start working towards making it happen.

One of the benefits that Wayland is supposed to have over X11 is security. A Wayland application isn't supposed to be able to record the screen without user permission, for example. But in most compositors, it can, with no restrictions.

Existing Wayland compositors are monolithic, and each one would have to implement its own access controls. (Mutter already does this to some extent, at least for screen sharing, I believe.) The popular Wayland compositors are largely focused on being feature-complete reimplementations of their X11 equivalents, and so taking advantage of the security features and access controls the Wayland protocol makes possible hasn't been a priority for them. Additionally, every popular Wayland compositor is written in a memory-unsafe language, and this combined with the complexity of the Wayland protocol, with all the extensions involved, presents a serious concern to applications of Wayland that involve untrusted clients.

To solve these problems, I propose a proxy program that sits between Wayland clients and the compositor, in the same privilege domain as the compositor. The proxy would decode and re-encode every Wayland request (client->compositor message), and would discard any request it didn't understand. This would mitigate the problem of a large, privileged program written in a memory-unsafe language being exposed to untrusted inputs.
Additionally, the proxy would support a plugin interface, through which the user of the proxy (or their distributor) could configure custom behaviour. This could be used to prompt the user for confirmation before allowing a screen capture request, or even to implement a similar thing for e.g. clipboard access, for which there is no support in the Wayland protocol. It could even be used to modify surfaces, to implement things like Qubes-style unspoofable coloured window borders.

This approach would allow permissions systems and other custom Wayland behaviour to be implemented in a compositor-independent manner. Distributions which support several compositors could implement customisations in a single place, and users of compositors which lack security features and the assurances memory-safety can provide against untrusted input would gain access to those things.

I'd like to hear feedback here, but I think early in the life of this idea we should also reach out to the broader Wayland community. I think there's a lot of potential for this idea beyond Spectrum, and it would be great if it could be something developed with input from a big breadth of Wayland users. If we can do that, it might be sensible for it to live at freedesktop.org? I'm not sure how that works.

Let me know what you all think. :)
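The decode, check and re-encode step the message proposes, as an added example that is not part of the original post or of any Spectrum code: a small Rust filter over the Wayland wire format. It assumes a little-endian host (the wire format uses host byte order) and a hand-picked signature table covering only wl_display.sync, wl_display.get_registry and wl_registry.bind; the `Proxy`/`Outcome` names, the per-object interface table and the choice to hang up on an unframeable length are the example's own. The policy is the one the message states: each request is decoded against its signature, anything addressed to an unknown object, using an unknown opcode, or carrying a malformed or trailing body is dropped, and what is forwarded is rebuilt from the decoded values rather than copied from the client's bytes. Message boundaries are checked before any argument is read, so a client cannot make the proxy read past a message, and client-allocated object ids are checked for reuse.

```rust
// Added example, not code from the original post or the Spectrum project. Assumes a
// little-endian host and a hand-picked signature subset of wl_display/wl_registry.
use std::collections::HashMap;
// NewId: new object with a protocol-fixed interface. Bind: wl_registry.bind's tail,
// (string interface, uint version, new_id), where the client names the interface.
#[derive(Clone, Copy)]
enum Arg { Uint, NewId(&'static str), Bind }
struct Method { opcode: u16, args: &'static [Arg] }
static WL_DISPLAY: &[Method] = &[
    Method { opcode: 0, args: &[Arg::NewId("wl_callback")] }, // sync(callback)
    Method { opcode: 1, args: &[Arg::NewId("wl_registry")] }, // get_registry(registry)
];
static WL_REGISTRY: &[Method] = &[
    Method { opcode: 0, args: &[Arg::Uint, Arg::Bind] }, // bind(name, interface, version, id)
];

fn u32_at(buf: &[u8], off: usize) -> Option<u32> {
    buf.get(off..off.checked_add(4)?).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}
/// Wayland string: u32 length including the NUL, the bytes, then padding to 32 bits.
fn str_at(buf: &[u8], off: usize) -> Option<(String, usize)> {
    let len = u32_at(buf, off)? as usize;
    let bytes = buf.get(off + 4..(off + 4).checked_add(len)?)?;
    if len == 0 || bytes[len - 1] != 0 || bytes[..len - 1].contains(&0) { return None; }
    let s = std::str::from_utf8(&bytes[..len - 1]).ok()?.to_string();
    Some((s, off + 4 + ((len + 3) & !3)))
}
fn put_str(out: &mut Vec<u8>, s: &str) {
    out.extend_from_slice(&(s.len() as u32 + 1).to_le_bytes());
    out.extend_from_slice(s.as_bytes());
    out.push(0);
    while out.len() % 4 != 0 { out.push(0); }
}
/// Wire header: 32-bit object id, then (length in bytes << 16 | opcode). Builds sample input.
fn msg(object: u32, opcode: u16, body: &[u8]) -> Vec<u8> {
    let mut m = object.to_le_bytes().to_vec();
    m.extend_from_slice(&((((8 + body.len()) as u32) << 16) | opcode as u32).to_le_bytes());
    m.extend_from_slice(body);
    m
}

struct Outcome { out: Vec<u8>, forwarded: usize, dropped: usize, pending: usize }
struct Proxy { objects: HashMap<u32, String> } // object id -> interface name
impl Proxy {
    fn new() -> Self { Proxy { objects: HashMap::from([(1, "wl_display".to_string())]) } }
    fn fresh(&self, id: u32) -> Option<u32> { // client ids must be non-zero and unused
        if id == 0 || self.objects.contains_key(&id) { None } else { Some(id) }
    }
    /// Decode one request against its signature; Some(re-encoded message) if known and well formed.
    fn decode(&mut self, object: u32, opcode: u16, body: &[u8]) -> Option<Vec<u8>> {
        let table = match self.objects.get(&object)?.as_str() { // unknown object: drop
            "wl_display" => WL_DISPLAY, "wl_registry" => WL_REGISTRY, _ => return None,
        };
        let method = table.iter().find(|m| m.opcode == opcode)?; // unknown request: drop
        let (mut out, mut off, mut created) = (vec![0u8; 8], 0usize, Vec::new());
        for arg in method.args {
            match *arg {
                Arg::Uint => { out.extend_from_slice(&u32_at(body, off)?.to_le_bytes()); off += 4; }
                Arg::NewId(iface) => {
                    let id = self.fresh(u32_at(body, off)?)?;
                    out.extend_from_slice(&id.to_le_bytes());
                    created.push((id, iface.to_string()));
                    off += 4;
                }
                Arg::Bind => {
                    let (iface, next) = str_at(body, off)?;
                    let (version, id) = (u32_at(body, next)?, self.fresh(u32_at(body, next + 4)?)?);
                    put_str(&mut out, &iface);
                    out.extend_from_slice(&[version.to_le_bytes(), id.to_le_bytes()].concat());
                    created.push((id, iface));
                    off = next + 8;
                }
            }
        }
        if off != body.len() { return None; } // trailing bytes the signature does not explain
        let len = out.len() as u32;
        out[..4].copy_from_slice(&object.to_le_bytes());
        out[4..8].copy_from_slice(&((len << 16) | opcode as u32).to_le_bytes());
        self.objects.extend(created); // new objects become known only when the request is forwarded
        Some(out)
    }
    /// Filter a chunk of client->compositor bytes; Err means the stream can no longer be framed.
    fn filter(&mut self, buf: &[u8]) -> Result<Outcome, &'static str> {
        let (mut r, mut off) = (Outcome { out: Vec::new(), forwarded: 0, dropped: 0, pending: 0 }, 0);
        while off < buf.len() {
            let (object, word) = match (u32_at(buf, off), u32_at(buf, off + 4)) {
                (Some(o), Some(w)) => (o, w),
                _ => break, // partial header: keep the bytes for the next read
            };
            let (len, opcode) = ((word >> 16) as usize, (word & 0xffff) as u16);
            if len < 8 || len % 4 != 0 { return Err("unframeable message length: disconnect client"); }
            if off + len > buf.len() { break; } // partial body: keep for the next read
            match self.decode(object, opcode, &buf[off + 8..off + len]) {
                Some(encoded) => { r.out.extend_from_slice(&encoded); r.forwarded += 1; }
                None => r.dropped += 1,
            }
            off += len;
        }
        r.pending = buf.len() - off;
        Ok(r)
    }
}
fn main() { // demo: wl_display.get_registry(2) is forwarded; wl_display opcode 7 is unknown and dropped
    let r = Proxy::new().filter(&[msg(1, 1, &2u32.to_le_bytes()), msg(1, 7, &[0; 4])].concat()).unwrap();
    println!("forwarded {}, dropped {}, pending {}", r.forwarded, r.dropped, r.pending);
}
```

Two things a real proxy has to handle that this example leaves out. File-descriptor arguments travel as SCM_RIGHTS ancillary data rather than in the byte stream, so the proxy must also count and pass along the right number of descriptors per message. And silently dropping a request such as wl_display.sync leaves a well-behaved client waiting for a wl_callback that never arrives; a deployed filter would probably want to answer an unknown request with a wl_display.error event (or disconnect the client) rather than stay quiet.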