general high-level discussion about spectrum
From: Michael Raskin <7c6f434c@mail.ru>
To: josh@joshdubois.com, discuss@spectrum-os.org
Subject: Re: Proxying Wayland for untrusted clients
Date: Sat, 22 May 2021 22:05:50 +0200
Message-ID: <E1lkXlt-0001fn-AI.7c6f434c-mail-ru@smtp58.i.mail.ru>
In-Reply-To: <28F22202-61F4-42F0-B8EC-B0EC6595D003@joshdubois.com>

>On May 22, 2021, at 8:05 AM, Alyssa Ross <hi@alyssa.is> wrote:
>> 
>> One of the benefits that Wayland is supposed to have over X11 is
>> security.  A Wayland application isn't supposed to be able to record the
>> screen without user permission, for example.  But in most compositors,
>> it can, with no restrictions. 
><snip>
>> 
>> To solve these problems, I propose a proxy program that sits between
>> Wayland clients and the compositor, in the same privilege domain as the
>> compositor.
><snip>
>> If we can do that, it might be sensible for
>> it to live at freedesktop.org?  I'm not sure how that works.
>
>I am curious, if you have time, to hear more on why the approach of a proxy vs picking a compositor and implementing security there.
>
>If the problem is that the Wayland community so far has not considered security a priority, it seems that a security proxy may suffer from those same forces.  Basically, will it be easier to attract developers or gain widespread adoption of a proxy as opposed to getting buy-in to do security directly in a compositor?  You mention writing in a memory safe language and having a compositor neutral solution as technical advantages.
>
>Do you think a proxy is a good choice primarily because it can achieve a better technical result, or is the choice of a new component more a matter of difficulty getting community buy-in from a popular compositor and doing security there? How would you weigh the upsides of a new project against the difficulties of getting a new thing off the ground and adopted?
>
>(This is really just curiosity on my part and my $0.02 from the outside.  You may have already had a lot of discussions about that, or even already tried talking to compositor folk and not gotten traction.  Seems worth some explicit consideration.)

Most programs do zero things right, especially popular ones. With an effort, you could get one thing right. Two things (like handling graphics hot-reconfiguration and complicated policy filtering) done right in the same program require either heroic effort, or huge resources, or something like that.

Or, from a less jaded and more technical point of view: hijacking a compositor means that you need to make sure changes forced from the driver side do not break the security side, and people could forget. An «I am just a client» proxy could have the nice property that breaking compatibility with it usually comes together with breaking compatibility with Firefox (on the server side) or Plasma (on the client side); and breaking the safety properties it expects also increases the risk of crashes in mainstream usage.
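
As an added illustration (not code from this thread or from Spectrum), here is a minimal Python model of the proxy the proposal describes: to the compositor it is just another client, to the client it is the compositor, and it edits wl_registry traffic in between. It withholds globals an untrusted client may not see and, because withholding an advertisement is not enforcement, also rejects bind requests for those names. The allowlist, the registry object id and the sample globals (including the screencopy interface used to stand in for "record the screen") are assumptions; the wire-format constants and opcodes follow the Wayland protocol specification.

```python
import struct

# Wayland wire format (from the protocol spec, native byte order): a message is
# a u32 sender object id, a u32 packing (size_in_bytes << 16) | opcode, then
# the arguments; a string is a u32 length counting the NUL, the bytes, and
# zero padding to a 4-byte boundary.
WL_REGISTRY_GLOBAL = 0         # event: name u32, interface string, version u32
WL_REGISTRY_GLOBAL_REMOVE = 1  # event: name u32
WL_REGISTRY_BIND = 0           # request: name u32, interface string, version u32, new_id u32

# Hypothetical policy for one untrusted client (an assumption, not Spectrum's).
ALLOWED_GLOBALS = {"wl_compositor", "wl_shm", "wl_seat", "xdg_wm_base"}

def _pad4(n):
    return (n + 3) & ~3

def encode_string(s):
    raw = s.encode() + b"\0"
    return struct.pack("=I", len(raw)) + raw.ljust(_pad4(len(raw)), b"\0")

def decode_string(buf, off):
    (length,) = struct.unpack_from("=I", buf, off)
    return bytes(buf[off + 4:off + 4 + length - 1]).decode(), off + 4 + _pad4(length)

def encode_message(obj_id, opcode, args):
    return struct.pack("=II", obj_id, ((8 + len(args)) << 16) | opcode) + args

def encode_global(registry_id, name, interface, version):
    args = struct.pack("=I", name) + encode_string(interface) + struct.pack("=I", version)
    return encode_message(registry_id, WL_REGISTRY_GLOBAL, args)

def encode_global_remove(registry_id, name):
    return encode_message(registry_id, WL_REGISTRY_GLOBAL_REMOVE, struct.pack("=I", name))

def encode_bind(registry_id, name, interface, version, new_id):
    args = struct.pack("=I", name) + encode_string(interface) + struct.pack("=II", version, new_id)
    return encode_message(registry_id, WL_REGISTRY_BIND, args)

def iter_messages(buf):
    # Split a stream into (obj_id, opcode, args, raw); sizes are peer-controlled, so check them.
    off = 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated message header")
        obj_id, word = struct.unpack_from("=II", buf, off)
        size, opcode = word >> 16, word & 0xFFFF
        if size < 8 or off + size > len(buf):
            raise ValueError("malformed message size")
        yield obj_id, opcode, buf[off + 8:off + size], buf[off:off + size]
        off += size

class RegistryFilter:
    def __init__(self, registry_id, allowed=ALLOWED_GLOBALS):
        self.registry_id = registry_id
        self.allowed = allowed
        self.hidden = {}  # global name -> interface withheld from this client

    def from_compositor(self, buf):
        # Events heading to the client: drop advertisements of disallowed globals.
        out = bytearray()
        for obj_id, opcode, args, raw in iter_messages(buf):
            if obj_id == self.registry_id and opcode == WL_REGISTRY_GLOBAL:
                (name,) = struct.unpack_from("=I", args, 0)
                interface, _ = decode_string(args, 4)
                if interface not in self.allowed:
                    self.hidden[name] = interface
                    continue
            elif obj_id == self.registry_id and opcode == WL_REGISTRY_GLOBAL_REMOVE:
                (name,) = struct.unpack_from("=I", args, 0)
                if self.hidden.pop(name, None) is not None:
                    continue  # the client never saw this name, so it must not see its removal
            out += raw
        return bytes(out)

    def from_client(self, buf):
        # Requests heading to the compositor: hiding is not enforcement, so a bind
        # to a withheld name (or a disallowed interface) is rejected here.
        out, rejected = bytearray(), []
        for obj_id, opcode, args, raw in iter_messages(buf):
            if obj_id == self.registry_id and opcode == WL_REGISTRY_BIND:
                (name,) = struct.unpack_from("=I", args, 0)
                interface, _ = decode_string(args, 4)
                if name in self.hidden or interface not in self.allowed:
                    rejected.append((name, interface))
                    continue
            out += raw
        return bytes(out), rejected

def demo():
    registry = 2  # object id the client gave its wl_registry (assumed)
    proxy = RegistryFilter(registry)
    # Constructed sample: three globals advertised by the compositor.
    from_comp = (encode_global(registry, 1, "wl_compositor", 4)
                 + encode_global(registry, 7, "zwlr_screencopy_manager_v1", 3)
                 + encode_global(registry, 8, "wl_shm", 1))
    seen = [decode_string(a, 4)[0] for _, op, a, _ in iter_messages(proxy.from_compositor(from_comp))
            if op == WL_REGISTRY_GLOBAL]
    # The client guesses the withheld name 7 and tries to bind it anyway.
    from_cli = (encode_bind(registry, 7, "zwlr_screencopy_manager_v1", 3, 3)
                + encode_bind(registry, 8, "wl_shm", 1, 4))
    to_comp, rejected = proxy.from_client(from_cli)
    return seen, rejected, sum(1 for _ in iter_messages(to_comp))
```

demo() returns the interface names the client was shown, the binds the proxy refused, and how many requests reached the compositor. Two caveats a real proxy has to handle that this model does not: silently discarding a bind leaves the client holding an object id the compositor never heard of, so the proxy should answer with a wl_display.error or disconnect the client rather than just drop the request; and Wayland passes file descriptors out of band with sendmsg, so the byte stream alone is not the whole channel.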

Thread overview: 11+ messages
2021-05-22 17:52 Josh DuBois
2021-05-22 20:05 ` Michael Raskin [this message]
  -- strict thread matches above, loose matches on Subject: below --
2021-05-22 13:05 Alyssa Ross
2021-05-22 13:45 ` Michael Raskin
2021-05-22 15:08   ` Alyssa Ross
2021-05-22 16:18   ` Michael Raskin
2021-05-22 17:22     ` Alyssa Ross
2021-05-22 18:48       ` Aaron Janse
2021-05-22 20:00     ` Michael Raskin
2021-05-22 17:13 ` Jean-Philippe Ouellet
2021-05-25 11:40   ` Alyssa Ross
