On May 22, 2021, at 8:05 AM, Alyssa Ross wrote:
One of the benefits that Wayland is supposed to have over X11 is security. A Wayland application isn't supposed to be able to record the screen without user permission, for example. But in most compositors, it can, with no restrictions.
<snip>
To solve these problems, I propose a proxy program that sits between Wayland clients and the compositor, in the same privilege domain as the compositor.
<snip>
If we can do that, it might be sensible for it to live at freedesktop.org? I'm not sure how that works.
I am curious, if you have time, to hear more on why the approach of a proxy vs picking a compositor and implementing security there.
If the problem is that the Wayland community so far has not considered security a priority, it seems that a security proxy may suffer from those same forces. Basically, will it be easier to attract developers or gain widespread adoption of a proxy as opposed to getting buy-in to do security directly in a compositor? You mention writing in a memory safe language and having a compositor neutral solution as technical advantages.
Do you think a proxy is a good choice primarily because it can achieve a better technical result, or is the choice of a new component more a matter of difficulty getting community buy-in from a popular compositor and doing security there? How would you weigh the upsides of a new project against the difficulties of getting a new thing off the ground and adopted?
(This is really just curiosity on my part and my $0.02 from the outside. You may have already had a lot of discussions about that, or even already tried talking to compositor folk and not gotten traction. Seems worth some explicit consideration.)
Most programs do zero things right, especially popular ones. With an effort, you could get one thing right. Two things (like handling graphics hot-reconfiguration and complicated policy filtering) done right in the same program require either heroic effort, or huge resources, or something like that. Or, from a less jaded and more technical point of view, hijacking a compositor means that you need to make sure changes forced from the driver side do not break the security side, and people could forget. An «I am just a client» proxy could have the nice property that breaking compatibility with it usually comes together with breaking compatibility with Firefox (on the server side) or Plasma (on the client side); and breaking the safety properties it expects also increases the risk of crashes in mainstream usage, too.