-
Notifications
You must be signed in to change notification settings - Fork 557
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wayland security context support #5883
Comments
FWIW, the Flatpak impl: flatpak/flatpak#4920 |
This protocol is already implemented by Kwin and sway. I am interested in trying to implement this but before I start I would like to ask some general questions about how this should be implemented and configured. By looking at how some mechanisms for x11 are implemented:
Do you have any preferences for this or other things I should keep in mind? |
One more point I thought of: much like the What are your thoughts on this @glitsj16 @kmk3 @rusty-snake ? |
This seems very doable indeed. I don't think there's anything special here besides implementing and editing the affected profiles and the profile template.
Personally I like this proposal.
Yes, I wouldn't expect anything unusual here. But @kmk3 is much better placed to advise on the particulars involved/potential implementation details to follow etcetera.
This is probably the trickier part of your proposal. I mean, there are pro's and con's here to consider for both suggestions and that's always very difficult to judge. No personal preference. On the topic of All in all a generous offer to work on this :-) Regards |
Consequences of fail is that we can not add it to any profile, hence "normal" users will not benefit from it, only power users who create .locals or add it to globals.local. If we go with warning/info (I prefer) we can add it to profiles upstream as long as someone tested it with a supporting compositor and normal users can benefit. For the most features we don't do a hard-fail if the platform requirements are not satisfied. Some features do hard-fail, but only when requested on command-line not when requested by a profile.
I do not like the include cluttering, we need snippets. Nevermind, how about
|
FWIW, Flatpak just carries on without the protocol if the compositor doesn't support it. Do note that Flatpak makes the difference between missing compositor support (global not advertised) and all other kind of errors when setting up the Wayland security context (these are hard failures). |
Is your feature request related to a problem? Please describe.
security-context is a wayland protocol that can be used by clients to create a new wayland socket. The same compositor instance will listen for connections on this sockets, but clients that connect to it cannot perform privileged operations.
Describe the solution you'd like
Firejail should use this protocol to further sandbox clients and prevent them from screenscrapping, creating transparent fullscreen overlays and permanent keyboard hijacking, other attacks. All these attack rely on "priviledged" protocols and are unavailable on sockets created via
security-context
.Describe alternatives you've considered
So far there hasn't been a way to do this. This protocol was introduced in wayland-protocols 1.32 which was released yesterday.
sway already has a patch with a working server implementations. I expect other wlroots compositors to follow suit.
Additional context
Shameless plug: I wrote a tiny cli client that creates a new socket at given path: https://git.sr.ht/~whynothugo/way-secure
This could be called on the host to create a socket inside the sandbox's
$XDG_RUNTIME_DIR
.The text was updated successfully, but these errors were encountered: