On Sep 5, 2008, at 6:19 PM, Tracy R Reed wrote:

By what mechanism would a malicious webapp or plugin snag your window system mouse and keyboard events? I know it possibly could, I'm just wondering exactly how that works and whether there is a capability wrapping it where the security policy could check it.


In X11, any app can "take" the mouse and keyboard, or even just "listen" to the mouse and/or keyboard without even being the "active" window or app.

This is why "xhost +" is the equivalent of saying to the Internet "Please, come in, I've enabled remote keylogging for free!" Yes, we've had direct experience with someone from Romania event-sniffing a coworker's machine via X11 and then walking in with the sniffed passwords 6 months later.

If it's a local application, though (like, say, a web browser), on which a malicious web site is able to get code running that can do the same type of event sniffing, you're still just as owned, and there's probably not much SELinux could do about that without getting into X11 internals.

I'm not sure how it works in Windows or Mac.

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu
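
The exposure Gregory describes can be checked from a shell. What follows is an added example, not code from the original thread: it classifies the output of xhost(1) (whether access control is disabled, which is the state "xhost +" leaves you in) and scans `ss -ltn` output for an X display (TCP 6000-6063) bound to a non-loopback address, which is the combination that lets any host on the network attach to the display and select keyboard and mouse events. The function names and the sample command output embedded below are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes the output
# formats of `xhost` and `ss -ltn` shown in the constructed samples below.

# Classify xhost(1) output: "open" means access control is disabled
# (any client that can reach the display may connect), "restricted"
# means only the listed entries (e.g. SI:localuser:NAME) may connect.
x11_acl_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# Return 0 if `ss -ltn` output shows an X display (TCP 6000-6063)
# listening on something other than loopback, 1 otherwise.
x11_tcp_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            loop = (index($4, "127.") == 1 || index($4, "[::1]") == 1)
            if (port >= 6000 && port <= 6063 && !loop) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Combine both signals. $1 = xhost output, $2 = ss -ltn output.
x11_exposure() {
    acl=$(x11_acl_state "$1")
    if [ "$acl" = open ] && x11_tcp_exposed "$2"; then
        echo network-keylog-risk   # remote hosts can connect and sniff events
    elif [ "$acl" = open ]; then
        echo local-only-open       # open ACL, but display not reachable over TCP
    else
        echo restricted
    fi
}

# Constructed sample output (assumption: typical xhost / ss formats).
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_SAFE='access control enabled, only authorized clients can connect
SI:localuser:tracy'
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    [::]:6000           [::]:*'
SS_SAFE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:6000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# On a live box you would run:  x11_exposure "$(xhost)" "$(ss -ltn)"
# To close the hole: `xhost -` and then `xhost +SI:localuser:$USER`.
echo "open ACL + TCP listener: $(x11_exposure "$XHOST_OPEN" "$SS_EXPOSED")"
echo "open ACL, loopback only: $(x11_exposure "$XHOST_OPEN" "$SS_SAFE")"
echo "restricted ACL:          $(x11_exposure "$XHOST_SAFE" "$SS_EXPOSED")"
```

Note that a "restricted" result only closes the remote path; as the message says, a local process that is allowed to connect (such as a browser running attacker-supplied code) can still select events on other windows, and that is not something the X access list can prevent.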



-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
