On 2014-01-07 15:07, Martin Peres wrote:
> Those are extremely rare cases. Users wanting to do that should agree
> they give up confidentiality and should thus be administrators in
> order to tell the compositor that.

Why should those people have worse security than others only because
they want a feature you define as non-standard?

> In this case, we can still restrict access to the interface to a
> handful of programs to lower the risks, but it will still be possible
> for these applications to spy on the user without him knowing and this
> is something that shouldn't be allowed by default.

Like I said, we should be able to let polkit decide. You could even distribute a .rules file which white-lists an application if we pass the executable path.

> You may be right. I meant for screen grabbing (images or videos), no idea
> what restricted interface could be useful for a wayland compositor.
>
> Any idea?

The GNOME accessibility team need a few restricted protocols. Don't know about
the details, though.

> Would it be ok for you if the compositor asked the user to agree for
> the program to do the operation? If so, we can guarantee that this is
> really the user's intent and allow the application. We can also add a
> security warning with a "Do not ask again" checkbox. Would it be
> satisfactory to you?

If an application has the permission to use a restricted protocol it already
met all the requirements. You should talk to the polkit dev if you want such
a feature, I guess.

> I don't really like mandating compositors to implement that much code,
> but that's the only secure way I see to allow the use cases you want
> to allow.

And that's exactly why I don't want to implement the authorization checking
in the compositor! We can safely let polkit decide in non-obvious cases.
Less code in the compositor, less duplicated code and less security risks
because polkit is designed to do that.

> By the way, I asked Peter about the security of input and that should
> be good. We then discussed visual feedback as a means to provide some
> mitigation and show some applications are grabbing the screen in the
> background. That may be something you would be interested in, in your
> case. What do you think?

I'm personally not interested in it but I guess it's a nice feature for some
people and I don't see why it should not work.
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel
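
The polkit approach suggested in the message above (a .rules file that white-lists an application by the executable path the compositor passes), sketched as an added example that is not code from this thread or from the Wayland or polkit projects. The action id, the `executable` detail key and the path are hypothetical, and the small `polkit` stand-in exists only so the rule can be run under Node.

```javascript
// Added illustration; the action id, detail key and path are hypothetical.
const ACTION_ID = "org.example.compositor.screen-capture";
const ALLOWED_EXECUTABLES = new Set(["/usr/bin/example-screenshot"]);

// Stand-in for the global `polkit` object that polkitd gives to .rules files,
// constructed here only so the rule can be exercised under Node.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The part that would live in the .rules file.
polkit.addRule(function (action, subject) {
  if (action.id !== ACTION_ID) return polkit.Result.NOT_HANDLED;
  // Refuse remote or inactive sessions outright.
  if (!subject.local || !subject.active) return polkit.Result.NO;
  // Assumption: the compositor resolves this path itself from the client's
  // connection; a value supplied by the client would be worthless here.
  const exe = action.lookup("executable");
  // Exact match only: a prefix test would also admit look-alike paths.
  if (typeof exe === "string" && ALLOWED_EXECUTABLES.has(exe)) return polkit.Result.YES;
  // Everything else is a non-obvious case: require administrator authentication.
  return polkit.Result.AUTH_ADMIN;
});

// Minimal evaluator: the first rule returning a definite result wins.
function decide(actionId, details, subject) {
  const action = { id: actionId, lookup: (key) => details[key] };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample requests from an active local session.
const session = { local: true, active: true };
console.log(decide(ACTION_ID, { executable: "/usr/bin/example-screenshot" }, session));
console.log(decide(ACTION_ID, { executable: "/usr/bin/example-screenshot2" }, session));
```
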
