On Tue, 28 Mar 2017 at 15:33:41 -0700, Jordan Sissel wrote:
> I am interested in the security concerns here, but are there reliable barriers
> between different processes run by the same user in the same desktop session?
> What is the threat model y'all are defending against?

D-Bus was mentioned earlier in this thread, and the security model that we keep telling people applies there is:

* The uid who ran the session bus (dbus-daemon --session) can connect to it
* That uid is totally trusted
* If you don't like that, sandbox your untrusted app, don't let it open the normal D-Bus socket, and use some sort of filtering proxy like Flatpak does instead

<https://bugs.freedesktop.org/show_bug.cgi?id=100344> is a future design for having dbus-daemon offer less-trusted sockets in parallel with the totally trusted one, which would obsolete Flatpak's D-Bus proxy.

Several D-Bus services that listen on the session bus offer arbitrary code execution, a user can typically ptrace their own processes and achieve arbitrary code execution, and a user with write access to the home directory can achieve arbitrary code execution by writing configuration files - so there is no point in trying to provide a privilege boundary unless you have either a container like Flatpak, or an LSM like AppArmor, or both.

If Wayland is aiming to be at a higher level of security isolation than the D-Bus session bus - something you can bind-mount into your container and not worry about, without introducing secondary sockets like fd.o #100344 - then of course its tradeoffs might not be the same as for D-Bus.

S
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
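The "sandbox it and use a filtering proxy" option described in the reply above, as an added example that is not part of the thread: a Flatpak manifest excerpt showing the weak permission set (handing the sandboxed app the real session bus socket, which per the reply is whole-uid trust) beside the filtered one, where Flatpak starts its D-Bus proxy and forwards only the listed names. The app id org.example.Viewer, the command name and the runtime version are assumptions.

```yaml
# Added example, not from the thread. Hypothetical app id org.example.Viewer.
# Only the fields relevant to D-Bus access are shown.

# Weak: --socket=session-bus bind-mounts the session bus socket into the
# sandbox. Every connection on that socket is the fully trusted uid, so
# the D-Bus services that offer code execution are reachable as before.
app-id: org.example.Viewer
runtime: org.freedesktop.Platform
runtime-version: '22.08'
sdk: org.freedesktop.Sdk
command: viewer
finish-args:
  - --socket=wayland
  - --socket=session-bus        # unfiltered bus: no privilege boundary here

---
# Hardened: no raw socket. Without --socket=session-bus, Flatpak runs its
# D-Bus proxy between the app and the real bus and forwards only traffic
# allowed by --talk-name / --own-name, so the app sees a filtered bus.
app-id: org.example.Viewer
runtime: org.freedesktop.Platform
runtime-version: '22.08'
sdk: org.freedesktop.Sdk
command: viewer
finish-args:
  - --socket=wayland
  - --talk-name=org.freedesktop.Notifications   # may call this one service
  - --own-name=org.example.Viewer               # may claim only its own name
```

After installing, `flatpak info --show-permissions org.example.Viewer` lists the effective finish-args, which is the quickest way to confirm that `session-bus` is absent from the sockets line.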