[arch-general] sandboxing

sivmu sivmu at web.de
Sun Feb 5 05:10:51 UTC 2017



On 05.02.2017 at 05:16, Shridhar Daithankar wrote:
> On Saturday 4 February 2017 7:28:31 AM IST sivmu wrote: 
>> As long as the application has access to the xwayland instance, which is
>> by default the case when xwayland is available, it can influence all
>> other applications that still use the x-protocol.
> 
> Just to understand, if there are two applications using xwayland, under a 
> wayland session, will they be still able to look at each other's resources?
> 
> If the answer is no, the security is equivalent to the wayland applications, 
> since the xwayland instance is essentially a sandbox?
> 

Not sure what you mean with resources.

This point is about the insecurity of the X Window System architecture,
which basically assumes that all applications are to be trusted. There
is no built-in security, therefore failing modern threat models completely.

This explains it pretty well I guess:
https://theinvisiblethings.blogspot.de/2011/04/linux-security-circus-on-gui-isolation.html

All of that is equally true for x-wayland, which is just a modified
xserver run alongside a wayland instance to allow x applications to run
on wayland compositors like weston.


>>
>> Only the input/output  of applications using only the wayland protocol
>> are somewhat safe from this attack vector.
>> To fully close this risk, full adaption of wayland in all applications
>> is necessary, because then you no longer need any xserver.
> 
> Again, if a wayland application and a xwayland application are running side-
> by-side, the xwayland application cannot peek into the resources of the wayland 
> application, right?
> 

If I am not mistaken it does not matter if an application is run on
xwayland or directly on wayland, in regards to what it can capture.

All applications can see input/output of all other applications using
the X Server Protocol, no matter what they themselves are using.

You can test this by running xinput in a terminal, as explained in the
linked article.

No matter where you run it, you can capture the input of x applications.
You can however not capture the input of wayland applications (at least
not that easily).

So if you want to avoid that other applications can snoop e.g. on your
terminal input where you enter your root password, you need to use one
that can work directly on wayland. Termite is a great terminal that
supports wayland.

Btw. to fully prevent keylogging on wayland, you need to do more, e.g. by
sandboxing, since there are ways to work around the security of wayland
where the default linux security model is weaker than that of the
wayland architecture.

More info here:
https://www.reddit.com/r/linux/comments/23mj49/wayland_is_not_immune_to_keyloggers/


I hope I did not mess up that explanation, if I did someone please hit me.
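A defender-side check for the distinction drawn in the message above, added here as an example and not part of the thread: it pairs the two endpoints of each unix stream socket in `ss -xp` output to tell which GUI clients are connected to an X server (and are therefore visible to any X client, xinput included) and which talk to the Wayland compositor directly. The `ss` line format, the socket paths and the process names in the sample are assumptions.

```python
import re

# Constructed sample of `ss -xp` output (not a real capture). A connected
# unix stream socket shows up twice, once per endpoint; the client's peer
# inode equals the local inode of the server-side endpoint.
SAMPLE_SS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 @/tmp/.X11-unix/X0 30001 * 30002 users:(("Xwayland",pid=900,fd=20))
u_str ESTAB 0 0 * 30002 * 30001 users:(("xterm",pid=1200,fd=3))
u_str ESTAB 0 0 /run/user/1000/wayland-0 40001 * 40002 users:(("sway",pid=800,fd=15))
u_str ESTAB 0 0 * 40002 * 40001 users:(("termite",pid=1300,fd=4))
u_str ESTAB 0 0 /run/user/1000/wayland-0 40003 * 40004 users:(("sway",pid=800,fd=16))
u_str ESTAB 0 0 * 40004 * 40003 users:(("Xwayland",pid=900,fd=5))
"""

# Captures: local path, local inode, peer path, peer inode, process name, pid.
LINE_RE = re.compile(r'^u_str\s+ESTAB\s+\d+\s+\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+'
                     r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')

def server_protocol(path):
    """Name the display protocol a server-side socket path belongs to."""
    if "/.X11-unix/X" in path:      # X server (Xorg or Xwayland), abstract or filesystem socket
        return "x11"
    if path.rsplit("/", 1)[-1].startswith("wayland-"):   # compositor socket
        return "wayland"
    return None

def classify_clients(ss_output):
    """Map (process name, pid) -> set of display protocols that process is a client of."""
    servers, clients = {}, []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lpath, linode, _ppath, pinode, name, pid = m.groups()
        if lpath != "*":            # named endpoint: the listening server's side
            servers[int(linode)] = server_protocol(lpath)
        else:                       # anonymous endpoint: the client's side
            clients.append((int(pinode), name, int(pid)))
    result = {}
    for pinode, name, pid in clients:
        proto = servers.get(pinode)  # resolve the client through its peer inode
        if proto:
            result.setdefault((name, pid), set()).add(proto)
    return result

def exposed_to_x_snooping(ss_output):
    """Names of clients that speak X11 and are therefore visible to every other X client."""
    return sorted({n for (n, _pid), p in classify_clients(ss_output).items() if "x11" in p})
```

On a live system, feed the text of `ss -xp` to `classify_clients` instead of `SAMPLE_SS`; a terminal that shows up under "x11" is one whose typed input other X clients can observe.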

