[arch-general] sandboxing

Shridhar Daithankar ghodechhap at ghodechhap.net
Sun Feb 5 05:38:09 UTC 2017


On Sunday 5 February 2017 6:10:51 AM IST sivmu wrote:
> Am 05.02.2017 um 05:16 schrieb Shridhar Daithankar:
> > On Saturday 4 February 2017 7:28:31 AM IST sivmu wrote:
> >> As long as the application has access to the xwayland instance, which is
> >> by default the case when xwayland is available, it can influence all
> >> other applications that still use the X protocol.
> > 
> > Just to understand, if there are two applications using xwayland, under a
> > wayland session, will they be still able to look at each other's
> > resources?
> > 
> > If the answer is no, the security is equivalent to the wayland
> > applications, since xwayland instance is essentially a sandbox?
> 
> Not sure what you mean with resources.

devices and events, mostly.

> This point is about the insecurity of the X Window System architecture,
> which basically assumes that all applications are to be trusted. There
> is no built-in security, therefore failing modern threat models completely.
> 
> This explains it pretty well I guess:
> https://theinvisiblethings.blogspot.de/2011/04/linux-security-circus-on-gui-isolation.html

OK. It confirms my understanding that X clients can listen to each other's
events and modify them.

But in xwayland, things are a bit different.

https://lists.freedesktop.org/archives/wayland-devel/2014-January/012777.html

As the thread suggests, if there is a separate X server instance per xwayland 
application, they won't be able to snoop on each other.

> Btw. to fully prevent keylogging on wayland, you need to do more, e.g. by
> sandboxing, since there are ways to work around the security of wayland
> where the default Linux security model is weaker than that of the
> wayland architecture.
> 
> More info here:
> https://www.reddit.com/r/linux/comments/23mj49/wayland_is_not_immune_to_keyloggers/

Exactly. If I am running chromium with firejail, which whitelists what
chromium can do to the file system (even better with --private); the browser
cannot tamper with .profile/.bash_profile or .ssh.

-- 
Regards
 Shridhar
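The whitelist/--private setup mentioned at the end of the message, written out as an added example of a per-user firejail profile. This is not a profile from the firejail project or from the poster; the directory names under ${HOME} and the path ~/.config/firejail/chromium.profile (the per-user location firejail consults before /etc/firejail) are assumptions for illustration, and the `x11 xpra` line assumes xpra is installed.

```conf
# Added example: ~/.config/firejail/chromium.profile (assumed location).
# Goal: the browser gets a home of its own, so .profile, .bash_profile and
# .ssh are simply absent inside the sandbox rather than merely blacklisted.

# Weak variant, for comparison: hide individual files and hope the list is
# complete. Anything not listed (e.g. ~/.config/autostart) stays writable.
#blacklist ${HOME}/.ssh
#blacklist ${HOME}/.profile
#blacklist ${HOME}/.bash_profile

# Stronger variant: whitelist. Only these directories are mounted into the
# sandbox's home; every other path under ${HOME} does not exist there.
# (Directory names are constructed for this example.)
whitelist ${HOME}/Downloads
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium

# Equivalent to the --private flag from the message: an empty, throwaway
# home for each run. Uncomment instead of the whitelist lines for a
# stateless browser session.
#private

# Standard hardening shipped with firejail's include files.
include /etc/firejail/disable-common.inc
private-tmp
private-dev
caps.drop all
nonewprivs
noroot
seccomp
protocol unix,inet,inet6,netlink

# Relates to the X snooping point in the thread: run the client on its
# own xpra-backed X server instead of the session's shared one, so other
# X clients cannot see its events. Assumes xpra is installed.
x11 xpra
```

To check the effect rather than trust the profile, launch a shell with the same profile and list the home directory from inside: `firejail --profile=~/.config/firejail/chromium.profile ls -a ~` should show only the whitelisted directories (or an empty home with `private`), and `.ssh` should not be present at all.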

