Hi! I'm Alyssa and I'm working on Spectrum[1], which is a project aiming to create a compartmentalized desktop Linux system, with high levels of isolation between applications.
One big issue for us is protecting the system against potentially malicious Wayland clients. It's important that a compartmentalized application can't read from the clipboard or take a screenshot of the whole desktop without user consent. (The latter is possible in wlroots compositors with wlr-screencopy.)

So an idea I had was to write a proxy program that would sit in front of the compositor, and receive connections from clients. If a client sent a wl_data_offer::receive, for example, the proxy could ask for user confirmation before forwarding that to the compositor.

I could just implement this stuff in a compositor, but doing it with a proxy would mean that a known subset of the protocol could be used with any compositor, with appropriate access controls. It would also be a reusable component that could be customised to have different access control policy depending on the needs of a distributor or user.

Which brings me to the reason I'm bringing this all up on wayland-devel. I'd be grateful for any input about this idea, especially:

* Is this a sensible idea? Is there something I haven't considered which would make this unworkable, and force me to do a compositor-specific implementation instead?

* Is this something that would be likely to be generally useful, outside of our project? Would it make sense as something to collaborate on / have as a freedesktop.org project?

[1]: https://spectrum-os.org/

Alyssa Ross
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
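The core of the proposed proxy, as an added illustration that is not Spectrum code and not from the thread: it splits the Wayland wire stream into messages (8-byte header of object id and size/opcode, native-endian u32 words), learns which interface each object id has from a handful of core messages (wl_display::get_registry, wl_registry::bind, wl_data_device_manager::get_data_device and the wl_data_device::data_offer event), and consults a consent callback before forwarding wl_data_offer::receive. The opcodes are those of the core wayland.xml; the Proxy class, the consent callback, the demo session and the message bytes are constructed here for the example. The fd argument of receive travels as SCM_RIGHTS ancillary data rather than in the byte stream, so a real proxy must also intercept and close that fd when it drops the request (the client then reads EOF, i.e. an empty selection).

```python
"""Gate wl_data_offer::receive in a client-side Wayland proxy (illustrative).

Example code, not Spectrum's: wire-format parsing, object-id tracking and a
consent hook. Opcodes come from the core wayland.xml; everything else here
(Proxy, the consent callable, the sample session) is an assumption for the demo.
"""
import struct

U32 = struct.Struct("=I")      # Wayland words are native-endian u32
HEADER = struct.Struct("=II")  # object id, then (size << 16) | opcode

# Core-protocol opcodes used below (declaration order in wayland.xml).
WL_DISPLAY_GET_REGISTRY = 1                 # wl_display request
WL_REGISTRY_BIND = 0                        # wl_registry request
WL_DATA_DEVICE_MANAGER_GET_DATA_DEVICE = 1  # wl_data_device_manager request
WL_DATA_DEVICE_DATA_OFFER = 0               # wl_data_device event
WL_DATA_OFFER_RECEIVE = 1                   # wl_data_offer request
SERVER_OFFER_ID = 0xFF000000                # server-allocated ids start here


def split_messages(buf):
    """Split a byte stream into (object_id, opcode, payload); keep a partial tail."""
    msgs, off = [], 0
    while len(buf) - off >= HEADER.size:
        obj, size_op = HEADER.unpack_from(buf, off)
        size, opcode = size_op >> 16, size_op & 0xFFFF
        if size < HEADER.size:
            raise ValueError("malformed Wayland message size %d" % size)
        if len(buf) - off < size:
            break  # incomplete message; wait for more bytes
        msgs.append((obj, opcode, buf[off + HEADER.size:off + size]))
        off += size
    return msgs, buf[off:]


def read_uint(payload, off):
    return U32.unpack_from(payload, off)[0], off + 4


def read_string(payload, off):
    n, off = read_uint(payload, off)  # length includes the trailing NUL; 0 = null string
    if n == 0:
        return None, off
    return payload[off:off + n - 1].decode(), off + ((n + 3) & ~3)  # 32-bit padded


def encode_string(s):
    data = s.encode() + b"\0"
    return U32.pack(len(data)) + data + b"\0" * (-len(data) % 4)


def message(obj, opcode, *args):
    """Build one wire message; int args are u32/new_id/object, bytes are pre-encoded."""
    body = b"".join(a if isinstance(a, bytes) else U32.pack(a) for a in args)
    return HEADER.pack(obj, ((HEADER.size + len(body)) << 16) | opcode) + body


class Proxy:
    def __init__(self, consent):
        self.iface = {1: "wl_display"}  # object id -> interface name
        self.consent = consent          # callable(iface, request, args) -> bool (assumed)

    def on_event(self, obj, opcode, payload):
        """Compositor -> client: learn server-created objects; events are always forwarded."""
        if self.iface.get(obj) == "wl_data_device" and opcode == WL_DATA_DEVICE_DATA_OFFER:
            self.iface[read_uint(payload, 0)[0]] = "wl_data_offer"

    def on_request(self, obj, opcode, payload):
        """Client -> compositor: track new ids; return True to forward the request."""
        iface = self.iface.get(obj)
        if iface == "wl_display" and opcode == WL_DISPLAY_GET_REGISTRY:
            self.iface[read_uint(payload, 0)[0]] = "wl_registry"
        elif iface == "wl_registry" and opcode == WL_REGISTRY_BIND:
            _, off = read_uint(payload, 0)         # global name
            name, off = read_string(payload, off)  # interface name
            _, off = read_uint(payload, off)       # version
            self.iface[read_uint(payload, off)[0]] = name
        elif iface == "wl_data_device_manager" and opcode == WL_DATA_DEVICE_MANAGER_GET_DATA_DEVICE:
            self.iface[read_uint(payload, 0)[0]] = "wl_data_device"
        elif iface == "wl_data_offer" and opcode == WL_DATA_OFFER_RECEIVE:
            mime, _ = read_string(payload, 0)
            # The fd is in SCM_RIGHTS ancillary data, not here; close it if denied.
            return self.consent(iface, "receive", {"mime_type": mime})
        return True

    def filter_requests(self, buf):
        """Return (bytes to forward, dropped [(iface, opcode)], unconsumed tail)."""
        msgs, rest = split_messages(buf)
        out, dropped = [], []
        for obj, opcode, payload in msgs:
            if self.on_request(obj, opcode, payload):
                out.append(message(obj, opcode, payload))
            else:
                dropped.append((self.iface.get(obj), opcode))
        return b"".join(out), dropped, rest


def demo(allow):
    """Constructed session: bind the data device manager, get an offer, try receive."""
    proxy = Proxy(lambda iface, req, args: allow)
    setup = (message(1, WL_DISPLAY_GET_REGISTRY, 2)
             + message(2, WL_REGISTRY_BIND, 5, encode_string("wl_data_device_manager"), 3, 3)
             + message(3, WL_DATA_DEVICE_MANAGER_GET_DATA_DEVICE, 4, 6))
    proxy.filter_requests(setup)
    for obj, opcode, payload in split_messages(message(4, WL_DATA_DEVICE_DATA_OFFER, SERVER_OFFER_ID))[0]:
        proxy.on_event(obj, opcode, payload)
    fwd, dropped, _ = proxy.filter_requests(
        message(SERVER_OFFER_ID, WL_DATA_OFFER_RECEIVE, encode_string("text/plain")))
    return fwd, dropped, proxy.iface


if __name__ == "__main__":
    print(demo(False)[1])
```

Everything outside the gated subset is forwarded untouched, which is what makes the proxy compositor-agnostic; the object table is the part that grows with every protocol extension you want to police (wlr-screencopy would add its own manager and frame objects), and its new_id bookkeeping must be exact, since a client that confuses the proxy about an object's interface can route a gated request past the policy.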