
Add support for security-context-v1/global filtering for untrusted clients

Open dep4 opened this issue 1 year ago • 4 comments

Hi,

I'm looking to create a plugin (or a minor patch to the compositor) to limit access for untrusted clients to Wayland protocols/features, i.e. screencopy, toplevel, etc., so that not any client can record the screen, for example. Criteria for how to distinguish trusted clients from untrusted ones are out of scope 😄

Could you please briefly describe how to intercept Wayland/Wayfire signals/messages, etc., for that?

Many thanks

dep4 avatar Feb 19 '24 16:02 dep4

In weston, the screenshooter protocol is protected because it only allows clients that were spawned by the compositor to use the protocol. So you use a compositor keybinding to launch the client and then compare the wl_client to others trying to access the protocol. Then you can check if it's not the compositor (or plugin) spawned client.

soreau avatar Feb 19 '24 16:02 soreau

Hi. If you are ready to write a Wayfire plugin, it should be quite easy. You need to set a custom callback for filtering globals with wl_display_set_global_filter() in the init() method and then accept/deny requests. Something like:

// Called by libwayland for every (client, global) pair; returning false hides
// the global from that client, so it can neither list nor bind it.
bool myfilter(const struct wl_client *client, const struct wl_global *global, void *data)
{
    return should_allow_for_client(global, client);
}

void init() override
{
    // Register the filter on the compositor's wl_display once, at plugin init.
    wl_display_set_global_filter(wf::get_core().display, myfilter, <custom data pointer>);
}

As @soreau mentioned, the hard part is figuring out which clients should get access to which protocols, but that is not a Wayfire-specific problem (and in general there are no generic solutions, otherwise we'd have already implemented it) :)

ammen99 avatar Feb 19 '24 16:02 ammen99
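The policy half of such a filter, as an added example that is neither ammen99's nor Wayfire's code: a list of privileged globals (assumed names, taken from the wlroots protocol extensions) and a set of wl_client pointers the compositor has marked as trusted (e.g. the client it spawned itself, as soreau describes), with privileged globals denied to everyone else by default. The libwayland adapter sits under an assumed WAYFIRE_PLUGIN define so the policy compiles stand-alone.

```cpp
#include <cstring>
#include <set>

// Interfaces that grant screen capture, window management or input injection.
// Assumed list for this example; a real plugin would extend it.
static const char *const PRIVILEGED_GLOBALS[] = {
    "zwlr_screencopy_manager_v1",
    "zwlr_export_dmabuf_manager_v1",
    "zwlr_foreign_toplevel_manager_v1",
    "zwlr_virtual_pointer_manager_v1",
    "zwp_virtual_keyboard_manager_v1",
    "zwlr_data_control_manager_v1",
};

// Trust state: wl_client pointers explicitly marked trusted by the compositor
// or plugin, plus a counter of denied bindings for auditing.
struct trust_policy {
    std::set<const void *> trusted;
    unsigned denied = 0;
};

static bool is_privileged(const char *iface) {
    for (const char *p : PRIVILEGED_GLOBALS)
        if (std::strcmp(p, iface) == 0) return true;
    return false;
}

// Decide whether `client` may see and bind global `iface`. Ordinary globals
// (wl_compositor, xdg_wm_base, ...) stay visible to everyone; privileged ones
// are visible only to trusted clients, and an unknown client is untrusted.
bool allow_global(trust_policy &policy, const void *client, const char *iface) {
    if (!is_privileged(iface)) return true;
    if (policy.trusted.count(client)) return true;
    policy.denied++;
    return false;
}

void mark_trusted(trust_policy &policy, const void *client) {
    policy.trusted.insert(client);
}

#ifdef WAYFIRE_PLUGIN
// Adapter with the wl_display_global_filter_func_t signature; needs
// <wayland-server.h> and is compiled only inside the plugin (assumed define).
static bool global_filter(const struct wl_client *client, const struct wl_global *global, void *data) {
    auto *policy = static_cast<trust_policy *>(data);
    return allow_global(*policy, client, wl_global_get_interface(global)->name);
}
// In init(): wl_display_set_global_filter(wf::get_core().display, global_filter, &policy);
#endif
```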

Actually, my bad. There are ways to do that; I hadn't realized that the protocol for it has been merged: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/68

So, I suppose you can implement security-context as a plugin which does exactly that. I also guess we need to keep a list of globals in core which are privileged, because some privileged protocols are implemented as a plugin.

I guess I'll keep this issue open because we probably should add this upstream, but I cannot give any ETA. If you work on this and want to upstream your work, send a PR on our way :)

ammen99 avatar Feb 19 '24 16:02 ammen99

Thanks so so much for prompt and detailed reply!!!

I created a plugin that fits my use case, it limits features to the first client (dock). https://github.com/dep4/wayfire-global-filter

dep4 avatar Feb 19 '24 20:02 dep4