Martin Roukala, né Peres

My publications

Security in Wayland-based Desktop Environments: Privileged Clients, Authorization, Authentication and Sandboxing!

Slides
Official Link
The X.Org Developer Conference 2014
Steve Dodier-Lazaro & Martin Peres

Abstract

We have been talking about security in the Graphics Stack for some time. Wayland has fixed all the problems we had… but at the expense of usability and accessibility, as applications are now unable to perform any sensitive task such as taking screenshots or injecting input events. Indeed, some applications (especially the ones related to accessibility) really DO require privileged capabilities and should work across the different Wayland compositors. Before designing privileged interfaces, it was thus necessary to think about how to handle privileged clients securely. The biggest issue with handling privileged clients is not how to grant them the rights; it is making sure that the user understands what is going on on his/her system. This sometimes requires capturing the user’s intent somewhere in the TCB (Trusted Code Base), often in the compositor.

In February, we proposed a way to handle privileged clients. We first started by listing different ways of capturing the user’s intent in the Wayland compositor. We then talked about how to expose the current security threats and vulnerabilities to the user by adding an icon to the systray, allowing the user both to see which security properties may become violated and by which programs. The user could then revoke the rights from an application for the current instance or for any further instance.

We also proposed a way to delegate security decisions within the compositor to a centralized security decision engine such as SELinux, AppArmor or polkit. This would allow distro developers to ship applications with their security policy for both the system and the graphical environment. We called this proposition Wayland Security Module (WSM) because it resembles the Linux Security Module interface found in the Linux kernel. An Android-like system could thus be implemented where the package manager displays the capabilities required by the application and the user selects the permissions he/she gives to the application. The same policy could be shared across all the Desktop Environments thanks to the common WSM interface, which would need to be used by all the Wayland compositors. Work on the WSM is currently under way.
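To make the WSM idea concrete, here is an added example (not code from the talk, nor from the real WSM work) of how a compositor could route every privileged request through a pluggable decision hook, in the spirit of the kernel's LSM hooks. All names (`wsm_ops`, `wsm_authorize`, the capability enum, the app ids) are hypothetical, and the table-driven module stands in for an engine such as SELinux, AppArmor or polkit. It models the two revocations the abstract describes: for the current instance only, or for every further instance of the application. The policy is deny-by-default, so an application the engine does not know about (or a compositor with no module loaded) never gets a privileged capability.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Privileged capabilities named in the abstract. Hypothetical identifiers. */
enum wsm_capability { WSM_CAP_SCREENSHOT = 0, WSM_CAP_INPUT_INJECTION, WSM_CAP_COUNT };
enum wsm_decision { WSM_DENY = 0, WSM_ALLOW = 1 };

/* A connected client as the compositor sees it: a stable application id and
 * an instance id that is unique per connection. */
struct wsm_client { const char *app_id; unsigned instance_id; };

/* The hook table a decision engine registers with the compositor (hypothetical). */
struct wsm_ops {
    const char *name;
    enum wsm_decision (*authorize)(const struct wsm_client *, enum wsm_capability);
};

/* Constructed sample policy store for the table-driven engine below.
 * instance_id == 0 means the rule applies to every instance of app_id. */
#define MAX_RULES 16
struct policy_rule { const char *app_id; unsigned instance_id;
                     enum wsm_capability cap; enum wsm_decision decision; };
static struct policy_rule rules[MAX_RULES];
static int rule_count = 0;

static void policy_add(const char *app_id, unsigned inst, enum wsm_capability cap, enum wsm_decision d)
{
    if (rule_count < MAX_RULES)
        rules[rule_count++] = (struct policy_rule){ app_id, inst, cap, d };
}

/* Deny-by-default lookup: an instance-specific rule beats an app-wide one,
 * and within the same scope the most recently added rule wins. */
static enum wsm_decision table_authorize(const struct wsm_client *c, enum wsm_capability cap)
{
    enum wsm_decision app_wide = WSM_DENY, instance = WSM_DENY;
    bool have_instance = false;
    for (int i = 0; i < rule_count; i++) {
        const struct policy_rule *r = &rules[i];
        if (r->cap != cap || strcmp(r->app_id, c->app_id) != 0)
            continue;
        if (r->instance_id == 0)
            app_wide = r->decision;
        else if (r->instance_id == c->instance_id) {
            instance = r->decision;
            have_instance = true;
        }
    }
    return have_instance ? instance : app_wide;
}

static const struct wsm_ops table_module = { "table-policy", table_authorize };
static const struct wsm_ops *active_module = &table_module;

/* Entry point the compositor calls before serving a privileged request.
 * No module loaded means nothing privileged is ever granted. */
enum wsm_decision wsm_authorize(const struct wsm_client *c, enum wsm_capability cap)
{
    if (!active_module || !active_module->authorize || cap >= WSM_CAP_COUNT)
        return WSM_DENY;
    return active_module->authorize(c, cap);
}

/* Revocation from the systray icon: this instance only, or this and all further instances. */
void wsm_revoke_instance(const struct wsm_client *c, enum wsm_capability cap)
{
    policy_add(c->app_id, c->instance_id, cap, WSM_DENY);
}
void wsm_revoke_app(const struct wsm_client *c, enum wsm_capability cap)
{
    policy_add(c->app_id, 0, cap, WSM_DENY);
}

/* Walks one scenario with constructed app ids; returns true if every step behaved as expected. */
bool wsm_demo(void)
{
    rule_count = 0;   /* "distro-shipped" policy: an accessibility tool gets both capabilities */
    policy_add("org.example.screenreader", 0, WSM_CAP_SCREENSHOT, WSM_ALLOW);
    policy_add("org.example.screenreader", 0, WSM_CAP_INPUT_INJECTION, WSM_ALLOW);
    struct wsm_client reader1 = { "org.example.screenreader", 1 };
    struct wsm_client reader2 = { "org.example.screenreader", 2 };
    struct wsm_client browser = { "org.example.browser", 3 };

    bool ok = true;
    ok &= wsm_authorize(&reader1, WSM_CAP_SCREENSHOT) == WSM_ALLOW;
    ok &= wsm_authorize(&browser, WSM_CAP_SCREENSHOT) == WSM_DENY;     /* unknown app: denied */
    wsm_revoke_instance(&reader1, WSM_CAP_SCREENSHOT);
    ok &= wsm_authorize(&reader1, WSM_CAP_SCREENSHOT) == WSM_DENY;     /* this instance only */
    ok &= wsm_authorize(&reader2, WSM_CAP_SCREENSHOT) == WSM_ALLOW;    /* other instance unaffected */
    wsm_revoke_app(&reader1, WSM_CAP_INPUT_INJECTION);
    ok &= wsm_authorize(&reader2, WSM_CAP_INPUT_INJECTION) == WSM_DENY; /* every instance */
    return ok;
}

int main(void)
{
    printf("WSM demo %s\n", wsm_demo() ? "passed" : "failed");
    return wsm_demo() ? 0 : 1;
}
```

The point of the hook table is that the compositor itself never encodes policy: swapping `active_module` for one backed by polkit or an LSM changes who answers, not the code path a privileged request takes, which is what lets one policy be shared across compositors.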

This leads us to another GUI-related problem: applications need to be able to access files only when the user wants them to. Capturing the user’s intent when it comes to giving an application permission to open a file requires delegating the file chooser to an external process. Doing so has several challenges, which we will discuss before showing our proposition and our interface (both from the code and the GUI perspective).

Currently, any application can pretend to be your DE’s window asking for credentials. This inspired us to look into the different authorization and authentication UIs on major OSes and their problems. We finally proposed several ways of making your DE’s authentication window unspoofable by making it trivial for a user to check its legitimacy.

Video

Download this video in webm.
