Bug 38517

Summary: GUI/App level isolation in Xserver/Linux
Product: xorg Reporter: marek <markotahal>
Component: SecurityAssignee: X.Org Security <xorg_security>
Status: RESOLVED WORKSFORME QA Contact: X.Org Security <xorg_security>
Severity: major    
Priority: high CC: markotahal
Version: unspecified   
Hardware: All   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description marek 2011-06-21 03:28:38 UTC 
Hi, 
I was quite shocked after reading this: 
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
mostly for it really works. 

* What happens: 
running multiple applications in ine X server, each of them can see all what other apps print to output or read for input. That means every single once you run an untrustworthy app, all that happens in that X session is doomed. 

As I quickly searched, SELinux could (probably) prevent this, but not many bfu desktop users run a properly set up SElinux. 

* What should happen: 
X registers an input, finds an application that has focus and passes it to _just_ that app, others see nothing. That is my idea. 

So may say this will break global shortcuts, but well..who cares compared to this. And the shortcuts could be curricumwented by eg. when registering alt+one key, pass it to all apps running. 

* test case / steps to reproduce: 
taken from the blog. 
$xinput list
// find device with name AT keyboard and note the id
$xinput test <id>
// type something and you see keys pressed

//now start a new terminal window, and do 
su - 
#whatever secret
//or open a webbrowser and start ebanking. 

* Summary: 
It would be really nice if this could be somehow implemented. I didn't know that filling ebanking creditantials to firefox while having kopete with some plugin installed can be so dangerous. 

In any case, is this taken in account with designing Wayland? I would strongly vote for that. 

Thank you, Mark.
Comment 1 Daniel Stone 2011-06-21 06:28:43 UTC 
Sorry if this seems like a bit of a glib/out-of-hand dismissal, but, well ...

We already have an XSECURITY extension (and have had for years) which allows you to specify policies such as these in a SecurityPolicy file.  It's pretty neglected since no-one bothered using it, but it should work.

The well-maintained X-SELINUX extension allows full and powerful SELinux label-based matching, and works great.  If you search for blog entries and/or talks by Eamon Walsh, he's repeatedly demonstrated it and provided some examples.

As it is, not only would you break shortcuts, but also keys like brightness up/down, pop-up menus (including, e.g. the address bars in browsers), any window manager shortcut (e.g. the Windows key to provide the overview in GNOME Shell), the clipboard, a lot of input methods (e.g. virtual keyboards), and a whole lot else.  So it's pretty impractical to provide a 'please break my desktop badly' option.  

If you do indeed care about security, I have two suggestions (and again, apologies if it seems glib and out-of-hand):
    * don't run untrusted apps - if you are worried about malicious apps, then what's to stop an app from being a proxy to, or a fake copy of, a web browser that just sends all your online logins to spammers?
    * use X-SELINUX, as well as SELinux in general
Comment 2 Alan Coopersmith 2011-06-21 09:45:04 UTC 
(In reply to comment #0)
> In any case, is this taken in account with designing Wayland? I would strongly
> vote for that. 

You'll have to bring that up with the Wayland developers, not X.Org.
Comment 3 Stanislav Maslovski 2011-06-24 05:10:05 UTC 
To Daniel Stone:

Thanks for providing your view on this issue. I would, however, appreciate if you could give us some proof links to the demonstrations and the examples you mentioned.

Yes, I have seen some talks by Eamon Walsh in the net, but they seem to be useless as there are no practical examples of the secure configurations you mention. One may also find many broken and not updated pages like these [1] but no real info that could be useful for an end user.

[1] http://selinuxproject.org/page/XACE
Comment 4 marek 2011-06-24 11:46:26 UTC 
(In reply to comment #2)
> (In reply to comment #0)
> > In any case, is this taken in account with designing Wayland? I would strongly
> > vote for that. 
> 
> You'll have to bring that up with the Wayland developers, not X.Org.
Just posted to wayland-devel ML, I'm curious to see how wayland handels that. Thanks
Comment 5 marek 2011-06-24 11:53:11 UTC 
(In reply to comment #1)
> Sorry if this seems like a bit of a glib/out-of-hand dismissal, but, well ...
<snip>
>     * use X-SELINUX, as well as SELinux in general

Thank you Daniel for explanation, I totally agree with the problems you mentioned. However I still believe this issue is serious enough and should be handeled by default Xorg installation, that's why I brought it up. 

If linux is ever going to be used on desktop more widely (and I hope and see it's happening) the normal user doesn;t have all the SELinux goodies set up bu themselves(it's a bit complicated i think). 

I would like to give a try to to X security extention you mentioned but i didn't find any useful info on using the SecurityPolicy file, could you point me to something, please?

Thanks, Mark

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.