Steve Dodier-Lazaro & Martin Peres - Security in Wayland-based desktop environments: Privileged clients, authorization, authentication and sandboxing!
We have been talking about security in the Graphics Stack for some time. Wayland has fixed all the problems we had ... but at the expense of usability and accessibility as applications are now unable to perform any sensitive task such as taking screenshots or injecting input events. Indeed, some applications (especially the ones related to accessibility) really DO require privileged capabilities and should work across the different Wayland compositors. Before designing privileged interfaces, it was thus necessary to think about how to handle privileged clients securely. The biggest issue with handling privileged clients is not how to grant them the rights, it is about making sure that the user understands what is going on on his/her system. This sometimes require to capture the user's intent somewhere in the TCB (Trusted Code Base), often in the compositor.
In February, we proposed a way to handle privileged clients. We first started by listing different ways of capturing the user's intent in the Wayland compositor. We then talked about how to expose the current security threats and vulnerabilities to user by adding an icon to the systray allowing the user both to see the security properties that may become violated and by which programs. The user could then revoke the rights away from an application for the current instance or any further instance.
We also proposed a way to delegate security decisions within the compositor to a centralized security decision engine such as SELinux, AppArmor or polkit. This would allow distro developers to ship applications with their security policy for the system and the graphical environment. We called this proposition Wayland Security Module (WSM) because they resemble the Linux Security Module interface found in the Linux kernel. An android-like system could thus be implemented where the package manager displays the capabilities required by the application and the user would select the permission he/she gives to the application. The same policy could be shared across all the Desktop Environments thanks to the common WSM interface that would need to be used by all the wayland compositors. Work on the WSM is currently on its way.
This leads us to another GUI-related problem of applications, they need to be able to access files only when the user wants it to. Capturing the user's intent when it comes to giving permission to an application to open a file requires to delegate the file chooser to an external process. Doing so has several challenges that we will talk about before showing our proposition and show you our interface (both from the code and the GUI perspective).
Currently, any application can pretend to be your DE's window that asks for credentials. This inspired us to look into the different of authorization and authentication UIs on major OSes and their problems. We finally proposed several ways of making your DE's authentication window be unspoofable by making it trivial for a user to check its legitimacy.