Skip to content

Document security considerations of protocols

Some protocols, such as the proposed screen locker protocol (!100 (closed)) and screensharing protocols, provide access to sensitive information or to privileged operations. Untrusted clients, such as sandboxed Flatpak applications, must not be permitted to use these protocols. Other protocols may not be sensitive per se, but might expose enough attack surface in the compositor that untrusted clients should not be allowed access to them.

This is a request to document the security considerations of each protocol.

Unprivileged protocols

These protocols don’t seem to expose any privileged operations, and (unless noted) seem to expose no risk beyond potentially incre`ased attack surface. For them, boilerplate like the following might suffice:

This protocol is unprivileged.  Compositors may freely expose
it to untrusted, sandboxed clients.
  • linux_dmabuf_v1
  • presentation_time
  • viewporter
  • xdg_shell
  • content_type_v1
  • cursor_shape_v1
  • ext_idle_notify_v1 (possibly a minor information leak? Not sure.)
  • fractional_scale_v1
  • linux_drm_syncobj_v1
  • single_pixel_buffer_v1
  • tearing_control_v1
  • xdg_activation_v1
  • dialog_v1
  • xdg_toplevel_drag_v1
  • linux_dmabuf_unstable_v1 (deprecated?)
  • zwp_linux_explicit_synchronization_unstable_v1 (deprecated)
  • pointer_gestures_unstable_v1
  • wp_primary_selection_unstable_v1
  • tablet_unstable_v1 if only focused clients can use it (which is unclear).
  • tablet_unstable_v2 if only focused clients can use it (which is unclear).
  • text_input_unstable_v1
  • text_input_unstable_v3
  • xdg_decoration_unstable_v1
  • xdg_foreign_unstable_v1 (deprecated?)
  • xdg_foreign_unstable_v2
  • xdg_shell_unstable_v5 (deprecated?)
  • xdg_shell_unstable_v6 (deprecated?)

Semi-privileged protocols

These protocols are semi-privileged. They could be used to cause actions that might be undesirable. I expect most compositors would disallow sandboxed clients access to them, except if the user consents.

  • idle_inhibit_unstable_v1 (prevents screen locking)
  • input_timestamps_unstable_v1 (might be usable for fingerprinting?)
  • xdg_output_unstable_v1 (ditto)
  • keyboard_shortcuts_inhibit_unstable_v1 (can prevent keyboard shortcuts from working)
  • pointer_constraints_unstable_v1 (constrains pointer movement)

Fully privileged protocols

These protocols are definitely privileged. Allowing an untrusted client to use any of them would be a security vulnerability.

  • xwayland_shell_v1 (specific to Xwayland)
  • xwayland_keyboard_grab_unstable_v1 (ditto)
  • fullscreen_shell_unstable_v1 (allows taking complete control of an output, also deprecated?)
  • input_method_unstable_v1 (allows sending text input to other clients)
  • relative_pointer_unstable_v1 (allows receiving pointer events meant for other clients, I think?)
  • drm_lease_v1 (gives away control of an entire output)
  • ext_foreign_toplevel_list_v1 (leaks the position of other windows)
  • ext_session_lock_v1 (used for screenlockers and can be used to obtain keyboard focus)
  • ext_transient_seat_v1 (creates transient seats)
  • security_context_v1 (allows sandbox escape)
Edited by Demi Marie Obenour
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information