From owner-freebsd-current@freebsd.org  Sun Jul  9 21:21:31 2017
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 669F2D9628A
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Sun,  9 Jul 2017 21:21:31 +0000 (UTC) (envelope-from jilles@stack.nl)
Received: from mailout.stack.nl (mailout05.stack.nl
 [IPv6:2001:610:1108:5010::202])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mailout.stack.nl",
 Issuer "CA Cert Signing Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 31C58710CF
 for <freebsd-current@freebsd.org>; Sun,  9 Jul 2017 21:21:31 +0000 (UTC)
 (envelope-from jilles@stack.nl)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131])
 by mailout.stack.nl (Postfix) with ESMTP id 887A469;
 Sun,  9 Jul 2017 23:21:22 +0200 (CEST)
Received: by snail.stack.nl (Postfix, from userid 1677)
 id 732A928497; Sun,  9 Jul 2017 23:21:22 +0200 (CEST)
Date: Sun, 9 Jul 2017 23:21:22 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Johannes Lundberg <johalun0@gmail.com>
Cc: Stefan Ehmann <shoesoft@gmx.net>,
 freebsd-current <freebsd-current@freebsd.org>
Subject: Re: Getting PID of socket client
Message-ID: <20170709212122.GB51240@stack.nl>
References: <CAECmPwsD=PYqoG9EA=Wyq16hcrdbf7SQ3Owxdf+WSvYWazJfXA@mail.gmail.com>
 <a42d8db6-675f-b021-fc50-6ef87d310623@gmx.net>
 <CAECmPwuAm+n6DyFR01OgatxN9Jj3um-50jOpP0jeB4=N+j=yxg@mail.gmail.com>
 <684e8346-c4a8-a0c5-cb2a-cd5159d2af1c@gmx.net>
 <CAECmPwt0Un076DT8SHVDFi-ygdfqOWU6hH1cHejn0vNmr4A9Jg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAECmPwt0Un076DT8SHVDFi-ygdfqOWU6hH1cHejn0vNmr4A9Jg@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jul 2017 21:21:31 -0000

On Sun, Jul 09, 2017 at 02:07:06PM +0000, Johannes Lundberg wrote:
> That code gets the child's pid from the fork command. That's is not
> available in my case (Wayland client connects to Wayland server via unix
> socket).

> I can understand the security issue.. hmm will dig further tomorrow..

It seems like what Wayland wants is not a security feature, but a
feature to prevent people from building things that will not work in a
future more secure world. In this future world, operations like making a
screenshot would be privileged.

Even if the PID race is solved, it remains trivial to fake the check
(for example, fork a process that sends the initial message and then
immediately execs a "privileged" binary, or use ptrace to attach to a
"privileged" binary or launch a new copy of a "privileged" binary).

With regard to security, it would be equivalent to have the client send
the name of its binary to the server. Putting this into a low-level
Wayland library would deter people from faking the check to do things
that will not work in the future more secure world. I don't know how
invasive this would be, though.

One possible implementation of the future more secure world would be
per-application UIDs a la Android. Another one would be
Capsicum-sandboxed applications where applications receive their Wayland
sockets pre-connected by code that tells the Wayland server the
application identity.

-- 
Jilles Tjoelker