xdg-app and a11y (was Re: Our sandboxed apps won't really protect users)

Michael Catanzaro mcatanzaro at gnome.org
Tue Sep 15 16:17:42 UTC 2015


Changing the title of the thread again... hard to believe this started
out as a discussion about Darktable.

On Tue, 2015-09-15 at 11:51 +0200, Alexander Larsson wrote:
> No, I have not. It's on my to-do list, but honestly it's been pushed
> down partially because I have no real idea how this stuff works at all. :/

Me too. I ran into the same trouble working on the sandbox for WebKit: 
https://bugs.webkit.org/show_bug.cgi?id=143004

I chatted with Alejandro Piñeiro about this today. The at-spi2 socket
is a total sandbox escape: it can be used to inspect the accessibility
tree of arbitrary applications, send them keyboard input, etc. We can't
allow access to it. Also we can't block it, since that breaks a11y. A
design change will be required. It should be considered in tandem with
the problem of supporting a11y under Wayland, since the design problem
there is similar. The basic issue is that Wayland clients have no
access to other Wayland clients (except through clipboard and
drag-and-drop selections), which is a security feature of the Wayland
protocol, but one that breaks much of a11y, gnome-screenshot, etc. a11y
needs a way to give privileged applications such access, while limiting
the access of unprivileged applications.
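As an added audit helper (not part of this thread or of xdg-app/at-spi2 itself), the script below checks whether the process it runs in can reach the a11y bus socket the mail is talking about, so a sandbox author can verify that a given configuration actually cuts the socket off. It assumes the at-spi2 client discovery order (the `AT_SPI_BUS_ADDRESS` environment variable, then `org.a11y.Bus.GetAddress` on the session bus via `gdbus`); the addresses used in the functions' comments are constructed samples.

```sh
#!/bin/sh
# Added example, not code from the thread: report whether the AT-SPI
# accessibility bus is reachable from the current process (e.g. from
# inside a sandbox). Discovery order follows at-spi2 clients; sample
# addresses such as "unix:path=/run/user/1000/at-spi/bus_0" are constructed.

# Print the socket path from a D-Bus address of the form
# "unix:path=/some/socket[,guid=...]". Fails (status 1) for other transports.
a11y_socket_path() {
    case "$1" in
        unix:path=*)
            printf '%s\n' "${1#unix:path=}" | cut -d, -f1 ;;
        *)
            return 1 ;;
    esac
}

# Classify the transport: "path" for filesystem sockets, "abstract" for
# abstract-namespace sockets (these live in the network namespace, so a
# sandbox that only restricts the filesystem view does not hide them),
# "other" for anything else (tcp, nonce-tcp, ...).
a11y_transport() {
    case "$1" in
        unix:path=*)     echo path ;;
        unix:abstract=*) echo abstract ;;
        *)               echo other ;;
    esac
}

# Status 0 if the filesystem socket named in the address exists and is a
# socket here (the bus is reachable), 1 otherwise.
a11y_socket_reachable() {
    p=$(a11y_socket_path "$1") || return 1
    [ -S "$p" ]
}

# Resolve the bus address the way at-spi2 clients do: environment override
# first, then ask the a11y bus launcher over the session bus. gdbus prints
# a GVariant tuple like ('unix:path=/run/user/1000/at-spi/bus_0',).
a11y_bus_address() {
    if [ -n "$AT_SPI_BUS_ADDRESS" ]; then
        printf '%s\n' "$AT_SPI_BUS_ADDRESS"
        return 0
    fi
    command -v gdbus >/dev/null 2>&1 || return 1
    gdbus call --session --dest org.a11y.Bus --object-path /org/a11y/bus \
        --method org.a11y.Bus.GetAddress 2>/dev/null \
        | sed -n "s/^('\(.*\)',)$/\1/p"
}

# Run the audit only when explicitly asked (A11Y_AUDIT_RUN=1 sh this.sh),
# so the functions can also be sourced from other scripts.
if [ "${A11Y_AUDIT_RUN:-0}" = 1 ]; then
    addr=$(a11y_bus_address) || { echo "a11y bus address not discoverable"; exit 0; }
    echo "a11y bus address: $addr (transport: $(a11y_transport "$addr"))"
    if a11y_socket_reachable "$addr"; then
        echo "RESULT: a11y socket reachable -> sandbox does not block it"
    else
        echo "RESULT: a11y socket not reachable from here"
    fi
fi
```

Run it with `A11Y_AUDIT_RUN=1` both outside and inside the sandbox and compare the two results; a "reachable" verdict inside the sandbox means the socket the mail describes is still exposed. The transport classification matters because an abstract-namespace address cannot be hidden by filesystem means alone.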

Michael

