From: Alyssa Ross
To: Thomas Leonard
CC: Michael Raskin <7c6f434c@mail.ru>, discuss@spectrum-os.org
Subject: Re: New user getting started questions
Date: Sat, 13 Mar 2021 13:52:10 +0000
Message-ID: <20210313135210.hiuj4hwkoyrmd4fa@eve.qyliss.net>
References: <87ble2czx6.fsf@alyssa.is> <87lfcvn1ln.fsf@alyssa.is> <87bldrn0kh.fsf@alyssa.is> <20210309162556.ctiy3yfp7plkbdqs@x220.qyliss.net>
List-Id: General high-level discussion about Spectrum

On Sat, Mar 13, 2021 at 07:21:50AM +0000, Thomas Leonard wrote:
> > > Once this is working more smoothly, I guess the next issues will be
> > > setting up some kind of secure window manager on the host (e.g.
> > > labelling windows with the VM they come from, not allowing
> > > screenshots, etc). Would also be good to get sound forwarding working
> > > somehow (Qubes routes pulseaudio to all the VMs and gives you a mixer
> > > to control the levels for each, but I don't know how that worked). It
> > > also needs some kind of VM manager to keep track of which VMs are
> > > running. And some kind of IPC system like qrexec would be useful. Do
> > > you have thoughts or plans about how to do any of this?
> >
> > The window manager is a part of this whole thing that makes me very
> > nervous. A secure window manager is very important for Wayland, and I'm
> > not sure how much I trust any of the existing ones to get it right. But
> > with Wayfire I'm hoping it'll at least be easy enough to implement stuff
> > like tagged/coloured windows for the proof of concept (since the
> > plugin API and stuff is Wayfire's niche), and I'm hoping at some point
> > somebody comes up with a security-focused Wayland window manager we can
> > switch to -- I'd love a Rust one, and there's work going on in that
> > area[1].
>
> For the short-term, it would be fairly easy to make a slight change to
> the wayland-virtwl-proxy[*] so that a version of it could run on the
> host. Unlike the guest one, which has to copy frames and deal with
> virtwl, this would just pass FDs through. And instead of connecting to
> /dev/wl0, it would just connect to the host compositor socket. It
> would then block access to screenshots (since it doesn't proxy that),
> and would add the VM's name to each window's title.
>
> Eventually I'd like to turn it into a full compositor, but I'm going
> to be busy for the next 6 months at least.

A sanitizing proxy of this sort could be a very good way to go indeed,
especially early on, because if we tightly control what messages Wayland
clients can send, we don't have to worry so much about what the
compositor will do if it gets a weird message. Having a proxy rather than
investing in hardening a specific compositor (or writing such a
compositor) would also give us more freedom to change compositor later
(or allow users to choose their own compositor).

> > Not sure about IPC yet, but I recently read an article about PipeWire[2],
> > and that's been making me think a bit about audio. With PipeWire, they
> > seem to have cared about security from the start:
>
> Thanks for the link. I hadn't realised PulseAudio was in such a bad state!

I think it's just one of those things where they just didn't think about
security very much early on, and retrofitting that after the fact is
difficult because every application has already been written to expect
not to have to do anything special for security. Very much like the
situation with X11 compared to Wayland.

> > > To avoid the PulseAudio sandboxing limitations, security was
> > > baked-in: a per-client permissions bitfield is attached to every
> > > PipeWire node — where one or more SPA nodes are wrapped.
> > > This security-aware design allowed easy and safe integration with Flatpak
> > > portals; the sandboxed-application permissions interface now promoted
> > > to a freedesktop XDG standard.
> >
> > And it gets better! In particular, this sounds very promising:
> >
> > > a native fully asynchronous protocol that was inspired by Wayland —
> > > without the XML serialization part — was implemented over Unix-domain
> > > sockets. Taymans wanted a protocol that is simple and hard-realtime
> > > safe.
> >
> > It goes on to say they use this for sending file descriptors and stuff.
> > The similarity to Wayland is very exciting, because it means we might
> > just be able to run PipeWire over the existing virtio_wl infrastructure
> > very efficiently.
>
> Yes. I wonder why they didn't just use Wayland directly. Removing the
> XML schema files (I assume that's what they mean) doesn't seem like an
> improvement. That's what makes it easy to use Wayland from safer
> languages than C!

Yeah I was a bit surprised to see that too. Maybe they're not expecting
the protocol to grow extensions and stuff as much as Wayland, so
automatic code generation is less valuable? But I'm not sure -- I haven't
looked into it.
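As an added illustration of the host-side sanitizing proxy discussed above (example code, not wayland-virtwl-proxy's or Spectrum's own), here are its two checks done on raw Wayland wire messages in Python: refusing to forward a wl_registry.bind for any global the proxy does not know (which is what leaves screenshot protocols unreachable to the guest) and prepending the VM name to xdg_toplevel.set_title. It assumes the caller already knows which object ids are the registry and which are toplevels, as a real proxy tracks, and the allowlist and sample messages are constructed.

```python
import struct

# Wayland wire format: header = object id (u32) and (size << 16) | opcode (u32),
# native endian; a string argument is u32 length (NUL included), the bytes,
# then zero padding to a 4-byte boundary.
def parse_header(msg):
    obj, size_op = struct.unpack_from("=II", msg, 0)
    return obj, size_op >> 16, size_op & 0xFFFF

def read_string(msg, off):
    (n,) = struct.unpack_from("=I", msg, off)
    text = msg[off + 4:off + 4 + max(n - 1, 0)].decode("utf-8")
    return text, off + 4 + ((n + 3) & ~3)

def encode_string(text):
    raw = text.encode("utf-8") + b"\0"
    return struct.pack("=I", len(raw)) + raw + b"\0" * (-len(raw) % 4)

def build(obj, opcode, body):
    return struct.pack("=II", obj, ((8 + len(body)) << 16) | opcode) + body

def make_bind(registry, name, iface, version, new_id):
    """Constructed wl_registry.bind request, as a guest client would send it."""
    body = struct.pack("=I", name) + encode_string(iface) + struct.pack("=II", version, new_id)
    return build(registry, 0, body)

# Constructed allowlist: the globals the host-side proxy knows how to forward.
# A bind to anything else (zwlr_screencopy_manager_v1, export-dmabuf, ...)
# is dropped, so the guest never obtains a screenshot-capable object.
ALLOWED_GLOBALS = {"wl_compositor", "wl_shm", "wl_seat", "xdg_wm_base"}

def bind_allowed(msg):
    """wl_registry.bind (opcode 0): name u32, interface string, version u32, id u32."""
    _, size, opcode = parse_header(msg)
    if opcode != 0 or size != len(msg):
        return False                      # malformed or not a bind: drop it
    iface, _ = read_string(msg, 12)
    return iface in ALLOWED_GLOBALS

def tag_title(msg, vm_name):
    """Rewrite xdg_toplevel.set_title (opcode 2) so the title names the VM."""
    obj, size, opcode = parse_header(msg)
    if opcode != 2 or size != len(msg):
        raise ValueError("not a well-formed set_title request")
    title, _ = read_string(msg, 8)
    return build(obj, 2, encode_string(f"[{vm_name}] {title}"))

if __name__ == "__main__":
    print(bind_allowed(make_bind(2, 5, "zwlr_screencopy_manager_v1", 3, 4)))  # False
    tagged = tag_title(build(7, 2, encode_string("Terminal")), "work")
    print(read_string(tagged, 8)[0])  # [work] Terminal
```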