Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How do you escape the sandbox through a Wayland or X11 socket? Do you have specific code examples?

Is there no way to safely run graphical applications in a bwrap sandbox? I thought Wayland was supposed to be better about this.



I think Wayland is fairly safe, but any X11 client can take screenshots or listen to the keyboard, or emit keyboard event, without limitations.


I do not have a specific code example, but you can use the normal X11 client interfaces to interact with the X server, which allows a lot of dangerous things such as sending events to other clients. We can imagine a rouge X11 client spawning a terminal and entering text through a virtual input interface, to run an arbitrary command for example.

On Wayland, assuming you don't have XWayland enabled and running, it depends on the specific compositor you are using and what Wayland protocols it supports.

Sandboxing GUI stuff on Wayland requires at the very least not having XWayland running, and also requires understanding what the compositor allows clients to do by default. Some compositors may have permission dialogues that prevent clients from doing stuff that you didn't expect.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: