-
-
Notifications
You must be signed in to change notification settings - Fork 393
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature request]: Advices to improve security when enabling access to /dev/uinput
#5459
Comments
This is not really a Flatpak question. The access to a particular device node that you get inside a Flatpak sandbox should always be less than or equal to the access you get outside Flatpak, otherwise that would be a serious security vulnerability (in either bubblewrap or the kernel, rather than Flatpak itself). From the Flatpak point of view, |
Ideally, "don't". Access to I believe the long-term answer to this is flatpak/xdg-desktop-portal#762, which proposes the addition of a portal interface that applications can use to inject input events into a compatible compositor under finer-grained control than In the shorter term, using
Yes. Flatpak only installs and runs apps, it doesn't do system administration. Setting up udev rules is a sysadmin-level thing which must be done by installing operating-system-level packages (like
Certainly don't do that: that lets every user of a multi-user system fake input, including users logged in remotely via ssh, and system uids like The least bad way to grant access to For details of how to write and install udev rules, see the |
Thanks a lot @smcv ! I guess this is the answer I was looking for:
I'll just need to figure out what the rule for keyboard should look like and how to send it properly to udev
I knew I was going to have at least one "Don't do it" thrown somewhere, classic linux! (but thanks for explaining anyway :D) To be more clear: I don't want access to This feature is important to me, as it save me tons of time when writing. And is important for anyone who wants Linux desktop to be more user and developer friendly (automating stuff the way we want is why a lot of people are on linux) And since flatpak is for packaging programs for the desktop.... It should also care about those kind of things no? As soon as there are safer way to do those kind of thing I will implement them, but for now you got do what you got do! Also the security "issue" due to all the laptop users can access uinput: I am the only user on my laptop (like most laptop owners I would expect, mostly only servers have multiple users, PC stands for Personal Computer). If someone is logged via SSH on it I think I have bigger problem than them faking keyboard input |
We cannot solve every problem for every user, some things have to be treated as out-of-scope.
If you feel that this is a Wayland limitation, please talk to Wayland developers, not Flatpak developers. The Wayland protocol is outside Flatpak's scope. I suspect that there is probably a security reason why Wayland developers have not allowed application-triggered pasting (an obvious one is "you might have copied a password to the clipboard, and if untrusted apps could trigger a paste at any time they wanted to, then they would be able to log everything you have ever copied"); but in any case this is not a Flatpak limitation, so talking to Flatpak developers won't remove it. As I said, the long-term solution to this is probably libeis, which isn't ready yet.
You are the only human user, but there are multiple machine-level user IDs used for privilege-separation in system services, and those should not be able to inject fake keyboard events. For example if Also, the generic security model of Unix systems (including Linux) is to assume that all systems are at least potentially multi-user, so the design of generic software like Flatpak cannot assume that it will only be installed on single-user personal laptops like yours. |
Thanks again for all the details and explanation about it @smcv , that was really helpful to better understand the caveats and potential danger I'll keep a note to check on libeis/xdg-portal-desktop when it will be mature enough To be able to paste without going through |
And it won't in the future because we'll be using libei. |
Checklist
Suggestion
Hi, I am trying to make simulating a
Ctrl+V
working on Wayland in a flatpak containerI managed to make it work with ydotool , but it requires r/w access to
/dev/uinput
to workI noticed my user is in the nfsnobody group which own /dev/uinput:
So I tried to simply
sudo chmod g+rw /dev/uinput
, but still got the permission denied (ok, not really logical, so let's bring it to the next level!)And poof the permission denied disappeared! And I can finally make something out of my laptop! (also hackers can do a lot I guess)
Now, this solution is the worst from a security point of view, but at least I know it can work!
In this issue #4137 it is mentioned that we should be able to fine tune the access by defining some rules like Steam has done for their devices: https://github.com/ValveSoftware/steam-devices/blob/master/60-steam-input.rules
But I could not find no documentation about how or where to include those rules! And I couldn't find what the rule to enable keyboard access should look like (I have experience working with linux and consort, but I don't know all its arcanes)
What would be a cleaner solution to give the user access to
/dev/uinput
in a flatpak container? How can it be added to a flatpak manifest? Or will it need to be done manually by users outside of flatpak?If you have any element of answers or pointers to enable to cleanly give a user access to /dev/uinput to simulate a keyboard key stroke, I would be interested! It would greatly help people to build secure packages (otherwise we need to do those dirty
chmod
hacks which kills all the hard work done to build a secure system)The text was updated successfully, but these errors were encountered: