On Tue, 9 Mar 2021 at 16:26, Alyssa Ross <hi@alyssa.is> wrote:
Hi Thomas!
Thanks for keeping us updated. It's really great to have all this written up to read, even though I'm only getting to it a month and a half later.
On Wed, Jan 27, 2021 at 05:31:08PM +0000, Thomas Leonard wrote:
[...]
Once this is working more smoothly, I guess the next issues will be setting up some kind of secure window manager on the host (e.g. labelling windows with the VM they come from, not allowing screenshots, etc). Would also be good to get sound forwarding working somehow (Qubes routes pulseaudio to all the VMs and gives you a mixer to control the levels for each, but I don't know how that worked). It also needs some kind of VM manager to keep track of which VMs are running. And some kind of IPC system like qrexec would be useful. Do you have thoughts or plans about how to do any of this?
The window manager is a part of this whole thing that makes me very nervous. A secure window manager is very important for Wayland, and I'm not sure how much I trust any of the existing ones to get it right. But with Wayfire I'm hoping it'll at least be easy enough to implement stuff like tagged/coloured windows for the proof of concept (since the plugin API and stuff is Wayfire's niche), and I'm hoping at some point somebody comes up with a security-focused Wayland window manager we can switch to -- I'd love a Rust one, and there's work going on in that area[1].
For the short-term, it would be fairly easy to make a slight change to the wayland-virtwl-proxy[*] so that a version of it could run on the host. Unlike the guest one, which has to copy frames and deal with virtwl, this would just pass FDs through. And instead of connecting to /dev/wl0, it would just connect to the host compositor socket. It would then block access to screenshots (since it doesn't proxy that), and would add the VM's name to each window's title. Eventually I'd like to turn it into a full compositor, but I'm going to be busy for the next 6 months at least.
Not sure about IPC yet, but I recently read an article about PipeWire[2], and that's been making me think a bit about audio. With PipeWire, they seem to have cared about security from the start:
Thanks for the link. I hadn't realised PulseAudio was in such a bad state!
To avoid the PulseAudio sandboxing limitations, security was baked-in: a per-client permissions bitfield is attached to every PipeWire node — where one or more SPA nodes are wrapped. This security-aware design allowed easy and safe integration with Flatpak portals; the sandboxed-application permissions interface now promoted to a freedesktop XDG standard.
And it gets better! In particular, this sounds very promising:
a native fully asynchronous protocol that was inspired by Wayland — without the XML serialization part — was implemented over Unix-domain sockets. Taymans wanted a protocol that is simple and hard-realtime safe.
It goes on to say they use this for sending file descriptors and stuff. The similarity to Wayland is very exciting, because it means we might just be able to run PipeWire over the existing virtio_wl infrastructure very efficiently.
Yes. I wonder why they didn't just use Wayland directly. Removing the XML schema files (I assume that's what they mean) doesn't seem like an improvement. That's what makes it easy to use Wayland from safer languages than C! [*] https://github.com/talex5/wayland-virtwl-proxy -- talex5 (GitHub/Twitter) http://roscidus.com/blog/ GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC