Unity System Compositor

[enhancement] Unity system compositor allows connections from any Mir client

Bug #1211141 reported by Robert Ancell
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Invalid
Medium
Unassigned
Mir
Fix Released
Critical
Alan Griffiths
Unity System Compositor
Invalid
Critical
Unassigned

Bug Description

Currently unity-system-compositor has a Mir socket that allows any Mir client to connect to it. We should only allow clients that the display manager has spawned to connect.

Tags: enhancement

Related branches

lp:~robert-ancell/lightdm/private-mir-connection
lp:~robert-ancell/unity-system-compositor/private-mir-connection
lp:~alan-griffiths/mir/socket-pair (Merged)
lp:~alan-griffiths/mir/socket-connection
PS Jenkins bot (community): Approve (continuous-integration)
Kevin DuBois (community): Approve
Alexandros Frantzis (community): Approve
Diff: 1779 lines (+594/-283)
32 files modified
examples/basic_server.cpp (+39/-4)
examples/render_surfaces.cpp (+5/-4)
include/server/mir/default_server_configuration.h (+10/-3)
include/server/mir/frontend/connector.h (+14/-14)
include/server/mir/frontend/connector_report.h (+9/-9)
include/server/mir/frontend/session_creator.h (+44/-0)
include/server/mir/server_configuration.h (+2/-2)
include/test/mir_test/test_protobuf_server.h (+4/-4)
src/server/default_server_configuration.cpp (+2/-0)
src/server/display_server.cpp (+9/-9)
src/server/frontend/CMakeLists.txt (+6/-7)
src/server/frontend/default_configuration.cpp (+49/-21)
src/server/frontend/protobuf_session_creator.cpp (+73/-0)
src/server/frontend/protobuf_session_creator.h (+60/-0)
src/server/frontend/published_socket_connector.cpp (+79/-76)
src/server/frontend/published_socket_connector.h (+37/-38)
src/server/frontend/socket_messenger.cpp (+2/-1)
tests/acceptance-tests/test_client_library.cpp (+1/-1)
tests/acceptance-tests/test_server_shutdown.cpp (+3/-3)
tests/acceptance-tests/test_test_framework.cpp (+1/-1)
tests/integration-tests/client/test_client_render.cpp (+1/-1)
tests/integration-tests/shell/test_session.cpp (+5/-4)
tests/integration-tests/test_display_server_main_loop_events.cpp (+33/-32)
tests/integration-tests/test_error_reporting.cpp (+1/-1)
tests/mir_test_doubles/test_protobuf_socket_server.cpp (+10/-10)
tests/unit-tests/client/test_client_mir_surface.cpp (+1/-1)
tests/unit-tests/frontend/CMakeLists.txt (+1/-1)
tests/unit-tests/frontend/stress_protobuf_communicator.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_reports_errors.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_sends_fds.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_surface_apis.cpp (+1/-1)
tests/unit-tests/frontend/test_published_socket_connector.cpp (+89/-32)
Mir development team: Pending requested
Diff: 1758 lines (+587/-280)
31 files modified
examples/basic_server.cpp (+34/-2)
examples/render_surfaces.cpp (+5/-4)
include/server/mir/default_server_configuration.h (+10/-3)
include/server/mir/frontend/connector.h (+14/-14)
include/server/mir/frontend/connector_report.h (+9/-9)
include/server/mir/frontend/session_creator.h (+44/-0)
include/server/mir/server_configuration.h (+2/-2)
include/test/mir_test/test_protobuf_server.h (+4/-4)
src/server/default_server_configuration.cpp (+2/-0)
src/server/display_server.cpp (+9/-9)
src/server/frontend/CMakeLists.txt (+6/-7)
src/server/frontend/default_configuration.cpp (+50/-21)
src/server/frontend/protobuf_session_creator.cpp (+73/-0)
src/server/frontend/protobuf_session_creator.h (+60/-0)
src/server/frontend/published_socket_connector.cpp (+79/-76)
src/server/frontend/published_socket_connector.h (+37/-38)
tests/acceptance-tests/test_client_library.cpp (+1/-1)
tests/acceptance-tests/test_server_shutdown.cpp (+3/-3)
tests/acceptance-tests/test_test_framework.cpp (+1/-1)
tests/integration-tests/client/test_client_render.cpp (+1/-1)
tests/integration-tests/shell/test_session.cpp (+5/-4)
tests/integration-tests/test_display_server_main_loop_events.cpp (+33/-32)
tests/integration-tests/test_error_reporting.cpp (+1/-1)
tests/mir_test_doubles/test_protobuf_socket_server.cpp (+10/-10)
tests/unit-tests/client/test_client_mir_surface.cpp (+1/-1)
tests/unit-tests/frontend/CMakeLists.txt (+1/-1)
tests/unit-tests/frontend/stress_protobuf_communicator.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_reports_errors.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_sends_fds.cpp (+1/-1)
tests/unit-tests/frontend/test_protobuf_surface_apis.cpp (+1/-1)
tests/unit-tests/frontend/test_published_socket_connector.cpp (+88/-32)
Robert Ancell (robert-ancell)
Changed in unity-system-compositor:
status: New → Triaged
importance: Undecided → Critical
Robert Ancell (robert-ancell)
Changed in unity-system-compositor:
status: Triaged → In Progress
assignee: nobody → Robert Ancell (robert-ancell)
Robert Ancell (robert-ancell)
Changed in mir:
status: New → Fix Released
importance: Undecided → Critical
Changed in lightdm:
importance: Undecided → Critical
status: New → In Progress
Changed in mir:
assignee: nobody → Alan Griffiths (alan-griffiths)
Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

I think this is a bad plan.

Running native Mir clients in USC has so far been an invaluable debugging technique. Why remove it?

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Because we don't want malicious programs connecting and pretending to be the user session.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

I think we made the critical mistake of designing a solution in the bug description. All we should do is ensure the permissions are restricted on the server socket file. So other users/daemons can't display things.

If however a "malicious program" is running as yourself, then you're already compromised, and already screwed.

I just want to make sure the desktop user still has permission to run a native Mir client on their own desktop. That's really important for us to triage bugs, and has been so far.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

More work coming in lightdm or USC?

I still recommend against it :)

summary: - Unity system compositor allows connections from any Mir client
+ [enhancement] Unity system compositor allows connections from any Mir
+ client
tags: added: enhancement
Changed in lightdm:
status: In Progress → Incomplete
Changed in unity-system-compositor:
status: In Progress → Incomplete
Revision history for this message
Alan Griffiths (alan-griffiths) wrote :

Probably needs fix for https://bugs.launchpad.net/mir/+bug/1271655.

Robert Ancell (robert-ancell)
Changed in lightdm:
assignee: Robert Ancell (robert-ancell) → nobody
importance: Critical → Medium
Changed in unity-system-compositor:
assignee: Robert Ancell (robert-ancell) → nobody
Daniel van Vugt (vanvugt)
Changed in lightdm:
status: Incomplete → Invalid
Changed in unity-system-compositor:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.