X SECURITY: allowed extensions for untrusted clients

Adam Jackson ajax at nwnk.net
Wed Oct 11 18:57:03 UTC 2017


On Fri, 2017-10-06 at 19:46 +0000, Uecker, Martin wrote:
> Hi,
> 
> I would like to use untrusted connections for remote
> clients. Currently this does not work for me, because it is
> too slow, and I always have to use trusted connections.
> 
> So I wonder what it would take to expose some additional
> extensions that are required for efficiency to untrusted
> clients, in particular the RENDER extension?

The first step would be to add RENDER to the SecurityTrustedExtensions
list. After that one might need to fix SecurityResource() or
SecurityDoCheck() to allow untrusted clients to do whatever they want to
their own resources (this might already be the case but I haven't tried
to understand that code in detail).

I continue to maintain that interacting with an "untrusted" remote
client is a weird thing to want: if you can't trust it to interact
peacefully with other clients, how can you trust it to do what you
expect when you type into it? But there's no intrinsic reason why
RENDER couldn't be made to work for untrusted clients; in fact,
extending coverage to _all_ extensions should be pretty straightforward
since the selinux work put hooks in all the right places.

- ajax

