Pointer grabs causing accessibility issues! Why not deprecate them?

Eamon Walsh ewalsh at tycho.nsa.gov
Wed Apr 30 20:05:14 PDT 2008

Francesco Fumanti wrote:
> Hello,
> Daniel Stone wrote:
>>> If we need a protocol for ordered-priority grabs, then yes, let's get
>>> that sorted (it's on my ever-expanding Xi 2 list: replace grabs with a
>>> priority at event selection, and max priority = grab, whereas the rest
>>> is descending).  At this point, you can get the security boffins
>>> together, and they can bang heads and agree on a happy protocol for
>>> ensuring the integrity of this, such as having whatever Eamon's
>>> extension is called this week verify that anything grabbing at such
>>> a high level _is_ actually an input method.
> If I get it right, that would mean the following for the particular 
> problem about policykit and an onscreen keyboard:
> Supposing that the onscreen keyboard had a higher priority than the policykit 
> dialog, the events belonging to the onscreen keyboard would get to the 
> onscreen keyboard; but events belonging to other applications with a 
> lower priority than policykit would get grabbed by policykit.
> I don't have the knowledge to understand the implication of such a 
> change to X and whether it would really solve the problem. But I think 
> that it is an interesting point that might deserve consideration and 
> probably refinement. (e.g.: How to determine what priority to give to 
> the different applications? What happens in case of equal priority?...)
> Eamon Walsh wrote:
>> Honestly I'm increasingly convinced that MPX is the best way to solve 
>> this problem, and related problems such as separating input by security 
>> level.
>> Create a new virtual mouse/keyboard that no one else can see and use 
>> it to get the password.
> Wikipedia just informed me that MPX stands for Multi-Pointer X Server. ;-)
> But how does it solve the pointer grabbing issue: could an application 
> not simply grab the events of all pointers and keyboards?

This can be controlled through security policy or an extension.  Devices 
are referenced by number in protocol requests and the device lookup 
function does a permission check.  MPX has some built-in access 
controls.  There's almost certainly work to be done but the concept of a 
private device (that could still be seen by input helpers) seems not too 
far-fetched.  Under this scenario the password dialog would not need to 
perform a grab.

The grab priority thing might be useful as well.  I'm not keen on 
assigning a security model to it though - grabs are the most complicated 
part of X I've seen, and widely used for UI stuff.  I want to use MPX as 
an escape pod to avoid dealing with them.

> Cheers
> Francesco

Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency
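
The access-control idea in the reply above (devices referenced by number, with the device lookup function doing the permission check), as an added example that is not part of the original message and is not X server code: a simplified C model in which a private keyboard is reachable only by its owner and by input helpers, so a client that tries to grab every device is refused on the private one. All type, function and device names and ids are hypothetical.

```c
#include <stdio.h>
/* Simplified model; not X server code. All names and ids are hypothetical. */
enum role { ROLE_APP, ROLE_PASSWORD_DIALOG, ROLE_INPUT_HELPER };
enum status { LOOKUP_OK, LOOKUP_BAD_DEVICE, LOOKUP_BAD_ACCESS };
struct client { int id; enum role role; };
struct device { int id; int is_private; int owner; };

static struct device devices[] = {
    { 2, 0, -1 },   /* shared pointer */
    { 3, 0, -1 },   /* shared keyboard */
    { 4, 1, 10 },   /* private keyboard created for client 10 */
};
#define NDEV (int)(sizeof devices / sizeof devices[0])

/* Policy decision: shared devices are open; a private device is visible
 * only to its owner and to input helpers (e.g. an onscreen keyboard). */
static int policy_allows(const struct client *c, const struct device *d)
{
    return !d->is_private || c->id == d->owner || c->role == ROLE_INPUT_HELPER;
}

/* Requests name a device by number. Resolving the number and checking
 * permission happen in one place, so no request reaches a device unchecked. */
static enum status lookup_device(const struct client *c, int devid,
                                 struct device **out)
{
    *out = NULL;
    for (int i = 0; i < NDEV; i++) {
        if (devices[i].id != devid) continue;
        if (!policy_allows(c, &devices[i]))
            return LOOKUP_BAD_ACCESS;
        *out = &devices[i];
        return LOOKUP_OK;
    }
    return LOOKUP_BAD_DEVICE;
}

/* A client trying to grab every device: count how many lookups succeed. */
static int grab_all(const struct client *c)
{
    struct device *d;
    int n = 0;
    for (int i = 0; i < NDEV; i++)
        n += lookup_device(c, devices[i].id, &d) == LOOKUP_OK;
    return n;
}

int main(void)
{
    struct client app = { 20, ROLE_APP }, dlg = { 10, ROLE_PASSWORD_DIALOG };
    printf("app: %d of %d, dialog: %d\n", grab_all(&app), NDEV, grab_all(&dlg));
    return 0;
}
```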