Pointer grabs causing accessibility issues! Why not deprecate them?

Eamon Walsh ewalsh at tycho.nsa.gov
Wed Apr 30 20:05:14 PDT 2008


Francesco Fumanti wrote:
> Hello,
>
> Daniel Stone wrote:
>   
>>> If we need a protocol for ordered-priority grabs, then yes, let's get
>>> that sorted (it's on my ever-expanding Xi 2 list: replace grabs with a
>>> priority at event selection, and max priority = grab, whereas the rest
>>> is descending).  At this point, you can get the security boffins
>>> together, and they can bang heads and agree on a happy protocol for
>>> ensuring the integrity of this, such as having whatever Eamon's
>>> extension is called this week verify that anything grabbing at such
>>> a high level _is_ actually an input method.
>>>       
>
> If I get it right, that would mean the following for the particular 
> problem about policykit and an onscreen keyboard:
>
> Supposing that the onscreen keyboard had a higher as the policykit 
> dialog, the events belonging to the onscreen keyboard would get to the 
> onscreen keyboard; but events belonging to other applications with a 
> lower priority than policykit would get grabbed by policykit.
>
> I don't have the knowledge to understand the implication of such a 
> change to X and whether it would really solve the problem. But I think 
> that it is an interesting point that might deserve consideration and 
> probably refinement. (e.g.: How to determine what priority to give to 
> the different applications? What happens in case of equal priority?...)
>
>
> Eamon Walsh wrote:
>   
>> Honestly I'm increasingly convinced that MPX is the best way to solve 
>> this problem, and related problems such as separating input by security 
>> level.
>>
>> Create a new virtual mouse/keyboard that no one else can see and use to 
>> it to get the password.
>>     
>
> Wikipedia just informed me that MPX stands for Multi-Pointer X Server. ;-)
> But how does it solve the pointer grabbing issue: could an application 
> not simply grab the events of all pointers and keyboards?
>   

This can be controlled through security policy or an extension.  Devices 
are referenced by number in protocol requests and the device lookup 
function does a permission check.  MPX has some built-in access 
controls.  There's almost certainly work to be done but the concept of a 
private device (that could still be seen by input helpers) seems not too 
far-fetched.  Under this scenario the password dialog would not need to 
perform a grab.

The grab priority thing might be useful as well.  I'm not keen on 
assigning a security model to it though - grabs are the most complicated 
part of X I've seen, and widely used for UI stuff.  I want to use MPX as 
an escape pod to avoid dealing with them.


> Cheers
>
> Francesco
>
>   


-- 
Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency




More information about the xorg mailing list