Way-secure: A helper to create Wayland security contexts via security_context_v1


#way-secure

Source | Mailing List | Chat

A helper to create Wayland security contexts via security_context_v1.

#Usage

way-secure needs to be provided with the socket where the compositor will listen to events. The parent process needs to create the socket, bind it and prepare it to accept connections by calling listen(2).

Create a socket at a given path:

way-secure --socket-path /run/user-1000/wayland-secure-context-123

For shell scripts, consider using s6-ipcserver-socketbinder:

s6-ipcserver-socketbinder /path/to/socket way-secure --socket-fd 0
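For a parent process written in Rust, the same hand-off can be done without s6. This is an added example, not code from the way-secure project: the socket name wayland-secure-example and the 0600 mode are assumptions of the example, and only the --socket-fd flag is taken from this page.

```rust
use std::fs::{self, Permissions};
use std::io;
use std::os::fd::OwnedFd;
use std::os::unix::fs::PermissionsExt;
use std::os::unix::net::UnixListener;
use std::path::Path;
use std::process::{Command, Stdio};

/// Create the socket, bind it to `path` and put it in the listening state.
/// `UnixListener::bind` performs socket(2), bind(2) and listen(2) in one call.
pub fn prepare_socket(path: &Path) -> io::Result<UnixListener> {
    let listener = UnixListener::bind(path)?;
    // Example choice: restrict the socket file to its owner. The 0700 mode of
    // $XDG_RUNTIME_DIR covers the short window between bind and chmod.
    fs::set_permissions(path, Permissions::from_mode(0o600))?;
    Ok(listener)
}

/// Build the way-secure invocation with the listening socket as fd 0,
/// mirroring `s6-ipcserver-socketbinder /path/to/socket way-secure --socket-fd 0`.
pub fn way_secure_command(listener: UnixListener) -> Command {
    let mut cmd = Command::new("way-secure");
    // Rust opens the listener close-on-exec; handing it over as stdin makes the
    // child receive it as fd 0, and no other descriptor of the parent leaks.
    cmd.args(["--socket-fd", "0"])
        .stdin(Stdio::from(OwnedFd::from(listener)));
    cmd
}

fn main() -> io::Result<()> {
    let runtime_dir = std::env::var_os("XDG_RUNTIME_DIR")
        .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "XDG_RUNTIME_DIR is not set"))?;
    // Hypothetical socket name, chosen for this example.
    let path = Path::new(&runtime_dir).join("wayland-secure-example");
    let listener = prepare_socket(&path)?;
    let child = way_secure_command(listener).spawn()?;
    println!("way-secure running as pid {} on {}", child.id(), path.display());
    Ok(())
}
```

The path bound here is the only socket that should be made visible inside the sandbox.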

The optional flags --sandbox-engine, --app-id and --instance-id may be provided to relay metadata to the compositor.

An optional file descriptor provided via --close-fd can control when the compositor ought to stop listening for new connections. If this flag is not provided, way-secure will remain in the background, and the secure context will continue accepting connections until the way-secure process is killed.

Use the --ready-fd flag for readiness notification.

#Building

Build with cargo build --release. The resulting binary will be available in ./target/release/way-secure.

#Basic testing

Set up a socket:

s6-ipcserver-socketbinder $XDG_RUNTIME_DIR/wayland-4 cargo run -- --socket-fd 0

And run wayland-info pointing to it:

WAYLAND_DISPLAY=wayland-4 wayland-info

#Security

Using a secure-context is required to create a secure sandbox on a Wayland desktop, but it is not sufficient. A client can trivially inspect $XDG_RUNTIME_DIR and find a fully privileged socket. This tool is intended to be used in concert with other sandboxing techniques.

#Licence

This project is licensed under the ISC licence. See LICENCE.md for details.
