There isn't a real attack using it yet, only because attacking Desktop Linux is a really unprofitable endeavor (considering the marketshare, the ROI must be very low).
> To actually be safe while installing and running malicious applications you need extensive sandboxing
FWIW, X11 is unsandboxable unless you run a second X server on top of your current server [0]. Which is fine, but you need to consider that most, if not all, sandboxing solutions on Linux that "newbs" use, like Flatpak, do not employ such a technique when running sandboxed X11 applications.
The "security by default" behavior of Wayland limits the possible attack surface a lot, without requiring the end user to understand all the nitty details involved.
Why is X11 unsandboxable? A similar but reverse approach to Xwayland, something like waylandX could be used to be part of the overall sandbox approach to run untrusted applications. That would have the advantage that the severe restrictions and feature degradations of wayland are only applied to those untrusted sandboxed applications, not everything.
Ultimately, X11 opens up everything. What you suggest (WaylandX) is essentially allow-by-default.
When this is the case and there is a supply chain attack, what you think is a trusted application (and therefore not running under "WaylandX") can very well keylog you or take screenshots of your desktop without your consent.
In a deny-by-default model à la Wayland, applications will have to ask for permissions before they can do something considered to be privileged.
You're not telling me anything I don't already know and haven't already explained. X11 keyloggers are trivial, and virtually never seen in the wild. X11 makes sandboxing impossible, but that doesn't matter because I'm not going to waste my time on something like Qubes anyway, and newbs from Windows aren't being directed to setups like that either. They're all installing Mint or Ubuntu where the security of Wayland is nullified by the absence of sandboxing.
> newbs from Windows aren't being directed to setups like that either. They're all installing Mint or Ubuntu where the security of Wayland is nullified by the absence of sandboxing.
This cannot be further from the truth. Amongst the newcomers, it is rather popular nowadays to use Flatpak-bundled apps; especially with the rise of SteamOS (the Deck essentially), lots of Linux newcomers are in fact first exposed to Flatpak and running untrusted executables in a sandbox.
And the most prominent "untrusted executable" today to those newcomers has to be Bottles, which is a nice GUI wrapper for Wine and is sandboxed (if you enable wine-wayland, of course).
> I wouldn't trust flatpak enough to run a truly untrusted executable. I am sure flatpak's isolation is full of holes unrelated to windowing.
As compared to running untrusted programs completely naked?
> But I don't think a game purchased through steam counts as untrusted.
Bottles is there for people to run any Win32 program, not just Steam games. And I shouldn't have to tell you how many malicious Win32 programs there are.
Just google the criticisms of flatpak from a security perspective. They're out there.
Containerization on Linux was never intended to be a security feature for totally untrusted, malicious code. It's isolation for trusted code. If your scenario relies on securely running untrusted executables in a Linux container you are doing stupid things.
I am well aware of the weak points of Flatpak. But are you suggesting that running applications in a container is not more secure than running an executable completely naked?
You see: If you want absolute security, for sure, go for a full-fledged VM! Or run something like QubesOS. It is a completely reasonable decision.
However, malice certainly has degrees, and the "mildly malicious" programs most likely cannot take advantage of sandbox escaping exploits. If Flatpak can stop 95% of all attacks (relative to running a program completely without sandboxing), that is already a win in my book.
But I will note again that X11 is a big hole (as in, almost a complete free-for-all) for sandbox escaping in Flatpak.
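The X11 hole the post above describes is, in Flatpak terms, the `x11` entry in an app's `sockets=` permission. The following is an added audit script, not code from the thread or from the Flatpak project; it parses the key=value text that `flatpak info --show-permissions APP` prints (a `[Context]` section with a semicolon-separated `sockets=` list), reports which installed apps still have the X11 socket, and uses constructed sample permission texts so it also runs without Flatpak installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit Flatpak apps for the X11 socket,
# which is the sandbox hole the discussion refers to. Parses the output layout
# of `flatpak info --show-permissions APP`. Sample texts below are constructed.

# Return 0 (true) if the permissions text grants the plain x11 socket.
# `fallback-x11` (X11 only when Wayland is unavailable) is deliberately not
# counted as exposed.
has_x11_socket() {
    printf '%s\n' "$1" |
        sed -n 's/^sockets=//p' |
        tr ';' '\n' |
        grep -qx 'x11'
}

# One-word verdict for one app's permissions text.
x11_verdict() {
    if has_x11_socket "$1"; then
        echo "x11-exposed"
    else
        echo "x11-denied"
    fi
}

# Constructed samples in the same layout as `flatpak info --show-permissions`.
SAMPLE_X11='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;'

SAMPLE_WAYLAND_ONLY='[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;pulseaudio;
devices=dri;'

# Live audit of every installed app; silently skipped when flatpak is absent.
audit_installed() {
    command -v flatpak >/dev/null 2>&1 || return 0
    flatpak list --app --columns=application | while read -r app; do
        [ -n "$app" ] || continue
        perms=$(flatpak info --show-permissions "$app" 2>/dev/null)
        printf '%s\t%s\n' "$(x11_verdict "$perms")" "$app"
    done
}

echo "sample-x11: $(x11_verdict "$SAMPLE_X11")"
echo "sample-wayland-only: $(x11_verdict "$SAMPLE_WAYLAND_ONLY")"
audit_installed
```

For an app the audit reports as exposed, `flatpak override --user --nosocket=x11 APP` revokes the X11 socket for that app; it will then only work if it can run on Wayland.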
You seem to think a lot of things that aren't security boundaries are security boundaries. There have been VM escapes too. VMs are not for running untrusted OS images you get from end users.
I am not sure where you got the impression of me talking about only "Steam games". Bottles allows you to run any Win32.
And besides that, "these threats are off in fantasy land" is an invalid defense in my opinion, considering the (quite sophisticated) XZ Utils backdoor happened not too long ago! Like I said, if such an attack towards X11 hasn't been deployed in the wild, it can only suggest such an endeavor is unprofitable, not that the threats are fantastical.
The XZ Utils backdoor could have exploited X11, but didn't. And the most common Wayland configurations wouldn't have protected people from the backdoored utility; only extremely paranoid and therefore esoteric setups might have.
> And the most common Wayland configurations wouldn't have protected people from the backdoored utility
If the attacker decided to backdoor a utility and make use of X11, it is most likely that the backdoored utility will listen to keyboard events and read the bitmaps of other X11 clients.
And there's nothing that can stop the backdoor from doing so on X11...
Anyways, if you are saying the Wayland security policies are unneeded because there hasn't been an attack on X11 (this is the fundamental disagreement between us), consider the following: you don't install doors on your premises because there hasn't been a case of burglary in your neighborhood?
A simple search leads me to this: https://github.com/anko/xkbcat
[0]: https://wiki.archlinux.org/title/Bubblewrap#Sandboxing_X11