On 06/15/2016 04:11 AM, Andrew Lutomirski wrote:
I *strongly* disagree here. The xdg-app folks seem to be doing a pretty good job with their sandbox. The kernel attack surface is reduced considerably, as is the attack surface against the user via ptrace and filesystem access. If Wayland is available (which is should be!) then so is the attack surface against X.
What about the direct access to DRI device nodes? Why isn't this a problem that reduces the effectiveness of the sandbox considerably?
Thanks, Florian -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
