Re: So how would I write policy with xace/XSELinux to stop xspy from working?

Daniel J Walsh wrote:

http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html

I want to launch gnome-screensaver with a different context and not let
xspy grab the password.

Unfortunately, putting gnome-screensaver into a separate context cannot solve this problem. xspy works by directly reading the state of the keyboard using XQueryKeymap(). The location of the input focus does not matter to this call; this is by design of the X protocol.

The solution has to be globally denying "read" permission on the default keyboard device. The vast majority of apps should never need this permission because the proper way to receive input is to passively wait for input events on your own windows, not to go out and actively query device state in this manner.

I tried this just now and it stopped xspy cold. However, there may need to be some refinement of the controls in this area. In particular, XQueryPointer() also requires "read" permission and this seems to be more frequently called, e.g. by toolkit libraries, even though it really is snooping; you can likely determine a lot just by knowing the movements of the mouse.


--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
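
Added example, not part of the original message or of any shipped policy: a small audit that lists which source domains hold "read" on an X device type, the permission the reply ties to XQueryKeymap() and XQueryPointer(). The rule text is constructed and every type name in it (xkbd_dev_t, xptr_dev_t, screensaver_t and so on) is hypothetical.

```python
import re

# Constructed sample rules in SELinux policy syntax. All type names are
# hypothetical placeholders, not taken from the reference policy.
SAMPLE_RULES = """
allow screensaver_t xkbd_dev_t:x_device { getattr use };
allow untrusted_app_t xkbd_dev_t:x_device { getattr read use };   # keyboard state
allow toolkit_app_t xptr_dev_t:x_device read;                     # pointer state
allow wm_t { xkbd_dev_t xptr_dev_t }:x_device { read grab };
allow wm_t root_window_t:x_drawable { read getattr };
"""

# A token is either a single identifier or a brace-delimited set.
_TOK = r"(\{[^}]*\}|[\w.]+)"
_RULE = re.compile(rf"^\s*allow\s+{_TOK}\s+{_TOK}\s*:\s*{_TOK}\s+{_TOK}\s*;")


def _names(token):
    """Expand 'a' or '{ a b }' into a list of names."""
    return token.strip("{} ").split()


def device_readers(policy_text, device_types):
    """Map each device type to the sorted source domains allowed x_device read.

    Only plain 'allow' rules are handled; attributes must already be
    expanded in the input text.
    """
    found = {dev: set() for dev in device_types}
    for line in policy_text.splitlines():
        match = _RULE.match(line.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        sources, targets, classes, perms = map(_names, match.groups())
        if "x_device" not in classes or "read" not in perms:
            continue
        for target in targets:
            if target in found:
                found[target].update(sources)
    return {dev: sorted(srcs) for dev, srcs in found.items()}


if __name__ == "__main__":
    for dev, domains in device_readers(SAMPLE_RULES, ["xkbd_dev_t", "xptr_dev_t"]).items():
        print(f"{dev}: read allowed for {', '.join(domains) or 'nobody'}")
```

Any domain listed for the keyboard type is one that could poll key state regardless of input focus, so each entry there needs a justification or removal.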

