Eamon Walsh wrote:
> Daniel J Walsh wrote:
>> http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html
>>
>> I want to launch gnome-screensaver with a different context and not let
>> xspy grab the password.
>>
>
> Unfortunately, putting gnome-screensaver into a separate context cannot
> solve this problem.  xspy works by directly reading the state of the
> keyboard using XQueryKeymap().  The location of the input focus does not
> matter to this call; this is by design of the X protocol.
>
> The solution has to be globally denying "read" permission on the default
> keyboard device.  The vast majority of apps should never need this
> permission because the proper way to receive input is to passively wait
> for input events on your own windows, not to go out and actively query
> device state in this manner.
>
> I tried this just now and it stopped xspy cold.  However, there may need
> to be some refinement of the controls in this area.  In particular,
> XQueryPointer() also requires "read" permission and this seems to be
> more frequently called, e.g. by toolkit libraries, even though it really
> is snooping; you can likely determine a lot just by knowing the
> movements of the mouse.
>
>
Well, it seems like all confined domains should have the read on the
keyboard blocked then, and maybe unconfined_t by boolean.

--
This message was distributed to subscribers of the selinux mailing list.
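An added example, not part of the original thread: one way to audit a policy for the change discussed above, listing which domains hold "read" on the X input device classes and whether a boolean gates it. The rule lines are constructed in the style of sesearch output; the class names (x_device, x_keyboard, x_pointer), the type names and the boolean name are assumptions to adjust to the loaded policy.

```python
import re

# Classes whose "read" permission covers polling device state, as with
# XQueryKeymap()/XQueryPointer(). Class names are an assumption about the
# loaded policy; adjust them to match it.
DEVICE_CLASSES = {"x_device", "x_keyboard", "x_pointer"}

# allow <source> <target>:<class> <perm | { perms }>; [ <boolean> ]:<state>
RULE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]\s*:\s*(?P<state>True|False))?\s*$"
)

def keyboard_readers(lines):
    """Return (unconditional, conditional) sources allowed 'read' on input devices.

    unconditional: set of source types with an always-active rule.
    conditional:   {source type: {(boolean, state), ...}} for gated rules.
    """
    unconditional, conditional = set(), {}
    for line in lines:
        m = RULE.match(line.strip())
        if not m or m["cls"] not in DEVICE_CLASSES:
            continue
        perms = (m["perms"] or m["perm"]).split()
        if "read" not in perms:
            continue
        if m["cond"]:
            conditional.setdefault(m["src"], set()).add((m["cond"], m["state"]))
        else:
            unconditional.add(m["src"])
    return unconditional, conditional

# Constructed sample rules; all type and boolean names are hypothetical.
SAMPLE = """\
allow screensaver_t xserver_t:x_device { getattr use };
allow toolkit_app_t xserver_t:x_device { getattr read use };
allow unconfined_t xserver_t:x_device read; [ allow_x_device_read ]:True
allow viewer_t xserver_t:x_drawable { read getattr };
""".splitlines()

if __name__ == "__main__":
    always, gated = keyboard_readers(SAMPLE)
    print("read without condition:", sorted(always))
    for src, conds in sorted(gated.items()):
        print("read gated by boolean:", src, sorted(conds))
```

Any confined domain that shows up in the unconditional set is a candidate for having the permission removed; the conditional map shows which boolean would need to stay off.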