00:31 <vilhalmer> there's nothing in the spec for access control, but also nothing preventing the compositor from intervening

00:31 <vilhalmer> you could write a custom protocol that gives a specially-designated client the ability to decide who gets to see what

00:32 <vilhalmer> (or put it directly in the compositor, but it doesn't really belong there)

00:33 <vilhalmer> the sway project might be interested in collaborating on that, I know drew has/had plans for security features that haven't arrived yet

00:33 <vilhalmer> like authorizing clients to use a given protocol extension

09:13 <qyliss> edef: look at this!!!

09:13 <qyliss> https://github.com/firecracker-microvm/firecracker/blob/master/docs/vsock.md#firecracker-virtio-vsock-design

09:13 <qyliss> Firecracker does userspace vsock

09:13 <qyliss> No vhost required

09:13 <qyliss> The code looks fairly portable to crosvm too

09:14 <MichaelRaskin> Oh nice (re: vsock)

09:15 <MichaelRaskin> vilhalmer: well, X11 protocol could also be implemented with each client having an illusion of being alone, unless specially authorised… if wl_roots has some plans to implement filtering, that might be interesting of course.

09:15 <MichaelRaskin> Then we get Wayland access control done in an incompatible way between wl_roots/KDE/Gnome, right?

09:24 <MichaelRaskin> Hm nice, so Firecracker virtio-vsock is even usable for dynamic multiplexing.

09:24 <MichaelRaskin> So such code should be usable for a network-front VM accepting connections from dynamically created network-using VMs

12:00 <Shell> MichaelRaskin: access control is semi-intentionally not part of Wayland, as xdg-desktop-portal is intended to be the way folks access access-controlled desktop things these days. nobody thought anyone would want to access-control the clipboard though, I imagine. putting the access control stuff in the compositor (or a subprocess thereof) for now seems fine I guess?

12:23 <qyliss> I'd surprised nobody thought of access controlling the clipboard, since Qubes does it...

12:23 <qyliss> And I'd have assumed Qubes would have come up as an example of access controls in desktop environments

12:33 <Shell> qyliss: it could also have been a case of "we need a clipboard to be usable and cba doing access control yet, ship it".

13:01 <MichaelRaskin> If anything needs access control, clipboard is in top 3

14:07 <edef> qyliss: right, but i wanted vhost-net

14:08 <edef> qyliss: like, purposefully

16:02 <qyliss> edef: I don't

16:02 <qyliss> But yes, I do understand that.

16:02 <qyliss> crosvm's implementation is vhost-net

16:02 <qyliss> So you get best of both worlds :)

16:04 <qyliss> I've been finding it difficult to concentrate for the past couple of days so I think I'm going to take a few days off. Probably won't be on IRC much until then. :)

16:04 <qyliss> (that's addressed to the channel, not a response to anybody in particular)

17:14 <edef> qyliss: :3