security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Harden access to PipeWire via pw_security_context #26

New Issue
Closed
opened 2025-11-15 12:40:34 +09:00 by ophestra · 2 comments
ophestra commented 2025-11-15 12:40:34 +09:00
Owner
Copy Link

Pipewire provides pw_security_context which is similar to wayland security-context-v1 that hakurei already supports. Flatpak currently does not appear to make use of this protocol.

The /.flatpak-info hack described in #21 is vulnerable to a confused deputy attack and race condition which this protocol is secure against. It is, however, not yet known whether the secure screen sharing protocol is usable through this, but a quick read of the source code suggests that is only possible via the /.flatpak-info hack.

Pipewire provides [pw_security_context](https://docs.pipewire.org/group__pw__security__context.html) which is similar to wayland `security-context-v1` that hakurei already supports. Flatpak currently does not appear to make use of this protocol. The `/.flatpak-info` hack described in #21 is vulnerable to a confused deputy attack and race condition which this protocol is secure against. It is, however, not yet known whether the secure screen sharing protocol is usable through this, but a quick read of the source code suggests that is only possible via the `/.flatpak-info` hack.
❤️ 1
ophestra added the
Reviewed
Confirmed
Kind
Security
Priority
Critical
 labels 2025-11-15 12:40:34 +09:00
ophestra added a new dependency 2025-11-15 12:43:05 +09:00
#21 Determine what to do with existing `/.flatpak-info` behaviour
ophestra commented 2025-11-17 22:50:11 +09:00
Author
Owner
Copy Link

Implementation works now, but cannot build static hakurei because pipewire does not support static linking.

Implementation works now, but cannot build static hakurei because pipewire does not support static linking.
👍 1
ophestra added the
Status
Blocked
 label 2025-11-17 22:50:24 +09:00
ophestra added a new dependency 2025-11-18 22:46:07 +09:00
#28 WIP: internal/pipewire: integrate pw_security_context
ophestra commented 2025-12-06 21:20:47 +09:00
Author
Owner
Copy Link

Implementation of PipeWire client is now complete at 3cb58b4b72. This should be able to move forward soon.

Implementation of PipeWire client is now complete at https://git.gensokyo.uk/security/hakurei/commit/3cb58b4b72ddb9ae1e354b954ae15230c9a49d6d. This should be able to move forward soon.
👍 1 👀 1 ❤️ 1 🎉 1 🚀 1
ophestra removed a dependency 2025-12-06 21:20:57 +09:00
#28 WIP: internal/pipewire: integrate pw_security_context
ophestra removed the
Status
Blocked
 label 2025-12-06 21:21:13 +09:00
cat referenced this issue from a commit 2025-12-07 22:37:34 +09:00
hst: add pipewire flag
cat closed this issue 2025-12-09 08:13:38 +09:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat
Breaking
Breaking change that won't be backward compatible
Kind
Bug
Something is not working
Kind
Documentation
Documentation changes
Kind
Enhancement
Improve existing functionality
Kind
Feature
New functionality
Kind
Security
This is security issue
Kind
Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
No Label
Kind
Security
Priority
Critical
Reviewed
Confirmed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cat maemachinebroke noir ophestra
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Blocks
#21 Determine what to do with existing `/.flatpak-info` behaviour
security/hakurei
Reference: security/hakurei#26
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?