Several interfaces in KWayland (Server) need to be security aware. That is, not every application should be allowed to access them.
One idea is that applications can install a config file into a well-defined configuration directory. The group is the absolute file path to the binary, the key is the interface name, and the value is Allowed, Denied or Undecided. E.g.:
    [/usr/bin/plasmashell]
    PlasmaShell=Allowed
    Screenshot=Denied
KWayland gains a security interceptor which is invoked whenever a client tries to bind an interface. The security interceptor invokes a chain of registered interceptors which evaluate whether the client is allowed to bind the interface. If the current interceptor returns undecided, the next one is invoked. On allowed or denied, the interception ends.
KWayland would provide three default interceptors:
- allow all
- deny all
- configuration directory based
The user of the library can build up its own security interceptor chain including the default ones and custom ones.
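
A sketch of the chain described above, with the three default interceptors and a parser for the config format. This is an added example, not KWayland code: all type and function names are hypothetical. It assumes one entry per line, treats unknown values as Undecided, and returns Denied when every interceptor in the chain is undecided, a case the proposal leaves open.

```cpp
#include <functional>
#include <map>
#include <sstream>
#include <string>
#include <vector>
// Hypothetical names, not KWayland API. An interceptor gets (binary path, interface).
enum class Decision { Allowed, Denied, Undecided };
using Interceptor = std::function<Decision(const std::string &, const std::string &)>;
using Policy = std::map<std::string, std::map<std::string, Decision>>;
// Parse "[/abs/path]" groups holding "Interface=Value" keys, one per line.
Policy parsePolicy(const std::string &text) {
    Policy policy;
    std::istringstream in(text);
    std::string line, group;
    while (std::getline(in, line)) {
        const auto eq = line.find('=');
        if (line.size() > 2 && line.front() == '[' && line.back() == ']') {
            group = line.substr(1, line.size() - 2);
        } else if (!group.empty() && eq != std::string::npos) {
            const std::string value = line.substr(eq + 1);
            // Assumption: unknown values map to Undecided, so a typo never grants access.
            policy[group][line.substr(0, eq)] = value == "Allowed" ? Decision::Allowed
                : value == "Denied" ? Decision::Denied : Decision::Undecided;
        }
    }
    return policy;
}
Interceptor allowAll() { return [](const std::string &, const std::string &) { return Decision::Allowed; }; }
Interceptor denyAll() { return [](const std::string &, const std::string &) { return Decision::Denied; }; }
Interceptor configBased(Policy policy) {
    return [policy](const std::string &binary, const std::string &iface) -> Decision {
        const auto g = policy.find(binary);
        if (g == policy.end() || !g->second.count(iface)) return Decision::Undecided;
        return g->second.at(iface);
    };
}
// Walk the chain in order; the first Allowed or Denied ends the interception.
// Assumption: an exhausted chain yields Denied (the proposal does not define this case).
Decision evaluate(const std::vector<Interceptor> &chain, const std::string &binary, const std::string &iface) {
    for (const auto &interceptor : chain) {
        const Decision d = interceptor(binary, iface);
        if (d != Decision::Undecided) return d;
    }
    return Decision::Denied;
}
int main() {
    const Policy p = parsePolicy("[/usr/bin/plasmashell]\nPlasmaShell=Allowed\nScreenshot=Denied\n");
    const std::vector<Interceptor> chain{configBased(p), denyAll()};
    return evaluate(chain, "/usr/bin/plasmashell", "Screenshot") == Decision::Denied ? 0 : 1;
}
```

Placing the config-based interceptor ahead of deny-all gives a default-deny chain in which only binaries with an explicit Allowed entry can bind an interface.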