We grant access to all of /run/user/1000/ (where 1000 is my UID), which is needed for at-spi2 since it puts folders with random-looking names. But there are sockets there for gnome-keyring, dconf, and gvfs that the web process really should not be able to touch. Possible solutions: * Support globs, so that we can more precisely whitelist /run/user/1000/at-spi2-* instead. * Even then, I imagine the web process can do bad things to other apps with that permission... can it be used to inspect or control other processes? It would be nicest if at-spi2 created a more predictable directory name so that we could limit the web process.
Hey Joanie, I think you're the expert here. The security model is that the web process has been compromised and running attacker-controlled code, and is trying to access the user's personal files, so ideally it would not be able to have any more access in /run/user/uid than it really needs. I can just imagine it using the at-spi2 socket to control nautilus or something; is that possible?
Adding Piñeiro.
Talked with AP. Indeed, the at-spi2 socket is a total sandbox escape: it can be used to inspect the accessibility tree of arbitrary applications, send them keyboard input, etc. We can't allow access to it. Also we can't block it, since that breaks a11y. A design change will be required. It should be considered in tandem with the problem of supporting a11y under Wayland.