Context & Motivation
A "sandbox escape" vulnerability exists where a sandboxed application (e.g., a Flatpak) that has permission to access a virtual input device can inject keystrokes into the host's desktop environment.
If a virtual keyboard created by the sandbox is attached to the default seat (seat0), the host's Compositor (Mutter, KWin, etc.) treats it as a physical keyboard. The sandboxed app can then:
- Inject `Alt+F2` to open the "Run Command" dialog.
- Type a command to execute arbitrary code outside the sandbox.
- Inject global shortcuts (e.g., `Super`, `Ctrl+Alt+T`) to interact with the host shell.
To mitigate this, virtual input devices managed by vuinputd must be logically isolated from the active user session so that the desktop environment ignores their input.
Technical Architecture
This mechanism relies on udev tagging and systemd-logind seat management, supported by fallbackdm to ensure no "unowned" seats exist.
- Udev Rule Generation: (already done)
  - Create a udev rule targeting devices created by `vuinputd`.
  - Match devices by subsystem (`input`) and specific attributes (e.g., `ATTRS{name}=="vuinputd-keyboard"`).
- Seat Assignment: (already done)
  - Apply the tag `ENV{ID_SEAT}="seat_vuinput"` to these devices.
  - This forces `systemd-logind` to recognize the device as belonging to a separate seat, distinct from `seat0`.
- Fallbackdm Integration:
  - Ensure `fallbackdm` is running to own the VTs in case no other graphical interface that owns the VT is running. This prevents the isolated seat from accidentally becoming the "active" console input source if the main graphical session terminates.
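A way to verify the seat assignment described under Technical Architecture, as an added example that is not part of the original issue or of vuinputd: it parses text in `udevadm info --export-db` format and lists vuinputd input devices that still resolve to `seat0`. The sample records are constructed, and matching on the substring `vuinputd` in the device name is an assumption taken from the issue's example name.

```python
import re

TRUSTED_SEAT = "seat0"   # seat the host compositor reads input from
NAME_MARK = "vuinputd"   # assumption: vuinputd device names contain this
# Constructed records in `udevadm info --export-db` format (not real output).
SAMPLE_DB = """\
P: /devices/virtual/input/input30
E: SUBSYSTEM=input
E: NAME="vuinputd-keyboard"
E: ID_SEAT=seat_vuinput

P: /devices/virtual/input/input31
E: SUBSYSTEM=input
E: NAME="vuinputd-keyboard"

P: /devices/virtual/input/input31/event21
E: SUBSYSTEM=input

P: /devices/platform/i8042/serio0/input/input3
E: SUBSYSTEM=input
E: NAME="AT Translated Set 2 keyboard"
"""

def parse_db(text):
    """Return {devpath: {property: value}} from export-db style records."""
    devices = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        paths = [ln[3:].strip() for ln in lines if ln.startswith("P: ")]
        props = dict(ln[3:].split("=", 1) for ln in lines if ln.startswith("E: ") and "=" in ln)
        if paths:
            devices[paths[0]] = {k: v.strip().strip('"') for k, v in props.items()}
    return devices

def exposed_devices(text):
    """Devpaths of vuinputd input devices that logind would place on seat0."""
    devices, findings = parse_db(text), []
    for path, props in sorted(devices.items()):
        # Event nodes carry no NAME; inherit it from the parent inputN device.
        parent = devices.get(path.rsplit("/", 1)[0], {})
        name = props.get("NAME") or parent.get("NAME", "")
        # logind treats an input device without ID_SEAT as part of seat0.
        on_seat0 = props.get("ID_SEAT", TRUSTED_SEAT) == TRUSTED_SEAT
        if props.get("SUBSYSTEM") == "input" and NAME_MARK in name and on_seat0:
            findings.append(path)
    return findings

if __name__ == "__main__":
    print("\n".join(exposed_devices(SAMPLE_DB)) or "all vuinputd devices isolated")
```

On a live host, feed it the output of `udevadm info --export-db`; an empty result means every matching device carries a non-default `ID_SEAT`.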