
nesteroff

This adds the ability to enable a security context indicator around floating windows similar to the focus indicator.

The security context protocol is commonly used when running applications in sandboxed environments. Being able to enable an indicator helps clearly distinguish between sandboxed and regular application windows. This is especially useful when running multiple apps with different sandbox settings. For example, a user might have a "trusted" browser running in a strict secure sandbox with a green window border and a regular one with red.

The indicator can be enabled by defining rules based on the sandbox engine and appid from the security context protocol and by specifying an indicator color in the security_context configuration file.

This might not be the most widely requested feature but it’s quite useful in certain scenarios. I’m sharing it here to see if there’s any interest in merging something like this or if others have thoughts or suggestions on how it could be improved.

@ids1024
Member

ids1024 commented Jun 11, 2025

One limitation of this is that it won't display anything for X11 windows in a sandbox. It may be good to fall back to a different method of detection for that.

(I intend to use pop-os/cosmic-protocols#59 to allow clients to do this; /proc/$PID/root/.flatpak-info is apparently what other things use to determine if a process is running in a Flatpak.)
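The `/proc/$PID/root/.flatpak-info` check mentioned in the comment above, sketched as an added example (not code from this pull request or from cosmic-comp). The names `flatpak_hint`, `parse_app_id` and `FlatpakHint` are hypothetical, and the `[Application]` / `name` layout comes from Flatpak's keyfile format rather than from this page.

```rust
use std::fs;
use std::path::Path;

/// Sandbox hint derived from `<proc_root>/<pid>/root/.flatpak-info`.
#[derive(Debug, PartialEq)]
pub enum FlatpakHint {
    /// No readable .flatpak-info: not a Flatpak, or no access to the process root.
    NotDetected,
    /// File present; `app_id` is the `name` key of `[Application]`, if any.
    Flatpak { app_id: Option<String> },
}

/// `proc_root` is a parameter (normally "/proc") so the check can be exercised offline.
pub fn flatpak_hint(proc_root: &Path, pid: u32) -> FlatpakHint {
    let path = proc_root.join(pid.to_string()).join("root").join(".flatpak-info");
    match fs::read_to_string(&path) {
        Ok(text) => FlatpakHint::Flatpak { app_id: parse_app_id(&text) },
        // Missing file and permission errors are both reported as "not detected".
        Err(_) => FlatpakHint::NotDetected,
    }
}

/// Minimal keyfile scan: return `name=` from the `[Application]` group only.
pub fn parse_app_id(text: &str) -> Option<String> {
    let mut in_application = false;
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') && line.ends_with(']') {
            in_application = line == "[Application]";
        } else if in_application {
            if let Some((key, value)) = line.split_once('=') {
                if key.trim() == "name" && !value.trim().is_empty() {
                    return Some(value.trim().to_string());
                }
            }
        }
    }
    None
}

fn main() {
    // Stand-alone usage: inspect the current process.
    println!("{:?}", flatpak_hint(Path::new("/proc"), std::process::id()));
}
```

The file is read from inside the target process's own root, so the result is a hint for display purposes rather than an authenticated claim about the sandbox.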

@nesteroff
Author

> One limitation of this is that it won't display anything for X11 windows in a sandbox. It may be good to fall back to a different method of detection for that.

That’s a good point. The idea behind this is to have an indicator specifically for the security context protocol. It shows that the app is running in a sandbox (though this can mean different things) and that it has restrictions on which Wayland protocols it can access. For X11 windows, that probably isn't the case so it’s somewhat logical that there wouldn’t be a security context indicator visible.

It would definitely be nice to have a more general "sandbox indicator" mechanism but that really depends on sandboxing engine implementation. I'm not sure we’d want to hardcode logic into the compositor to parse the internals of specific sandbox structures or something like that.

In my specific setup, for example, applications are sandboxed inside virtual machines so there isn't really much information available on the compositor side.
