GNOME's Mutter Adds Support For Launching "Trusted Clients" On Wayland
Merged into GNOME's Mutter compositor is an API for launching trusted clients on Wayland.
This "trusted clients" support is mainly about letting child windows be identified as coming from a parent window/process. It also opens up some nifty use-cases for GNOME on Wayland. The patch explains:
Unfortunately, although the child process can be a graphical program, currently it is not possible for the inner code to identify the windows created by the child in a secure manner (that is, being able to ensure that a malicious program won't be able to trick the inner code into thinking it is a child process launched by it).
Under X11 this is not a problem because any program has full control over its windows, but under Wayland it is a different story: a program can neither force its window to be kept at the top (like a docker program does) or at the bottom (like a program for desktop icons does), nor hide it from the list of windows. This means that it is not possible for a "classic", non-privileged program to fulfill these tasks, and it can be done only from code inside mutter (like a gnome-shell extension).
This is a non-desirable situation, because an extension runs in the same main loop as the whole desktop itself, which means that a complex extension can need to do too much work inside the main loop, and freeze the whole desktop for too much time. Also, it is important to note that JavaScript doesn't have access to fork(), or threads, which means that, at most, all the parallel computing that it can do is what is available in the _async calls in GLib/GObject.
Also, having to create an extension for any privileged graphical element is a stopper for a lot of programmers who already know GTK+ but don't know Clutter.
This patch wants to offer a solution to this problem, by offering a new class that allows launching a trusted child process from inside mutter, and makes it use a specific UNIX socket to communicate with the compositor. It also allows checking whether a specific MetaWindow was created by one of these trusted child processes or not.
This allows creating extensions that launch a child process, and when that process creates a window, the extension can confirm in a secure way that the window really belongs to that process launched by it, so it can give to that window "superpowers" like being kept at the bottom of the desktop, not being listed in the list of windows or shown in the Activities panel... Also, in future versions, it could easily implement protocol extensions that could only be used by these trusted child processes.
This trusted client API can also be used for handling desktop icons, a desktop dock, or top/bottom bars on the desktop in a secure manner on Wayland. More details via this commit.
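To make the "specific UNIX socket" idea concrete, here is an added sketch (not code from the Mutter commit) of why a launcher-created socket identifies a child more reliably than anything the client says about itself. It assumes the socket is one end of a socketpair() inherited by the child and named through the WAYLAND_SOCKET variable that libwayland-client honors; the struct and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Hypothetical compositor-side record for one client connection. */
struct client { int fd; int launched_by_us; };
/* Spawn a child whose only link to the "compositor" is one end of a private
 * socketpair. Trust is recorded here, at creation, never read from the wire. */
int launch_trusted(struct client *c) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                        /* a real launcher would exec() here */
        char num[16];
        close(sv[0]);
        snprintf(num, sizeof num, "%d", sv[1]);
        setenv("WAYLAND_SOCKET", num, 1);  /* fd number the client library reads */
        /* Stand-in for the client: find the inherited fd and talk on it. */
        _exit(write(atoi(getenv("WAYLAND_SOCKET")), "hello", 5) == 5 ? 0 : 1);
    }
    close(sv[1]);                          /* parent keeps only its own end */
    waitpid(pid, NULL, 0);
    c->fd = sv[0]; c->launched_by_us = 1;
    return 0;
}

/* A connection that arrived any other way (constructed stand-in for the
 * public socket). Whatever the peer sends, it is never marked as launched. */
void accept_public(struct client *c, int fd) { c->fd = fd; c->launched_by_us = 0; }
/* The check made before giving a client's window extra rights. */
int owns_client(const struct client *c) { return c->launched_by_us; }

/* Returns 3 when the launched child is accepted and the false claim refused. */
int demo(void) {
    struct client child, other;
    int pub[2];
    char buf[32] = {0};
    if (launch_trusted(&child) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, pub) < 0) return -1;
    if (read(child.fd, buf, sizeof buf - 1) != 5 || strcmp(buf, "hello") != 0) return -1;
    if (write(pub[1], "i-am-the-trusted-child", 22) != 22) return -1;  /* false claim */
    accept_public(&other, pub[0]);
    int r = owns_client(&child) | ((!owns_client(&other)) << 1);
    close(child.fd); close(pub[0]); close(pub[1]);
    return r;
}
int main(void) { return demo() == 3 ? 0 : 1; }
```

The trust bit is set only where the launcher creates the descriptor, so a process that merely connects and claims to be the child has nothing to present that the check looks at.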