That’s a bit strange. This interface checks whether the caller owns one of the allowed bus names and otherwise should deny the request. Is that app maybe impersonating one of the allowed apps?
The only one I can think of it could be impersonating would be org.gnome.Screenshot (i.e. the old gnome-screenshot). In that case an extension to block requests requests from that sender might be possible.
If it is impersonating one of the other senders, that would break other things, because all other allowed senders are required background services.
So this is indeed impersonating the old gnome-screenshot utility. In that case it should be possible to write an extension that replaces the Main.shellDBusService._screenshotService._senderChecker with a new DBusSenderChecker that only allows 'org.gnome.SettingsDaemon.MediaKeys', 'org.freedesktop.impl.portal.desktop.gtk', 'org.freedesktop.impl.portal.desktop.gnome'.
Stepping back for a moment: what is this rogue program?
The reason it is able to claim to be org.gnome.Screenshot is that it is being run unsandboxed, as the same user as your shell. No amount of patching the shell with extensions will protect you from a malicious unsandboxed program, because it can also unload your extension or delete it from disk.
If you want to put a security boundary around a program, then you need to put it in a sandbox.
hi,it is running un-sandboxed with my EUID (not root)…I dont think it has enough intelligence to delete my extensions. besides I will change the ownership (and the write access) to those gnome extension related files.
Personally, if I discovered that a program I’m using would covertly take screenshots of my desktop and upload them somewhere, I would probably stop running that program. Who knows what else it is doing?
If you have to keep using it for some reason, I would strongly suggest running it in a virtual machine, or failing that a very restricted sandbox, so that you can be sure it is not able to do other malicious things, rather than running it unconfined as your regular UID and hoping you have stopped it acting maliciously.
oh that part is already done…which is why I know enough about it, now I want to know how do i stop other applications (that I have not discovered yet) from doing this…this incident has put me on high alert…
I assumed this was more about an unwanted hardcoded feature in some app rather than an actively malicious one, because of the apparent availability of the source code. If you really want to prevent those from taking screenshots, something like a proper sandbox/vm/etc. would be required. Otherwise there are countless of ways a malicious application could end up taking screenshots by modifying the contents of your home directory to introduce malicious code into the compositor.
If we are talking about unsandboxed malicious applications, there is nothing you can do to really prevent them from taking screenshots if they are determined enough. You can only make it a bit harder for them and they would need to write more code to be able to do so.
Add an extension to stop allowing gnome-screenshot to take screenshots - The malicious app could disable that extension because it has access to your users settings.
Drop gnome-screenshot from the allowed applications in gnome-shell itself (like in the MR above) - The malicious app could run gnome-shell in unsafe mode, because it can create overrides for the service files to add the respective flags. Or it could impersonate one of the portal implementations, because malicious applications probably don’t care too much about not breaking other aspects of the system.
Drop the entire DBus interface for screenshots (at which point legitimate use cases also stop working) - The malicious app could install its own extension to take screenshots. (There are other ways not involving extensions as well, so removing extension support won’t help either)
Drop the entire screenshot implementation from gnome-shell and only handle screenshots in mutter C code without exporting any relevant functions - The malicious app could install a pre-loaded library to still allow taking screenshots.
Drop all screenshot functionality from mutter - A pre-loaded library would still work, just with more work to re-implement some of the functionality required for taking screenshots.
The point is not to prevent taking screenshots—that would be absurd. The point is to prevent taking screenshots programmatically from unprivileged processes and without the user’s knowledge. If your application is using the Shell API or the desktop portal API, then the compositor will notify the user via a screen flash and a notification. There are no other ways of obtaining a screenshot under Wayland.
Hi
The flash only happens when the below code uses that option… It can take silent screen shots (that is without the flash, although notifications are there… In my case I have disabled the notification so I don’t know what’s going on)
