Today I encountered an unexpected behavior of the window focusing logic.
I am no security expert, but it made me wonder if one could craft some kind of secret extraction exploit from this as it is really unintuitive.
TL;DR
A window opened in the background while the focus is on a dom0 VM selection dialog (like the one opened when running qvm-copy
) will automatically obtain focus after the dialog is closed, even if a separate distinct VM had the focus before.
prerequisite
I tweaked the window manager settings not to give focus to newly created windows (Start menu > Gear Icon > “System Settings” > “Window Manager” > “Focus” > “New window focus” > “Automatically give focus to newly created windows”).
For me this is crucial as I often type in sensitive information whilst already opening new qubes for later tasks.
Without this feature I would unintentionally type the sensitive information into new qubes that have been auto-focused (imho preventing focus for new windows should be the default setting).
steps to reproduce
- Create 2 AppVMs, both based on
fedora-40-minimal
:AA-TEST-focus-steal
andAA-TEST-focus-stolen
.
The focus stealing should work with any window, even a dom0 terminal.
AA-TEST-focus-steal
is the VM that obtains the focus,AA-TEST-focus-stolen
is the VM that initially has the focus and loses it. - In
AA-TEST-focus-steal
executesleep 10 && xterm
. - Whithin the next 10 seconds, in
AA-TEST-focus-stolen
executeqvm-copy /home/user/.bashrc
(some command opening a dom0 VM selection dialog). - Wait for the
xterm
command from step 2 to be opened. - Close the selection dialog (press cancel or select a VM, does not matter).
- Now your focus is in the newly opened
xterm
ofAA-TEST-focust-steal
, although it was onAA-TEST-focus-stolen
before opening the selection dialog.
For me, muscle memory forced me to automatically type in exit
as what I was doing was a daily routine including copying a file and closing the terminal immediately after.
The fact that I closed the wrong terminal left me confused for a couple of seconds.
If I had typed in something more sensitive I would have leaked this information into another VM.
Of course better caution about focus can prevent such an information leakage, but is this actually expected behavior or a bug?
speculation about the cause
I am not a GUI developer, but here is my two cents:
I suspect that this is not incorrect behavior of the window stack itself (when closing a window, the one below is focused), but maybe the newly opened AA-TEST-focus-steal
window is inserted at the wrong position?
In my opinion it should be inserted beneath the AA-TEST-focus-stolen
window that caused the dom0 selection dialog, but it seems to be inserted above it and directly below the selection dialog.
What the window stack looks like:
[dom0 selection dialog] <--.
| |
|focuses on close |
V |
[AA-TEST-focus-steal] |"opens"
| |
|focuses on close |
V |
[AA-TEST-focust-stolen] ---`
What I expected it to look like:
[dom0 selection dialog] <--.
| |
|focuses on close |"opens"
V |
[AA-TEST-focust-stolen] ---`
|
|focuses on close
V
[AA-TEST-focus-steal]