Wayland advocates often complain about “security” in X11. One of the complaints is that a keylogger can run without sudo privileges (for example, xinput can do this).

This video shows xkbcat, a keylogger for X11, being restricted to only the windows it owns, which prevents keylogging. Bottom right is xkbcat running in a terminal and top right is a window it owns. As you can see, it can only see keys that were input to a window it owns. This method allows certain programs, such as the window manager, to get global key access, so it doesn’t break systems running X11.

This was done by modifying a few lines in the xserver (although XACE could also be used). This is backwards compatible and X11 clients don’t need to be modified in any way.
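The delivery policy described above, as a simplified stand-alone model (an added example, not the author's patch and not xserver code). The `struct client`, its `trusted` allowlist flag and `allow_delivery` are hypothetical names; the ownership test relies only on the X11 protocol rule that a client builds its resource IDs from its resource-id-base and resource-id-mask.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an X11 client (hypothetical struct, not an xserver type).
 * id_base/id_mask mirror resource-id-base and resource-id-mask from the
 * connection setup: every XID a client creates is id_base | (n & id_mask). */
struct client {
    const char *name;
    uint32_t id_base;
    uint32_t id_mask;
    int trusted;          /* assumed allowlist flag, e.g. the window manager */
};

enum ev_kind { EV_KEY, EV_OTHER };

/* A window belongs to the client whose ID range contains its XID. */
static int owns_window(const struct client *c, uint32_t xid)
{
    return (xid & ~c->id_mask) == c->id_base;
}

/* Policy: key events reach a client only if it is allowlisted or owns the
 * window the input was directed to; all other events pass unchanged. */
static int allow_delivery(const struct client *c, uint32_t target, enum ev_kind k)
{
    if (k != EV_KEY)
        return 1;
    return c->trusted || owns_window(c, target);
}

int main(void)
{
    /* Constructed sample clients and window IDs. */
    struct client wm     = { "wm",     0x00200000, 0x001fffff, 1 };
    struct client term   = { "term",   0x00400000, 0x001fffff, 0 };
    struct client logger = { "logger", 0x00600000, 0x001fffff, 0 };
    uint32_t term_win = 0x00400003, logger_win = 0x00600001;
    const struct client *all[] = { &wm, &term, &logger };

    for (int i = 0; i < 3; i++)
        printf("%-6s key->term_win:%d key->logger_win:%d\n", all[i]->name,
               allow_delivery(all[i], term_win, EV_KEY),
               allow_delivery(all[i], logger_win, EV_KEY));
    return 0;
}
```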

XACE hooks into every X11 function and has generic handlers on the X server. One of those default handlers uses SELinux, so if you are serious about security you can use SELinux and you get Mandatory Access Control (MAC) for X11 as well. Wayland has nothing like this. In fact, Wayland has no security model at all. X11 ends up being more secure than Wayland because of this. Under Wayland you are expected to put as much functionality as possible into the “compositor”.

Here are the changes I made to xserver to use XACE without SELinux: https://dec05eba.com/files/x11.patch