Quote https://www.whonix.org/wiki/Dev/Permissions#X_Windows_System
X Windows System
Any graphical application running under X Windows System (X11) can see what any user is typing in any other application for any user. [1] For example, if user
user
running X11 would runlxsudo -u limited-user some-application
that application if compromised could sniff anything that useruser
is writing. Including but not limited to anysudo
password prompts.
See the footnote on that page too.
Can apparmor prevent that?
Related:
https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html
AppArmor prevent access to the the API that xinput
is using for global keyboard sniffing?