diff --git a/config.d/security b/config.d/security index bff55f0f8..fe75d8ea5 100644 --- a/config.d/security +++ b/config.d/security @@ -37,15 +37,15 @@ ipc { # Limits the contexts from which certain commands are permitted commands { - fullscreen bindsym criteria + fullscreen binding criteria bindsym config - exit bindsym - kill bindsym + exit binding + kill binding # You should not change these unless you know what you're doing - it could # cripple your security - reload bindsym - restart bindsym + reload binding + restart binding permit config reject config ipc config diff --git a/include/security.h b/include/security.h new file mode 100644 index 000000000..efc25ce66 --- /dev/null +++ b/include/security.h @@ -0,0 +1,9 @@ +#ifndef _SWAY_SECURITY_H +#define _SWAY_SECURITY_H +#include +#include "sway/config.h" + +const struct feature_permissions *get_permissions(pid_t pid); +enum command_context get_command_context(const char *cmd); + +#endif diff --git a/include/sway/config.h b/include/sway/config.h index 8d077ee74..3744386cf 100644 --- a/include/sway/config.h +++ b/include/sway/config.h @@ -103,9 +103,6 @@ struct pid_workspace { time_t *time_added; }; -void pid_workspace_add(struct pid_workspace *pw); -void free_pid_workspace(struct pid_workspace *pw); - struct bar_config { /** * One of "dock", "hide", "invisible" @@ -184,6 +181,35 @@ enum edge_border_types { E_BOTH /**< hide vertical and horizontal edge borders */ }; +enum command_context { + CONTEXT_CONFIG = 1, + CONTEXT_BINDING = 2, + CONTEXT_IPC = 4, + CONTEXT_CRITERIA = 8, + CONTEXT_ALL = 0xFFFFFFFF, +}; + +struct command_policy { + char *command; + enum command_context context; +}; + +enum secure_feature { + FEATURE_LOCK = 1, + FEATURE_PANEL = 2, + FEATURE_BACKGROUND = 4, + FEATURE_SCREENSHOT = 8, + FEATURE_FULLSCREEN = 16, + FEATURE_KEYBOARD = 32, + FEATURE_MOUSE = 64, +}; + +struct feature_policy { + char *program; + bool permit; + enum secure_feature features; +}; + /** * The configuration struct. The result of loading a config file. */ @@ -252,8 +278,15 @@ struct sway_config { int32_t floating_maximum_height; int32_t floating_minimum_width; int32_t floating_minimum_height; + + // Security + list_t *command_policies; + list_t *feature_policies; }; +void pid_workspace_add(struct pid_workspace *pw); +void free_pid_workspace(struct pid_workspace *pw); + /** * Loads the main config from the given path. is_active should be true when * reloading the config. diff --git a/sway/config.c b/sway/config.c index 7d5999d8d..a2f6a7282 100644 --- a/sway/config.c +++ b/sway/config.c @@ -167,6 +167,16 @@ void free_pid_workspace(struct pid_workspace *pw) { free(pw); } +void free_command_policy(struct command_policy *policy) { + free(policy->command); + free(policy); +} + +void free_feature_policy(struct feature_policy *policy) { + free(policy->program); + free(policy); +} + void free_config(struct sway_config *config) { int i; for (i = 0; i < config->symbols->length; ++i) { @@ -211,6 +221,16 @@ void free_config(struct sway_config *config) { } list_free(config->output_configs); + for (i = 0; i < config->command_policies->length; ++i) { + free_command_policy(config->command_policies->items[i]); + } + list_free(config->command_policies); + + for (i = 0; i < config->feature_policies->length; ++i) { + free_feature_policy(config->feature_policies->items[i]); + } + list_free(config->feature_policies); + list_free(config->active_bar_modifiers); free_flat_list(config->config_chain); free(config->font); @@ -321,6 +341,10 @@ static void config_defaults(struct sway_config *config) { config->border_colors.placeholder.child_border = 0x0C0C0CFF; config->border_colors.background = 0xFFFFFFFF; + + // Security + config->command_policies = create_list(); + config->feature_policies = create_list(); } static int compare_modifiers(const void *left, const void *right) {