mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2024-12-29 00:16:22 +01:00
Code Issues Projects Releases Packages Wiki Activity

Write example security config, start on code

Browse source
This commit is contained in:
Drew DeVault 2016-12-01 19:27:35 -05:00
parent cd5694fdb5
commit 5831f7ab68
2 changed files with 75 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
config.d/security Normal file
View file

@ -0,0 +1,52 @@
# sway security rules
#
# Read sway-security(7) for details on how to secure your sway install.
#
# You MUST read this man page if you intend to attempt to secure your sway
# installation.
# Configures which programs are allowed to use which sway features
permit $PREFIX/swaylock lock
permit $PREFIX/swaybar panel
permit $PREFIX/swaybg background
permit $PREFIX/swaygrab screenshot
permit * fullscreen keyboard mouse
# Configures which IPC features are enabled
ipc {
command enabled
outputs enabled
workspaces enabled
tree enabled
marks enabled
bar-config enabled
inputs enabled
events {
workspace enabled
output enabled
mode enabled
window enabled
bar-config enabled
binding enabled
modifier enabled
input enabled
}
}
# Limits the contexts from which certain commands are permitted
commands {
fullscreen bindsym criteria
bindsym config
exit bindsym
kill bindsym
# You should not change these unless you know what you're doing - it could
# cripple your security
reload bindsym
restart bindsym
permit config
reject config
ipc config
}

23
sway/main.c
View file

@ -4,6 +4,7 @@
#include <wlc/wlc.h> #include <wlc/wlc.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h>
#include <sys/un.h> #include <sys/un.h>
#include <signal.h> #include <signal.h>
#include <unistd.h> #include <unistd.h>
@ -142,6 +143,27 @@ static void log_kernel() {
fclose(f); fclose(f);
} }
static void security_sanity_check() {
// TODO: Notify users visually if this has issues
struct stat s = {0};
if (stat("/proc", &s)) {
sway_log(L_ERROR,
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
}
if (!stat(SYSCONFDIR "/sway", &s)) {
if (s.st_uid != 0 || s.st_gid != 0 || s.st_mode != 00755) {
sway_log(L_ERROR,
"!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755");
}
}
// TODO: check that these command policies are set
// reload bindsym
// restart bindsym
// permit config
// reject config
// ipc config
}
int main(int argc, char **argv) { int main(int argc, char **argv) {
static int verbose = 0, debug = 0, validate = 0; static int verbose = 0, debug = 0, validate = 0;
@ -256,6 +278,7 @@ int main(int argc, char **argv) {
} }
wlc_log_set_handler(wlc_log_handler); wlc_log_set_handler(wlc_log_handler);
detect_proprietary(); detect_proprietary();
security_sanity_check();
input_devices = create_list(); input_devices = create_list();