From e7a764fdf450a8259ddbc17446dd720fa1157b44 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Sat, 3 Dec 2016 12:38:42 -0500 Subject: [PATCH] Disallow everything by default And update config.d/security to configure sane defaults --- config.d/security.in | 5 +++-- sway/commands.c | 2 +- sway/security.c | 21 ++++++++++++++++----- sway/sway-security.7.txt | 19 ++++++++++++++----- 4 files changed, 34 insertions(+), 13 deletions(-) diff --git a/config.d/security.in b/config.d/security.in index b5690dc79..47592b05e 100644 --- a/config.d/security.in +++ b/config.d/security.in @@ -6,13 +6,12 @@ # installation. # Configures which programs are allowed to use which sway features +permit * fullscreen keyboard mouse ipc permit __PREFIX__/bin/swaylock lock permit __PREFIX__/bin/swaybar panel permit __PREFIX__/bin/swaybg background permit __PREFIX__/bin/swaygrab screenshot -permit * fullscreen keyboard mouse - # Configures which IPC features are enabled ipc { command enabled @@ -36,6 +35,8 @@ ipc { # Limits the contexts from which certain commands are permitted commands { + * all + fullscreen binding criteria bindsym config exit binding diff --git a/sway/commands.c b/sway/commands.c index 3d8f8c5bb..d87d00841 100644 --- a/sway/commands.c +++ b/sway/commands.c @@ -524,7 +524,7 @@ struct cmd_results *config_commands_command(char *exec) { } struct cmd_handler *handler = find_handler(cmd, CMD_BLOCK_END); - if (!handler) { + if (!handler && strcmp(cmd, "*") != 0) { char *input = cmd ? cmd : "(empty)"; results = cmd_results_new(CMD_INVALID, input, "Unknown/invalid command"); goto cleanup; diff --git a/sway/security.c b/sway/security.c index 1d236b1df..f16fdd1f3 100644 --- a/sway/security.c +++ b/sway/security.c @@ -5,16 +5,25 @@ #include "log.h" struct feature_policy *alloc_feature_policy(const char *program) { + uint32_t default_policy = 0; + for (int i = 0; i < config->feature_policies->length; ++i) { + struct feature_policy *policy = config->feature_policies->items[i]; + if (strcmp(policy->program, "*") == 0) { + default_policy = policy->features; + break; + } + } + struct feature_policy *policy = malloc(sizeof(struct feature_policy)); policy->program = strdup(program); - policy->features = FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE | FEATURE_IPC; + policy->features = default_policy; return policy; } struct command_policy *alloc_command_policy(const char *command) { struct command_policy *policy = malloc(sizeof(struct command_policy)); policy->command = strdup(command); - policy->context = CONTEXT_ALL; + policy->context = 0; return policy; } @@ -25,8 +34,7 @@ enum secure_feature get_feature_policy(pid_t pid) { snprintf(path, pathlen + 1, fmt, pid); static char link[2048]; - enum secure_feature default_policy = - FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE; + uint32_t default_policy = 0; ssize_t len = readlink(path, link, sizeof(link)); if (len < 0) { @@ -53,10 +61,13 @@ enum secure_feature get_feature_policy(pid_t pid) { } enum command_context get_command_policy(const char *cmd) { - enum command_context default_policy = CONTEXT_ALL; + uint32_t default_policy = 0; for (int i = 0; i < config->command_policies->length; ++i) { struct command_policy *policy = config->command_policies->items[i]; + if (strcmp(policy->command, "*") == 0) { + default_policy = policy->context; + } if (strcmp(policy->command, cmd) == 0) { return policy->context; } diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 53c7b8763..9a2581b11 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt @@ -124,8 +124,14 @@ To work correctly, sway's own programs require the following permissions: - swaybg: background - swaylock: lock, keyboard -- swaybar: panel, mouse -- swaygrab: screenshot +- swaybar: panel, mouse, ipc +- swaygrab: screenshot, ipc + +When you first declare a policy for an executable, it will inherit the default +policy. Further changes to the default policy will not retroactively affect which +permissions an earlier policy inherits. You must explicitly reject any features +from the default policy that you do not want an executable to receive permission +for. Command policies ---------------- @@ -145,6 +151,9 @@ contexts you can control are: **criteria**:: Can be run when evaluating window criteria. +**all**:: + Shorthand for granting permission in all contexts. + By default a command is allowed to execute in any context. To configure this, open a commands block and fill it with policies: @@ -160,13 +169,13 @@ binding and critiera: focus binding criteria } +Setting a command policy overwrites any previous policy that was in place. + IPC policies ------------ -By default all programs can connect to IPC for backwards compatability with i3. -However, you can whitelist IPC access like so: +You may whitelist IPC access like so: - reject * ipc permit /usr/bin/swaybar ipc permit /usr/bin/swaygrab ipc # etc