From de855222487b9633c3833a4d0ef77558c52b8e5b Mon Sep 17 00:00:00 2001
From: Felix Pehla <74104874+FelixPehla@users.noreply.github.com>
Date: Wed, 7 Aug 2024 03:26:04 +0200
Subject: profiles: blacklist sway IPC socket (#6429)

Much like the i3 IPC socket (#6361), the sway IPC socket also allows arbitrary code execution via the `exec` subcommand. Access should only be permitted to sway itself by default. The location of the IPC socket is set in sway/ipc-server.c: https://github.com/swaywm/sway/blob/7e74a4914261cf32c45017521960adf7ff6dac8f/sway/ipc-server.c#L126
---
 etc/inc/disable-common.inc | 4 ++++
 etc/profile-m-z/sway.profile | 4 ++++
 2 files changed, 8 insertions(+)

(limited to 'etc')

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 14f7d8cf7..faae99543 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${RUNUSER}/i3/ipc-socket.*
 blacklist /tmp/i3-*/ipc-socket.*
 
+# sway IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/sway-ipc.*
+blacklist /tmp/sway-ipc.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index f71905150..b7f90f6ad 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -10,6 +10,10 @@ include globals.local
 noblacklist ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
 noblacklist ${HOME}/.config/i3
+# allow creation of IPC socket
+noblacklist ${RUNUSER}/sway-ipc.*
+noblacklist /tmp/sway-ipc.*
+
 include disable-common.inc
 
 caps.drop all
-- 
cgit v1.2.3-70-g09d2
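Review bot: The two new blacklist patterns only cover the default socket location (`$XDG_RUNTIME_DIR/sway-ipc.*` with a `/tmp` fallback), so a socket placed elsewhere is still reachable from the sandbox; as far as I recall sway also honours a pre-set `SWAYSOCK` path when starting, which this pattern pair would not match. That is an accepted limitation of path-based blacklisting (the i3 entries just above have the same one), but it is worth stating so nobody treats the entry as complete coverage. I would extend the added comment to `# sway IPC socket (allows arbitrary shell script execution); a custom path set via SWAYSOCK is not covered`. The surrounding blacklist list continues outside the hunk on both sides.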
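Review bot: The new noblacklist lines are correctly placed above `include disable-common.inc`, but nothing in the profile says that this ordering is what makes them work: in firejail a noblacklist only takes effect if it precedes the matching blacklist, so moving these lines below the include (for example when someone regroups the noblacklist block) would silently re-block the socket and break sway's IPC. A short note on the added comment would guard against that, e.g. `# allow creation of IPC socket (must stay above the disable-common.inc include)`. Whether the profile also needs the runtime directory writable for the socket to be created cannot be judged from this hunk, since the rest of sway.profile is outside it.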