diff options
| author |  Drew DeVault <sir@cmpwn.com> | 2016-12-02 18:37:01 -0500 |
|---|---|---|
| committer | Drew DeVault <sir@cmpwn.com> | 2016-12-02 18:37:01 -0500 |
| commit | 8577095db77eef62af05fd2acbd9bd2c28b901f6 (patch) | |
| tree | ca0cd048676ad3c516db717e94103e5b45d41894 | |
| parent | Add ipc connection feature policy controls (diff) | |
| download | sway-8577095db77eef62af05fd2acbd9bd2c28b901f6.tar.gz sway-8577095db77eef62af05fd2acbd9bd2c28b901f6.tar.zst sway-8577095db77eef62af05fd2acbd9bd2c28b901f6.zip | |
Check for CAP_SYS_PTRACE
| -rw-r--r-- | sway/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | sway/main.c | 10 |
2 files changed, 11 insertions, 0 deletions
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt index 15fa1720..d1afadb6 100644 --- a/sway/CMakeLists.txt +++ b/sway/CMakeLists.txt | |||
| @@ -55,6 +55,7 @@ target_link_libraries(sway | |||
| 55 | ${PANGO_LIBRARIES} | 55 | ${PANGO_LIBRARIES} |
| 56 | ${JSONC_LIBRARIES} | 56 | ${JSONC_LIBRARIES} |
| 57 | m | 57 | m |
| 58 | cap | ||
| 58 | ) | 59 | ) |
| 59 | 60 | ||
| 60 | install( | 61 | install( |
diff --git a/sway/main.c b/sway/main.c index 9746cfb2..73c4b5f2 100644 --- a/sway/main.c +++ b/sway/main.c | |||
| @@ -9,6 +9,7 @@ | |||
| 9 | #include <signal.h> | 9 | #include <signal.h> |
| 10 | #include <unistd.h> | 10 | #include <unistd.h> |
| 11 | #include <getopt.h> | 11 | #include <getopt.h> |
| 12 | #include <sys/capability.h> | ||
| 12 | #include "sway/extensions.h" | 13 | #include "sway/extensions.h" |
| 13 | #include "sway/layout.h" | 14 | #include "sway/layout.h" |
| 14 | #include "sway/config.h" | 15 | #include "sway/config.h" |
| @@ -151,6 +152,15 @@ static void security_sanity_check() { | |||
| 151 | sway_log(L_ERROR, | 152 | sway_log(L_ERROR, |
| 152 | "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); | 153 | "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); |
| 153 | } | 154 | } |
| 155 | cap_flag_value_t v; | ||
| 156 | cap_t cap = cap_get_proc(); | ||
| 157 | if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) { | ||
| 158 | sway_log(L_ERROR, | ||
| 159 | "!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users."); | ||
| 160 | } | ||
| 161 | if (cap) { | ||
| 162 | cap_free(cap); | ||
| 163 | } | ||
| 154 | if (!stat(SYSCONFDIR "/sway", &s)) { | 164 | if (!stat(SYSCONFDIR "/sway", &s)) { |
| 155 | if (s.st_uid != 0 || s.st_gid != 0 | 165 | if (s.st_uid != 0 || s.st_gid != 0 |
| 156 | || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) { | 166 | || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) { |