author | Drew DeVault <sir@cmpwn.com> | 2016-12-01 21:36:43 -0500 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2016-12-01 21:36:43 -0500 |
commit | 76cab04b4d7828f3c4f607c49e1e6ad78aa6e3da (patch) | |
tree | 53a871af54a91c689c5db597ab21b3c97c4506cd | |
parent | Memory leak (diff) | |
Implement permit and reject commands
-rw-r--r-- | config.d/security.in (renamed from config.d/security) | 8 | ||||
-rw-r--r-- | config.in (renamed from config) | 8 | ||||
-rw-r--r-- | include/security.h | 9 | ||||
-rw-r--r-- | include/sway/commands.h | 2 | ||||
-rw-r--r-- | include/sway/security.h | 6 | ||||
-rw-r--r-- | sway/commands.c | 2 | ||||
-rw-r--r-- | sway/commands/permit.c | 95 | ||||
-rw-r--r-- | sway/security.c | 7 |
8 files changed, 115 insertions, 22 deletions
diff --git a/config.d/security b/config.d/security.in index fe75d8ea..f59b2980 100644 --- a/config.d/security +++ b/config.d/security.in | |||
@@ -6,10 +6,10 @@ | |||
6 | # installation. | 6 | # installation. |
7 | 7 | ||
8 | # Configures which programs are allowed to use which sway features | 8 | # Configures which programs are allowed to use which sway features |
9 | permit $PREFIX/swaylock lock | 9 | permit __PREFIX__/swaylock lock |
10 | permit $PREFIX/swaybar panel | 10 | permit __PREFIX__/swaybar panel |
11 | permit $PREFIX/swaybg background | 11 | permit __PREFIX__/swaybg background |
12 | permit $PREFIX/swaygrab screenshot | 12 | permit __PREFIX__/swaygrab screenshot |
13 | 13 | ||
14 | permit * fullscreen keyboard mouse | 14 | permit * fullscreen keyboard mouse |
15 | 15 | ||
@@ -195,10 +195,4 @@ bar { | |||
195 | } | 195 | } |
196 | } | 196 | } |
197 | 197 | ||
198 | # You may want this: | 198 | include __SYSCONFDIR__/etc/sway/config.d/* |
199 | # | ||
200 | # include ~/.config/sway/conf.d/* | ||
201 | # | ||
202 | # Protip: | ||
203 | # | ||
204 | # include ~/.config/sway/`hostname`/* | ||
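Review bot: The added `include __SYSCONFDIR__/etc/sway/config.d/*` line (the `@@ -195,10 +195,4 @@` hunk, which belongs to `config.in` although its file header is missing from this page) appends `/etc` after the substituted directory. If `__SYSCONFDIR__` expands to the system configuration directory itself (the substitution rule is not visible here), the glob would contain a doubled `etc` and presumably match nothing. This include is what pulls `config.d/security` into the default config, so a wrong path would leave the `permit` lines from the first hunk unloaded. Consider `include __SYSCONFDIR__/sway/config.d/*`, or confirm that the build expands `__SYSCONFDIR__` to a prefix rather than to the configuration directory.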
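--- a/include/security.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _SWAY_SECURITY_H
-#define _SWAY_SECURITY_H
-#include <unistd.h>
-#include "sway/config.h"
-
-enum secure_features get_feature_policy(pid_t pid);
-enum command_context get_command_policy(const char *cmd);
-
-#endif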
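--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -122,6 +122,8 @@ sway_cmd cmd_new_float;
 sway_cmd cmd_new_window;
 sway_cmd cmd_orientation;
 sway_cmd cmd_output;
+sway_cmd cmd_permit;
+sway_cmd cmd_reject;
 sway_cmd cmd_reload;
 sway_cmd cmd_resize;
 sway_cmd cmd_scratchpad;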
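--- a/include/sway/security.h
+++ b/include/sway/security.h
@@ -3,7 +3,9 @@
 #include <unistd.h>
 #include "sway/config.h"
 
-const struct feature_permissions *get_permissions(pid_t pid);
-enum command_context get_command_context(const char *cmd);
+enum secure_feature get_feature_policy(pid_t pid);
+enum command_context get_command_policy(const char *cmd);
+
+struct feature_policy *alloc_feature_policy(const char *program);
 
 #endif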
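--- a/sway/commands.c
+++ b/sway/commands.c
@@ -187,6 +187,8 @@ static struct cmd_handler handlers[] = {
 { "new_float", cmd_new_float },
 { "new_window", cmd_new_window },
 { "output", cmd_output },
+{ "permit", cmd_permit },
+{ "reject", cmd_reject },
 { "reload", cmd_reload },
 { "resize", cmd_resize },
 { "scratchpad", cmd_scratchpad },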
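Review bot: `permit` and `reject` are registered in the same `handlers[]` table as runtime commands such as `reload` and `resize`, and `cmd_permit`/`cmd_reject` in `sway/commands/permit.c` do not check where the command came from. If this table also serves commands arriving over IPC or from key bindings (not visible in this hunk), the security policy could be changed after startup by whatever is able to submit commands. Consider restricting both handlers to config-file context, or state the intent next to the entries, e.g. `/* security policy commands: config file only */`. The `handlers[]` initializer starts and ends outside the hunk.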
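--- /dev/null
+++ b/sway/commands/permit.c
@@ -0,0 +1,95 @@
+#include <string.h>
+#include "sway/commands.h"
+#include "sway/config.h"
+#include "sway/security.h"
+#include "log.h"
+
+static enum secure_feature get_features(int argc, char **argv,
+struct cmd_results **error) {
+enum secure_feature features = 0;
+
+struct {
+char *name;
+enum secure_feature feature;
+} feature_names[] = {
+{ "lock", FEATURE_LOCK },
+{ "panel", FEATURE_PANEL },
+{ "background", FEATURE_BACKGROUND },
+{ "screenshot", FEATURE_SCREENSHOT },
+{ "fullscreen", FEATURE_FULLSCREEN },
+{ "keyboard", FEATURE_KEYBOARD },
+{ "mouse", FEATURE_MOUSE },
+};
+size_t names_len = sizeof(feature_names) /
+(sizeof(char *) + sizeof(enum secure_feature));
+
+for (int i = 1; i < argc; ++i) {
+size_t j;
+for (j = 0; j < names_len; ++j) {
+if (strcmp(feature_names[j].name, argv[i]) == 0) {
+break;
+}
+}
+if (j == names_len) {
+*error = cmd_results_new(CMD_INVALID,
+"permit", "Invalid feature grant %s", argv[i]);
+return 0;
+}
+features |= feature_names[j].feature;
+}
+return features;
+}
+
+static struct feature_policy *get_policy(const char *name) {
+struct feature_policy *policy = NULL;
+for (int i = 0; i < config->feature_policies->length; ++i) {
+struct feature_policy *p = config->feature_policies->items[i];
+if (strcmp(p->program, name) == 0) {
+policy = p;
+break;
+}
+}
+if (!policy) {
+policy = alloc_feature_policy(name);
+list_add(config->feature_policies, policy);
+}
+return policy;
+}
+
+struct cmd_results *cmd_permit(int argc, char **argv) {
+struct cmd_results *error = NULL;
+if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
+return error;
+}
+
+struct feature_policy *policy = get_policy(argv[0]);
+policy->features |= get_features(argc, argv, &error);
+
+if (error) {
+return error;
+}
+
+sway_log(L_DEBUG, "Permissions granted to %s for features %d",
+policy->program, policy->features);
+
+return cmd_results_new(CMD_SUCCESS, NULL, NULL);
+}
+
+struct cmd_results *cmd_reject(int argc, char **argv) {
+struct cmd_results *error = NULL;
+if ((error = checkarg(argc, "reject", EXPECTED_MORE_THAN, 1))) {
+return error;
+}
+
+struct feature_policy *policy = get_policy(argv[0]);
+policy->features &= ~get_features(argc, argv, &error);
+
+if (error) {
+return error;
+}
+
+sway_log(L_DEBUG, "Permissions granted to %s for features %d",
+policy->program, policy->features);
+
+return cmd_results_new(CMD_SUCCESS, NULL, NULL);
+}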
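Review bot: `names_len` in `get_features` divides by `sizeof(char *) + sizeof(enum secure_feature)`, which ignores struct padding; where the element is padded (typically on 64-bit targets) the quotient exceeds the 7 table entries, so a feature name that matches nothing makes the inner loop call `strcmp` on `feature_names[j].name` past the end of the array instead of reaching the `Invalid feature grant` branch. Use `size_t names_len = sizeof(feature_names) / sizeof(feature_names[0]);`. Separately, `cmd_permit` and `cmd_reject` call `get_policy(argv[0])` before the feature list is validated, so a command that fails still leaves a newly allocated policy, with the defaults set in `alloc_feature_policy`, in `config->feature_policies`; parsing the features first and returning on `error` before `get_policy` avoids that. `cmd_reject` also logs `Permissions granted to %s`, which is misleading when the debug log is used to audit policy changes; `Permissions rejected for %s` would match the operation.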
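--- a/sway/security.c
+++ b/sway/security.c
@@ -4,6 +4,13 @@
 #include "sway/security.h"
 #include "log.h"
 
+struct feature_policy *alloc_feature_policy(const char *program) {
+struct feature_policy *policy = malloc(sizeof(struct feature_policy));
+policy->program = strdup(program);
+policy->features = FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE;
+return policy;
+}
+
 enum secure_feature get_feature_policy(pid_t pid) {
 const char *fmt = "/proc/%d/exe";
 int pathlen = snprintf(NULL, 0, fmt, pid);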
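Review bot: `alloc_feature_policy` dereferences the result of `malloc` without a NULL check and stores the result of `strdup` unchecked, so an allocation failure either faults here or leaves `policy->program` NULL for the `strcmp` in `get_policy` (`sway/commands/permit.c`). Return NULL on either failure and have `get_policy` check for it before `list_add`. A short comment that every new policy starts with `FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE` would also help, since `permit` and `reject` only set or clear bits on top of that default. `get_feature_policy` continues outside the hunk.

```c
struct feature_policy *alloc_feature_policy(const char *program) {
	struct feature_policy *policy = malloc(sizeof(*policy));
	if (!policy) {
		return NULL;
	}
	policy->program = strdup(program);
	if (!policy->program) {
		free(policy);
		return NULL;
	}
	// … unchanged: default features assignment and return …
}
```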