diff options
author | Drew DeVault <sir@cmpwn.com> | 2018-05-11 21:31:59 -0400 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2018-05-11 21:31:59 -0400 |
commit | 7a964651fbd12aa803969f9c4ad546b53372741a (patch) | |
tree | 604264bb2bfdcb542bb26d6dac895582ce79e8d7 | |
parent | Add sway-input(5) (diff) | |
download | sway-7a964651fbd12aa803969f9c4ad546b53372741a.tar.gz sway-7a964651fbd12aa803969f9c4ad546b53372741a.tar.zst sway-7a964651fbd12aa803969f9c4ad546b53372741a.zip |
Remove sway-security(7)
We will need to overhaul this for 1.0
-rw-r--r-- | sway/sway-security.7.txt | 239 |
1 files changed, 0 insertions, 239 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt deleted file mode 100644 index c8d6758c..00000000 --- a/sway/sway-security.7.txt +++ /dev/null | |||
@@ -1,239 +0,0 @@ | |||
1 | ///// | ||
2 | vim:set ts=4 sw=4 tw=82 noet: | ||
3 | ///// | ||
4 | sway-security (7) | ||
5 | ================= | ||
6 | |||
7 | Name | ||
8 | ---- | ||
9 | sway-security - Guidelines for securing your sway install | ||
10 | |||
11 | Security Overview | ||
12 | ----------------- | ||
13 | |||
14 | **Sway is NOT secure**. We are working on it but do not trust that we have it all | ||
15 | figured out yet. The following man page is provisional. | ||
16 | |||
17 | Securing sway requires careful configuration of your environment, the sort that's | ||
18 | usually best suited to a distribution maintainer who wants to ship a secure sway | ||
19 | environment in their distribution. Sway provides a number of means of securing it but | ||
20 | you must make a few changes external to sway first. | ||
21 | |||
22 | Configuration of security features is limited to files in the security directory | ||
23 | (this is likely /etc/sway/security.d/*, but depends on your installation prefix). | ||
24 | Files in this directory must be owned by root:root and chmod 644 or 444. The default | ||
25 | security configuration is installed to /etc/sway/security.d/00-defaults, and | ||
26 | should not be modified - it will be updated with the latest recommended security | ||
27 | defaults between releases. To override the defaults, you should add more files to | ||
28 | this directory. | ||
29 | |||
30 | Environment security | ||
31 | -------------------- | ||
32 | |||
33 | LD_PRELOAD is a mechanism designed to ruin the security of your system. There are | ||
34 | a number of strategies for dealing with this, but they all suck a little. In order | ||
35 | of most practical to least practical: | ||
36 | |||
37 | 1. Only run important programs via exec. Sway's exec command will ensure that | ||
38 | LD_PRELOAD is unset when running programs. | ||
39 | |||
40 | 2. Remove LD_PRELOAD support from your dynamic loader (requires patching libc). | ||
41 | This may break programs that rely on LD_PRELOAD for legitimate functionality, | ||
42 | but this is the most effective solution. | ||
43 | |||
44 | 3. Use static linking for important programs. Of course statically linked programs | ||
45 | are unaffected by the dynamic linking security dumpster fire. | ||
46 | |||
47 | Note that should you choose method 1, you MUST ensure that sway itself isn't | ||
48 | compromised by LD_PRELOAD. It probably isn't, but you can be sure by setting | ||
49 | /usr/bin/sway to a+s (setuid), which will instruct the dynamic linker not to | ||
50 | permit LD_PRELOAD for it (and will also run it as root, which sway will shortly | ||
51 | drop). You could also statically link sway itself. | ||
52 | |||
53 | Note that LD_LIBRARY_PATH has all of these problems, and the same solutions. | ||
54 | |||
55 | Read your log | ||
56 | ------------- | ||
57 | |||
58 | Sway does sanity checks and prints big red warnings to stderr if they fail. Read | ||
59 | them. | ||
60 | |||
61 | Feature policies | ||
62 | ---------------- | ||
63 | |||
64 | Certain sway features are security sensitive and may be configured with security | ||
65 | policies. These features are: | ||
66 | |||
67 | **background**:: | ||
68 | Permission for a program to become the background. | ||
69 | |||
70 | **fullscreen**:: | ||
71 | Permission to become fullscreen. Note that users can always make a window | ||
72 | fullscreen themselves with the fullscreen command. | ||
73 | |||
74 | **ipc**:: | ||
75 | Permission to connect to sway's IPC socket. | ||
76 | |||
77 | **keyboard**:: | ||
78 | Permission to receive keyboard events (only while they are focused). | ||
79 | |||
80 | **lock**:: | ||
81 | Permission for a program to act as a screen locker. This involves becoming | ||
82 | fullscreen (on all outputs) and receiving _all_ keyboard and mouse input for | ||
83 | the duration of the process. | ||
84 | |||
85 | **mouse**:: | ||
86 | Permission to receive mouse events (only while the mouse is over them). | ||
87 | |||
88 | **panel**:: | ||
89 | Permission for a program to stick its windows to the sides of the screen. | ||
90 | |||
91 | **screenshot**:: | ||
92 | Permission to take screenshots or record the screen. | ||
93 | |||
94 | By default, no permissions are granted (though saner defaults are provided in | ||
95 | /etc/sway/config.d/security). You can use the following configuration options to control | ||
96 | a program's access: | ||
97 | |||
98 | **permit** <executable> <features...>:: | ||
99 | Permits <executable> to use <features> (each feature separated by a space). | ||
100 | <executable> may be * to affect the default policy, or the full path to the | ||
101 | executable file. | ||
102 | |||
103 | **reject** <executable> <features...>:: | ||
104 | Disallows <executable> from using <features> (each feature separated by a space). | ||
105 | <executable> may be * to affect the default policy, or the full path to the | ||
106 | executable file. | ||
107 | |||
108 | Note that policy enforcement requires procfs to be mounted at /proc and the sway | ||
109 | process to be able to access _/proc/[pid]/exe_ (see **procfs(5)** for details on | ||
110 | this access - setcap cap_sys_ptrace=eip /usr/bin/sway should do the trick). If | ||
111 | sway is unable to read _/proc/[pid]/exe_, it will apply the default policy. | ||
112 | |||
113 | To work correctly, sway's own programs require the following permissions: | ||
114 | |||
115 | - swaybg: background | ||
116 | - swaylock: lock, keyboard | ||
117 | - swaybar: panel, mouse, ipc | ||
118 | - swaygrab: screenshot, ipc | ||
119 | |||
120 | When you first declare a policy for an executable, it will inherit the default | ||
121 | policy. Further changes to the default policy will not retroactively affect which | ||
122 | permissions an earlier policy inherits. You must explicitly reject any features | ||
123 | from the default policy that you do not want an executable to receive permission | ||
124 | for. | ||
125 | |||
126 | Command policies | ||
127 | ---------------- | ||
128 | |||
129 | You can also control the context from which a command may execute. The different | ||
130 | contexts you can control are: | ||
131 | |||
132 | **config**:: | ||
133 | Can be run from your config file. | ||
134 | |||
135 | **binding**:: | ||
136 | Can be run from bindsym or bindcode commands. | ||
137 | |||
138 | **ipc**:: | ||
139 | Can be run by IPC clients. | ||
140 | |||
141 | **criteria**:: | ||
142 | Can be run when evaluating window criteria. | ||
143 | |||
144 | **all**:: | ||
145 | Shorthand for granting permission in all contexts. | ||
146 | |||
147 | By default a command is allowed to execute in any context. To configure this, open | ||
148 | a commands block and fill it with policies: | ||
149 | |||
150 | commands { | ||
151 | <name> <contexts...> | ||
152 | ... | ||
153 | } | ||
154 | |||
155 | For example, you could do this to limit the use of the focus command to just | ||
156 | binding and criteria: | ||
157 | |||
158 | commands { | ||
159 | focus binding criteria | ||
160 | } | ||
161 | |||
162 | Setting a command policy overwrites any previous policy that was in place. | ||
163 | |||
164 | IPC policies | ||
165 | ------------ | ||
166 | |||
167 | Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC | ||
168 | socket, because any program that can execute swaymsg could circumvent its own | ||
169 | security policy by simply invoking swaymsg. | ||
170 | |||
171 | You can configure which features of IPC are available for particular clients: | ||
172 | |||
173 | ipc <executable> { | ||
174 | ... | ||
175 | } | ||
176 | |||
177 | You may use * for <executable> to configure the default policy for all clients. | ||
178 | Configuring IPC policies for specific executables is not supported on FreeBSD, and | ||
179 | the default policy will be applied to all IPC connections. | ||
180 | |||
181 | The following commands are available within this block: | ||
182 | |||
183 | **bar-config** <enabled|disabled>:: | ||
184 | Controls GET_BAR_CONFIG (required for swaybar to work at all). | ||
185 | |||
186 | **command** <enabled|disabled>:: | ||
187 | Controls executing sway commands via IPC. | ||
188 | |||
189 | **inputs** <enabled|disabled>:: | ||
190 | Controls GET_INPUTS (input device information). | ||
191 | |||
192 | **marks** <enabled|disabled>:: | ||
193 | Controls GET_MARKS. | ||
194 | |||
195 | **outputs** <enabled|disabled>:: | ||
196 | Controls GET_OUTPUTS. | ||
197 | |||
198 | **tree** <enabled|disabled>:: | ||
199 | Controls GET_TREE. | ||
200 | |||
201 | **workspaces** <enabled|disabled>:: | ||
202 | Controls GET_WORKSPACES. | ||
203 | |||
204 | You can also control which IPC events can be raised with an events block: | ||
205 | |||
206 | ipc <executable> { | ||
207 | events { | ||
208 | ... | ||
209 | } | ||
210 | } | ||
211 | |||
212 | The following commands are valid within an IPC events block: | ||
213 | |||
214 | **binding** <enabled|disabled>:: | ||
215 | Controls keybinding notifications (disabled by default). | ||
216 | |||
217 | **input** <enabled|disabled>:: | ||
218 | Controls input device hotplugging notifications. | ||
219 | |||
220 | **mode** <enabled|disabled>:: | ||
221 | Controls output hotplugging notifications. | ||
222 | |||
223 | **output** <enabled|disabled>:: | ||
224 | Controls output hotplugging notifications. | ||
225 | |||
226 | **window** <enabled|disabled>:: | ||
227 | Controls window event notifications. | ||
228 | |||
229 | **workspace** <enabled|disabled>:: | ||
230 | Controls workspace notifications. | ||
231 | |||
232 | In each of these blocks, you may use * (as in "* enabled" or "* disabled") to | ||
233 | control access to every feature at once. | ||
234 | |||
235 | Authors | ||
236 | ------- | ||
237 | Maintained by Drew DeVault <sir@cmpwn.com>, who is assisted by other open | ||
238 | source contributors. For more information about sway development, see | ||
239 | <https://github.com/swaywm/sway>. | ||