author | Drew DeVault <sir@cmpwn.com> | 2017-02-19 02:36:36 -0500 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2017-02-19 02:56:59 -0500 |
commit | 7dbecdde95d1f309d8fdd02fe480dc3fbef7c7c1 (patch) | |
tree | 303b3632a576fac27835523872f8286adbd35d9b | |
parent | Merge pull request #1075 from zandrmartin/floating-positioning (diff) | |
Revise IPC security configuration
-rw-r--r-- | security.d/00-defaults.in (renamed from security.in) | 37 | ||||
-rw-r--r-- | sway/CMakeLists.txt | 2 | ||||
-rw-r--r-- | sway/sway-security.7.txt | 34 |
3 files changed, 39 insertions, 34 deletions
diff --git a/security.in b/security.d/00-defaults.in index 16897ade..99859edd 100644 --- a/security.in +++ b/security.d/00-defaults.in | |||
@@ -8,33 +8,34 @@ | |||
8 | # This file should live at __SYSCONFDIR__/sway/security and will be | 8 | # This file should live at __SYSCONFDIR__/sway/security and will be |
9 | # automatically read by sway. | 9 | # automatically read by sway. |
10 | 10 | ||
11 | # Configures which programs are allowed to use which sway features | 11 | # Configures enabled compositor features for specific programs |
12 | permit * fullscreen keyboard mouse ipc | 12 | permit * fullscreen keyboard mouse |
13 | permit __PREFIX__/bin/swaylock lock | 13 | permit __PREFIX__/bin/swaylock lock |
14 | permit __PREFIX__/bin/swaybar panel | ||
15 | permit __PREFIX__/bin/swaybg background | 14 | permit __PREFIX__/bin/swaybg background |
16 | permit __PREFIX__/bin/swaygrab screenshot | 15 | permit __PREFIX__/bin/swaygrab screenshot |
16 | permit __PREFIX__/bin/swaybar panel | ||
17 | 17 | ||
18 | # Configures which IPC features are enabled | 18 | # Configures enabled IPC features for specific programs |
19 | ipc { | 19 | ipc __PREFIX__/bin/swaymsg { |
20 | command enabled | 20 | * enabled |
21 | outputs enabled | ||
22 | workspaces enabled | ||
23 | tree enabled | ||
24 | marks enabled | ||
25 | bar-config enabled | ||
26 | inputs enabled | ||
27 | 21 | ||
28 | events { | 22 | events { |
29 | workspace enabled | 23 | * disabled |
30 | output enabled | ||
31 | mode enabled | ||
32 | window enabled | ||
33 | input enabled | ||
34 | binding disabled | ||
35 | } | 24 | } |
36 | } | 25 | } |
37 | 26 | ||
27 | ipc __PREFIX__/bin/swaybar { | ||
28 | bar-config enabled | ||
29 | outputs enabled | ||
30 | workspaces enabled | ||
31 | command enabled | ||
32 | } | ||
33 | |||
34 | ipc __PREFIX__/bin/swaygrab { | ||
35 | outputs enabled | ||
36 | tree enabled | ||
37 | } | ||
38 | |||
38 | # Limits the contexts from which certain commands are permitted | 39 | # Limits the contexts from which certain commands are permitted |
39 | commands { | 40 | commands { |
40 | * all | 41 | * all |
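Review bot: The `ipc __PREFIX__/bin/swaymsg` block at new lines 19-25 ships `* enabled` for every non-event IPC feature, while the sway-security.7.txt text in this same commit says that any program able to execute swaymsg can circumvent its own policy by invoking it. With this default, the narrower swaybar and swaygrab blocks do not constrain a client that can run swaymsg. Consider adding a comment above the swaymsg block that says so and points admins at an override file, or defaulting it to `* disabled`. Separately, the header comment at lines 8-9 still reads "This file should live at __SYSCONFDIR__/sway/security", which no longer matches the new location security.d/00-defaults.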
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt index d5453003..981f8a07 100644 --- a/sway/CMakeLists.txt +++ b/sway/CMakeLists.txt | |||
@@ -91,7 +91,7 @@ function(add_config name source destination) | |||
91 | endfunction() | 91 | endfunction() |
92 | 92 | ||
93 | add_config(config config sway) | 93 | add_config(config config sway) |
94 | add_config(security security sway) | 94 | add_config(00-defaults security.d/00-defaults sway/security.d) |
95 | 95 | ||
96 | add_manpage(sway 1) | 96 | add_manpage(sway 1) |
97 | add_manpage(sway 5) | 97 | add_manpage(sway 5) |
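Review bot: Nothing in the changed call at line 94 sets ownership or mode, yet the man page text added in this commit requires files in the security directory to be owned by root:root with mode 600. The body of add_config is outside this hunk; if it relies on a plain install(FILES ...), CMake's default is 644 and the shipped 00-defaults would not meet the documented requirement. Worth confirming that add_config installs this file as 600, or passing explicit permissions for the sway/security.d destination.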
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 7d8aa4ad..98e3f5ac 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt | |||
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway | |||
19 | environment in their distro. Sway provides a number of means of securing it but | 19 | environment in their distro. Sway provides a number of means of securing it but |
20 | you must make a few changes external to sway first. | 20 | you must make a few changes external to sway first. |
21 | 21 | ||
22 | Security-related configuration is only valid in /etc/sway/config (or whatever path | 22 | Configuration of security features is limited to files in the security directory |
23 | is appropriate for your system). | 23 | (this is likely /etc/sway/security.d/*, but depends on your installation prefix). |
24 | Files in this directory must be owned by root:root and chmod 600. The default | ||
25 | security configuration is installed to /etc/sway/security.d/00-defaults, and | ||
26 | should not be modified - it will be updated with the latest recommended security | ||
27 | defaults between releases. To override the defaults, you should add more files to | ||
28 | this directory. | ||
24 | 29 | ||
25 | Environment security | 30 | Environment security |
26 | -------------------- | 31 | -------------------- |
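Review bot: The paragraph at new lines 22-28 requires root:root ownership and mode 600 but does not say what sway does with a file that fails that check (skip it, warn, or refuse to start), and it tells admins to add more files without stating the order in which files are read or how a later file combines with 00-defaults. Each needs a sentence, since an admin writing an override has to know whether their file wins and whether a wrong mode silently drops it. Also, "chmod 600" would read more clearly as "have mode 600".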
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place. | |||
160 | IPC policies | 165 | IPC policies |
161 | ------------ | 166 | ------------ |
162 | 167 | ||
163 | You may whitelist IPC access like so: | 168 | Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC |
169 | socket, because any program that can execute swaymsg could circumvent its own | ||
170 | security policy by simply invoking swaymsg. | ||
164 | 171 | ||
165 | permit /usr/bin/swaybar ipc | 172 | You can configure which features of IPC are available for particular clients: |
166 | permit /usr/bin/swaygrab ipc | ||
167 | # etc | ||
168 | 173 | ||
169 | Note that it's suggested you do not enable swaymsg to access IPC if you intend to | 174 | ipc <executable> { |
170 | secure your IPC socket, because any program could just run swaymsg itself instead | ||
171 | of connecting to IPC directly. | ||
172 | |||
173 | You can also configure which features of IPC are available with an IPC block: | ||
174 | |||
175 | ipc { | ||
176 | ... | 175 | ... |
177 | } | 176 | } |
178 | 177 | ||
178 | You may use * for <executable> to configure the default policy for all clients. | ||
179 | Configuring IPC policies for specific executables is not supported on FreeBSD, and | ||
180 | the default policy will be applied to all IPC connections. | ||
181 | |||
179 | The following commands are available within this block: | 182 | The following commands are available within this block: |
180 | 183 | ||
181 | **bar-config** <enabled|disabled>:: | 184 | **bar-config** <enabled|disabled>:: |
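Review bot: The FreeBSD sentence at new lines 179-180 says "the default policy will be applied to all IPC connections", but the text never states what the default policy is when no `ipc *` block is configured, and the 00-defaults file in this commit defines only per-executable blocks. Please state explicitly what an unmatched client gets (and therefore every client on FreeBSD), and consider shipping an `ipc *` block in the defaults. It would also help to say how <executable> is matched against a connecting client, since the old concrete example with /usr/bin/swaybar was removed.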
@@ -201,7 +204,7 @@ The following commands are available within this block: | |||
201 | 204 | ||
202 | You can also control which IPC events can be raised with an events block: | 205 | You can also control which IPC events can be raised with an events block: |
203 | 206 | ||
204 | ipc { | 207 | ipc <executable> { |
205 | events { | 208 | events { |
206 | ... | 209 | ... |
207 | } | 210 | } |
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block: | |||
227 | **workspace** <enabled|disabled>:: | 230 | **workspace** <enabled|disabled>:: |
228 | Controls workspace notifications. | 231 | Controls workspace notifications. |
229 | 232 | ||
230 | Disabling some of these may cause swaybar to behave incorrectly. | 233 | In each of these blocks, you may use * (as in "* enabled" or "* disabled") to |
234 | control access to every feature at once. | ||
231 | 235 | ||
232 | Authors | 236 | Authors |
233 | ------- | 237 | ------- |
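Review bot: The wildcard paragraph at new lines 233-234 does not say how `*` interacts with per-feature lines in the same block, for example `* disabled` followed by `workspace enabled`; state whether a later line overrides the wildcard. The hunk also drops the warning "Disabling some of these may cause swaybar to behave incorrectly"; if that still holds, keep it next to the wildcard text, since `* disabled` makes it easy to trigger. The context shown in the hunk header still carries the typo "vaild".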