Write example security config, start on code

1 files changed, 23 insertions, 0 deletions

diff --git a/sway/main.c b/sway/main.c
index a040cec9..4704f900 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -4,6 +4,7 @@
 #include <wlc/wlc.h>
 #include <sys/wait.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/un.h>
 #include <signal.h>
 #include <unistd.h>
@@ -142,6 +143,27 @@ static void log_kernel() {
         fclose(f);
 }
 
+static void security_sanity_check() {
+        // TODO: Notify users visually if this has issues
+        struct stat s = {0};
+        if (stat("/proc", &s)) {
+                sway_log(L_ERROR,
+                        "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
+        }
+        if (!stat(SYSCONFDIR "/sway", &s)) {
+                if (s.st_uid != 0 || s.st_gid != 0 || s.st_mode != 00755) {
+                        sway_log(L_ERROR,
+                                "!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755");
+                }
+        }
+        // TODO: check that these command policies are set
+    // reload bindsym
+    // restart bindsym
+    // permit config
+    // reject config
+    // ipc config
+}
+
 int main(int argc, char **argv) {
         static int verbose = 0, debug = 0, validate = 0;
 
@@ -256,6 +278,7 @@ int main(int argc, char **argv) {
         }
         wlc_log_set_handler(wlc_log_handler);
         detect_proprietary();
+        security_sanity_check();
 
         input_devices = create_list();