diff options
author | Drew DeVault <sir@cmpwn.com> | 2016-12-01 21:51:07 -0500 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2016-12-01 21:51:07 -0500 |
commit | 21e1b2bef3d3cda3d10d4dc2aafe5fcac583c2a5 (patch) | |
tree | 40a28228200d8199680c9d52ebe7a90ad0ab7997 /sway | |
parent | Implement permit and reject commands (diff) | |
download | sway-21e1b2bef3d3cda3d10d4dc2aafe5fcac583c2a5.tar.gz sway-21e1b2bef3d3cda3d10d4dc2aafe5fcac583c2a5.tar.zst sway-21e1b2bef3d3cda3d10d4dc2aafe5fcac583c2a5.zip |
Add security checks for background, panel, lock
Diffstat (limited to 'sway')
-rw-r--r-- | sway/extensions.c | 25 | ||||
-rw-r--r-- | sway/security.c | 4 |
2 files changed, 27 insertions, 2 deletions
diff --git a/sway/extensions.c b/sway/extensions.c index 60cd8d41..96c7e60d 100644 --- a/sway/extensions.c +++ b/sway/extensions.c | |||
@@ -7,6 +7,7 @@ | |||
7 | #include "sway/layout.h" | 7 | #include "sway/layout.h" |
8 | #include "sway/input_state.h" | 8 | #include "sway/input_state.h" |
9 | #include "sway/extensions.h" | 9 | #include "sway/extensions.h" |
10 | #include "sway/security.h" | ||
10 | #include "sway/ipc-server.h" | 11 | #include "sway/ipc-server.h" |
11 | #include "log.h" | 12 | #include "log.h" |
12 | 13 | ||
@@ -68,6 +69,12 @@ void lock_surface_destructor(struct wl_resource *resource) { | |||
68 | 69 | ||
69 | static void set_background(struct wl_client *client, struct wl_resource *resource, | 70 | static void set_background(struct wl_client *client, struct wl_resource *resource, |
70 | struct wl_resource *_output, struct wl_resource *surface) { | 71 | struct wl_resource *_output, struct wl_resource *surface) { |
72 | pid_t pid; | ||
73 | wl_client_get_credentials(client, &pid, NULL, NULL); | ||
74 | if (!(get_feature_policy(pid) & FEATURE_BACKGROUND)) { | ||
75 | sway_log(L_INFO, "Denying background feature to %d", pid); | ||
76 | return; | ||
77 | } | ||
71 | wlc_handle output = wlc_handle_from_wl_output_resource(_output); | 78 | wlc_handle output = wlc_handle_from_wl_output_resource(_output); |
72 | if (!output) { | 79 | if (!output) { |
73 | return; | 80 | return; |
@@ -86,6 +93,12 @@ static void set_background(struct wl_client *client, struct wl_resource *resourc | |||
86 | 93 | ||
87 | static void set_panel(struct wl_client *client, struct wl_resource *resource, | 94 | static void set_panel(struct wl_client *client, struct wl_resource *resource, |
88 | struct wl_resource *_output, struct wl_resource *surface) { | 95 | struct wl_resource *_output, struct wl_resource *surface) { |
96 | pid_t pid; | ||
97 | wl_client_get_credentials(client, &pid, NULL, NULL); | ||
98 | if (!(get_feature_policy(pid) & FEATURE_PANEL)) { | ||
99 | sway_log(L_INFO, "Denying panel feature to %d", pid); | ||
100 | return; | ||
101 | } | ||
89 | wlc_handle output = wlc_handle_from_wl_output_resource(_output); | 102 | wlc_handle output = wlc_handle_from_wl_output_resource(_output); |
90 | if (!output) { | 103 | if (!output) { |
91 | return; | 104 | return; |
@@ -111,6 +124,12 @@ static void desktop_unlock(struct wl_client *client, struct wl_resource *resourc | |||
111 | 124 | ||
112 | static void set_lock_surface(struct wl_client *client, struct wl_resource *resource, | 125 | static void set_lock_surface(struct wl_client *client, struct wl_resource *resource, |
113 | struct wl_resource *_output, struct wl_resource *surface) { | 126 | struct wl_resource *_output, struct wl_resource *surface) { |
127 | pid_t pid; | ||
128 | wl_client_get_credentials(client, &pid, NULL, NULL); | ||
129 | if (!(get_feature_policy(pid) & FEATURE_LOCK)) { | ||
130 | sway_log(L_INFO, "Denying lock feature to %d", pid); | ||
131 | return; | ||
132 | } | ||
114 | swayc_t *output = swayc_by_handle(wlc_handle_from_wl_output_resource(_output)); | 133 | swayc_t *output = swayc_by_handle(wlc_handle_from_wl_output_resource(_output)); |
115 | swayc_t *view = swayc_by_handle(wlc_handle_from_wl_surface_resource(surface)); | 134 | swayc_t *view = swayc_by_handle(wlc_handle_from_wl_surface_resource(surface)); |
116 | sway_log(L_DEBUG, "Setting lock surface to %p", view); | 135 | sway_log(L_DEBUG, "Setting lock surface to %p", view); |
@@ -155,6 +174,12 @@ static void desktop_ready(struct wl_client *client, struct wl_resource *resource | |||
155 | } | 174 | } |
156 | 175 | ||
157 | static void set_panel_position(struct wl_client *client, struct wl_resource *resource, uint32_t position) { | 176 | static void set_panel_position(struct wl_client *client, struct wl_resource *resource, uint32_t position) { |
177 | pid_t pid; | ||
178 | wl_client_get_credentials(client, &pid, NULL, NULL); | ||
179 | if (!(get_feature_policy(pid) & FEATURE_PANEL)) { | ||
180 | sway_log(L_INFO, "Denying panel feature to %d", pid); | ||
181 | return; | ||
182 | } | ||
158 | struct panel_config *config = find_or_create_panel_config(resource); | 183 | struct panel_config *config = find_or_create_panel_config(resource); |
159 | sway_log(L_DEBUG, "Panel position for wl_resource %p changed %d => %d", resource, config->panel_position, position); | 184 | sway_log(L_DEBUG, "Panel position for wl_resource %p changed %d => %d", resource, config->panel_position, position); |
160 | config->panel_position = position; | 185 | config->panel_position = position; |
diff --git a/sway/security.c b/sway/security.c index 776bd527..a4cecf16 100644 --- a/sway/security.c +++ b/sway/security.c | |||
@@ -34,7 +34,7 @@ enum secure_feature get_feature_policy(pid_t pid) { | |||
34 | 34 | ||
35 | for (int i = 0; i < config->feature_policies->length; ++i) { | 35 | for (int i = 0; i < config->feature_policies->length; ++i) { |
36 | struct feature_policy *policy = config->feature_policies->items[i]; | 36 | struct feature_policy *policy = config->feature_policies->items[i]; |
37 | if (strcmp(policy->program, "*")) { | 37 | if (strcmp(policy->program, "*") == 0) { |
38 | default_policy = policy->features; | 38 | default_policy = policy->features; |
39 | } | 39 | } |
40 | if (strcmp(policy->program, link) == 0) { | 40 | if (strcmp(policy->program, link) == 0) { |
@@ -50,7 +50,7 @@ enum command_context get_command_policy(const char *cmd) { | |||
50 | 50 | ||
51 | for (int i = 0; i < config->command_policies->length; ++i) { | 51 | for (int i = 0; i < config->command_policies->length; ++i) { |
52 | struct command_policy *policy = config->command_policies->items[i]; | 52 | struct command_policy *policy = config->command_policies->items[i]; |
53 | if (strcmp(policy->command, "*")) { | 53 | if (strcmp(policy->command, "*") == 0) { |
54 | default_policy = policy->context; | 54 | default_policy = policy->context; |
55 | } | 55 | } |
56 | if (strcmp(policy->command, cmd) == 0) { | 56 | if (strcmp(policy->command, cmd) == 0) { |