diff options
-rw-r--r-- | sway/CMakeLists.txt | 1 | ||||
-rw-r--r-- | sway/main.c | 10 |
2 files changed, 11 insertions, 0 deletions
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt index 15fa1720..d1afadb6 100644 --- a/sway/CMakeLists.txt +++ b/sway/CMakeLists.txt | |||
@@ -55,6 +55,7 @@ target_link_libraries(sway | |||
55 | ${PANGO_LIBRARIES} | 55 | ${PANGO_LIBRARIES} |
56 | ${JSONC_LIBRARIES} | 56 | ${JSONC_LIBRARIES} |
57 | m | 57 | m |
58 | cap | ||
58 | ) | 59 | ) |
59 | 60 | ||
60 | install( | 61 | install( |
diff --git a/sway/main.c b/sway/main.c index 9746cfb2..73c4b5f2 100644 --- a/sway/main.c +++ b/sway/main.c | |||
@@ -9,6 +9,7 @@ | |||
9 | #include <signal.h> | 9 | #include <signal.h> |
10 | #include <unistd.h> | 10 | #include <unistd.h> |
11 | #include <getopt.h> | 11 | #include <getopt.h> |
12 | #include <sys/capability.h> | ||
12 | #include "sway/extensions.h" | 13 | #include "sway/extensions.h" |
13 | #include "sway/layout.h" | 14 | #include "sway/layout.h" |
14 | #include "sway/config.h" | 15 | #include "sway/config.h" |
@@ -151,6 +152,15 @@ static void security_sanity_check() { | |||
151 | sway_log(L_ERROR, | 152 | sway_log(L_ERROR, |
152 | "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); | 153 | "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); |
153 | } | 154 | } |
155 | cap_flag_value_t v; | ||
156 | cap_t cap = cap_get_proc(); | ||
157 | if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) { | ||
158 | sway_log(L_ERROR, | ||
159 | "!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users."); | ||
160 | } | ||
161 | if (cap) { | ||
162 | cap_free(cap); | ||
163 | } | ||
154 | if (!stat(SYSCONFDIR "/sway", &s)) { | 164 | if (!stat(SYSCONFDIR "/sway", &s)) { |
155 | if (s.st_uid != 0 || s.st_gid != 0 | 165 | if (s.st_uid != 0 || s.st_gid != 0 |
156 | || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) { | 166 | || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) { |