diff options
-rw-r--r-- | config.d/security | 10 | ||||
-rw-r--r-- | include/security.h | 9 | ||||
-rw-r--r-- | include/sway/config.h | 39 | ||||
-rw-r--r-- | sway/config.c | 24 |
4 files changed, 74 insertions, 8 deletions
diff --git a/config.d/security b/config.d/security index bff55f0f..fe75d8ea 100644 --- a/config.d/security +++ b/config.d/security | |||
@@ -37,15 +37,15 @@ ipc { | |||
37 | 37 | ||
38 | # Limits the contexts from which certain commands are permitted | 38 | # Limits the contexts from which certain commands are permitted |
39 | commands { | 39 | commands { |
40 | fullscreen bindsym criteria | 40 | fullscreen binding criteria |
41 | bindsym config | 41 | bindsym config |
42 | exit bindsym | 42 | exit binding |
43 | kill bindsym | 43 | kill binding |
44 | 44 | ||
45 | # You should not change these unless you know what you're doing - it could | 45 | # You should not change these unless you know what you're doing - it could |
46 | # cripple your security | 46 | # cripple your security |
47 | reload bindsym | 47 | reload binding |
48 | restart bindsym | 48 | restart binding |
49 | permit config | 49 | permit config |
50 | reject config | 50 | reject config |
51 | ipc config | 51 | ipc config |
diff --git a/include/security.h b/include/security.h new file mode 100644 index 00000000..efc25ce6 --- /dev/null +++ b/include/security.h | |||
@@ -0,0 +1,9 @@ | |||
1 | #ifndef _SWAY_SECURITY_H | ||
2 | #define _SWAY_SECURITY_H | ||
3 | #include <unistd.h> | ||
4 | #include "sway/config.h" | ||
5 | |||
6 | const struct feature_permissions *get_permissions(pid_t pid); | ||
7 | enum command_context get_command_context(const char *cmd); | ||
8 | |||
9 | #endif | ||
diff --git a/include/sway/config.h b/include/sway/config.h index 8d077ee7..3744386c 100644 --- a/include/sway/config.h +++ b/include/sway/config.h | |||
@@ -103,9 +103,6 @@ struct pid_workspace { | |||
103 | time_t *time_added; | 103 | time_t *time_added; |
104 | }; | 104 | }; |
105 | 105 | ||
106 | void pid_workspace_add(struct pid_workspace *pw); | ||
107 | void free_pid_workspace(struct pid_workspace *pw); | ||
108 | |||
109 | struct bar_config { | 106 | struct bar_config { |
110 | /** | 107 | /** |
111 | * One of "dock", "hide", "invisible" | 108 | * One of "dock", "hide", "invisible" |
@@ -184,6 +181,35 @@ enum edge_border_types { | |||
184 | E_BOTH /**< hide vertical and horizontal edge borders */ | 181 | E_BOTH /**< hide vertical and horizontal edge borders */ |
185 | }; | 182 | }; |
186 | 183 | ||
184 | enum command_context { | ||
185 | CONTEXT_CONFIG = 1, | ||
186 | CONTEXT_BINDING = 2, | ||
187 | CONTEXT_IPC = 4, | ||
188 | CONTEXT_CRITERIA = 8, | ||
189 | CONTEXT_ALL = 0xFFFFFFFF, | ||
190 | }; | ||
191 | |||
192 | struct command_policy { | ||
193 | char *command; | ||
194 | enum command_context context; | ||
195 | }; | ||
196 | |||
197 | enum secure_feature { | ||
198 | FEATURE_LOCK = 1, | ||
199 | FEATURE_PANEL = 2, | ||
200 | FEATURE_BACKGROUND = 4, | ||
201 | FEATURE_SCREENSHOT = 8, | ||
202 | FEATURE_FULLSCREEN = 16, | ||
203 | FEATURE_KEYBOARD = 32, | ||
204 | FEATURE_MOUSE = 64, | ||
205 | }; | ||
206 | |||
207 | struct feature_policy { | ||
208 | char *program; | ||
209 | bool permit; | ||
210 | enum secure_feature features; | ||
211 | }; | ||
212 | |||
187 | /** | 213 | /** |
188 | * The configuration struct. The result of loading a config file. | 214 | * The configuration struct. The result of loading a config file. |
189 | */ | 215 | */ |
@@ -252,8 +278,15 @@ struct sway_config { | |||
252 | int32_t floating_maximum_height; | 278 | int32_t floating_maximum_height; |
253 | int32_t floating_minimum_width; | 279 | int32_t floating_minimum_width; |
254 | int32_t floating_minimum_height; | 280 | int32_t floating_minimum_height; |
281 | |||
282 | // Security | ||
283 | list_t *command_policies; | ||
284 | list_t *feature_policies; | ||
255 | }; | 285 | }; |
256 | 286 | ||
287 | void pid_workspace_add(struct pid_workspace *pw); | ||
288 | void free_pid_workspace(struct pid_workspace *pw); | ||
289 | |||
257 | /** | 290 | /** |
258 | * Loads the main config from the given path. is_active should be true when | 291 | * Loads the main config from the given path. is_active should be true when |
259 | * reloading the config. | 292 | * reloading the config. |
diff --git a/sway/config.c b/sway/config.c index 7d5999d8..a2f6a728 100644 --- a/sway/config.c +++ b/sway/config.c | |||
@@ -167,6 +167,16 @@ void free_pid_workspace(struct pid_workspace *pw) { | |||
167 | free(pw); | 167 | free(pw); |
168 | } | 168 | } |
169 | 169 | ||
170 | void free_command_policy(struct command_policy *policy) { | ||
171 | free(policy->command); | ||
172 | free(policy); | ||
173 | } | ||
174 | |||
175 | void free_feature_policy(struct feature_policy *policy) { | ||
176 | free(policy->program); | ||
177 | free(policy); | ||
178 | } | ||
179 | |||
170 | void free_config(struct sway_config *config) { | 180 | void free_config(struct sway_config *config) { |
171 | int i; | 181 | int i; |
172 | for (i = 0; i < config->symbols->length; ++i) { | 182 | for (i = 0; i < config->symbols->length; ++i) { |
@@ -211,6 +221,16 @@ void free_config(struct sway_config *config) { | |||
211 | } | 221 | } |
212 | list_free(config->output_configs); | 222 | list_free(config->output_configs); |
213 | 223 | ||
224 | for (i = 0; i < config->command_policies->length; ++i) { | ||
225 | free_command_policy(config->command_policies->items[i]); | ||
226 | } | ||
227 | list_free(config->command_policies); | ||
228 | |||
229 | for (i = 0; i < config->feature_policies->length; ++i) { | ||
230 | free_feature_policy(config->feature_policies->items[i]); | ||
231 | } | ||
232 | list_free(config->feature_policies); | ||
233 | |||
214 | list_free(config->active_bar_modifiers); | 234 | list_free(config->active_bar_modifiers); |
215 | free_flat_list(config->config_chain); | 235 | free_flat_list(config->config_chain); |
216 | free(config->font); | 236 | free(config->font); |
@@ -321,6 +341,10 @@ static void config_defaults(struct sway_config *config) { | |||
321 | config->border_colors.placeholder.child_border = 0x0C0C0CFF; | 341 | config->border_colors.placeholder.child_border = 0x0C0C0CFF; |
322 | 342 | ||
323 | config->border_colors.background = 0xFFFFFFFF; | 343 | config->border_colors.background = 0xFFFFFFFF; |
344 | |||
345 | // Security | ||
346 | config->command_policies = create_list(); | ||
347 | config->feature_policies = create_list(); | ||
324 | } | 348 | } |
325 | 349 | ||
326 | static int compare_modifiers(const void *left, const void *right) { | 350 | static int compare_modifiers(const void *left, const void *right) { |