1 files changed, 19 insertions, 15 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index 7d8aa4ad..fb47ffcf 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
 environment in their distro. Sway provides a number of means of securing it but
 you must make a few changes external to sway first.
-Security-related configuration is only valid in /etc/sway/config (or whatever path
+Configuration of security features is limited to files in the security directory
-is appropriate for your system).
+(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
+Files in this directory must be owned by root:root and chmod 644. The default
+security configuration is installed to /etc/sway/security.d/00-defaults, and
+should not be modified - it will be updated with the latest recommended security
+defaults between releases. To override the defaults, you should add more files to
+this directory.
 Environment security
 --------------------
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
 IPC policies
 ------------
-You may whitelist IPC access like so:
+Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
+socket, because any program that can execute swaymsg could circumvent its own
+security policy by simply invoking swaymsg.
-        permit /usr/bin/swaybar ipc
+You can configure which features of IPC are available for particular clients:
-        permit /usr/bin/swaygrab ipc
-        # etc
-Note that it's suggested you do not enable swaymsg to access IPC if you intend to
+        ipc <executable> {
-secure your IPC socket, because any program could just run swaymsg itself instead
-of connecting to IPC directly.
-You can also configure which features of IPC are available with an IPC block:
-        ipc {
                ...
        }
+You may use * for <executable> to configure the default policy for all clients.
+Configuring IPC policies for specific executables is not supported on FreeBSD, and
+the default policy will be applied to all IPC connections.
 The following commands are available within this block:
 **bar-config** <enabled|disabled>::
@@ -201,7 +204,7 @@ The following commands are available within this block:
 You can also control which IPC events can be raised with an events block:
-        ipc {
+        ipc <executable> {
                events {
                        ...
                }
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
 **workspace** <enabled|disabled>::
        Controls workspace notifications.
-Disabling some of these may cause swaybar to behave incorrectly.
+In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
+control access to every feature at once.
 Authors
 -------