Diffstat (limited to 'sway/sway-security.7.txt')
-rw-r--r-- | sway/sway-security.7.txt | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 53c7b876..9a2581b1 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt | |||
@@ -124,8 +124,14 @@ To work correctly, sway's own programs require the following permissions: | |||
124 | 124 | ||
125 | - swaybg: background | 125 | - swaybg: background |
126 | - swaylock: lock, keyboard | 126 | - swaylock: lock, keyboard |
127 | - swaybar: panel, mouse | 127 | - swaybar: panel, mouse, ipc |
128 | - swaygrab: screenshot | 128 | - swaygrab: screenshot, ipc |
129 | |||
130 | When you first declare a policy for an executable, it will inherit the default | ||
131 | policy. Further changes to the default policy will not retroactively affect which | ||
132 | permissions an earlier policy inherits. You must explicitly reject any features | ||
133 | from the default policy that you do not want an executable to receive permission | ||
134 | for. | ||
129 | 135 | ||
130 | Command policies | 136 | Command policies |
131 | ---------------- | 137 | ---------------- |
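Review bot: The inheritance paragraph added at new lines 130-134 makes the result of a policy depend on declaration order, but it does not say where the default policy should sit relative to per-executable policies, and nothing in this hunk shows what an explicit rejection looks like. As written, tightening the default policy after an executable's policy has been declared leaves that executable with the broader set it inherited earlier, which is easy to miss. Suggest stating that the default policy should be declared before any executable policy, and adding a one-line reject example next to "You must explicitly reject any features".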
@@ -145,6 +151,9 @@ contexts you can control are: | |||
145 | **criteria**:: | 151 | **criteria**:: |
146 | Can be run when evaluating window criteria. | 152 | Can be run when evaluating window criteria. |
147 | 153 | ||
154 | **all**:: | ||
155 | Shorthand for granting permission in all contexts. | ||
156 | |||
148 | By default a command is allowed to execute in any context. To configure this, open | 157 | By default a command is allowed to execute in any context. To configure this, open |
149 | a commands block and fill it with policies: | 158 | a commands block and fill it with policies: |
150 | 159 | ||
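Review bot: The new **all** entry at new lines 154-155 says only that it grants permission in all contexts. It does not say whether all may be combined with other context names on the same line, and the unchanged sentence right after it already states that a command is allowed in any context by default, so the reader cannot tell when writing all changes anything. Suggest one more sentence on when it is meant to be used and how it interacts with the other context keywords.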
@@ -160,13 +169,13 @@ binding and critiera: | |||
160 | focus binding criteria | 169 | focus binding criteria |
161 | } | 170 | } |
162 | 171 | ||
172 | Setting a command policy overwrites any previous policy that was in place. | ||
173 | |||
163 | IPC policies | 174 | IPC policies |
164 | ------------ | 175 | ------------ |
165 | 176 | ||
166 | By default all programs can connect to IPC for backwards compatability with i3. | 177 | You may whitelist IPC access like so: |
167 | However, you can whitelist IPC access like so: | ||
168 | 178 | ||
169 | reject * ipc | ||
170 | permit /usr/bin/swaybar ipc | 179 | permit /usr/bin/swaybar ipc |
171 | permit /usr/bin/swaygrab ipc | 180 | permit /usr/bin/swaygrab ipc |
172 | # etc | 181 | # etc |
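Review bot: With old lines 166-167 and the "reject * ipc" line removed from the example, the IPC policies section no longer states what the default IPC access is, so a reader cannot tell whether the permit lines on their own restrict anything. If IPC is now denied unless explicitly permitted, say so in the sentence at new line 177; if it is still open by default, the example needs the reject line back or it is not a whitelist. Separately, the context line in this hunk's header still reads "binding and critiera:", which could be corrected in the same change.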