Diffstat (limited to 'sway/sway-security.7.txt')
-rw-r--r-- | sway/sway-security.7.txt | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 7d8aa4ad..fb47ffcf 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt | |||
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway | |||
19 | environment in their distro. Sway provides a number of means of securing it but | 19 | environment in their distro. Sway provides a number of means of securing it but |
20 | you must make a few changes external to sway first. | 20 | you must make a few changes external to sway first. |
21 | 21 | ||
22 | Security-related configuration is only valid in /etc/sway/config (or whatever path | 22 | Configuration of security features is limited to files in the security directory |
23 | is appropriate for your system). | 23 | (this is likely /etc/sway/security.d/*, but depends on your installation prefix). |
24 | Files in this directory must be owned by root:root and chmod 644. The default | ||
25 | security configuration is installed to /etc/sway/security.d/00-defaults, and | ||
26 | should not be modified - it will be updated with the latest recommended security | ||
27 | defaults between releases. To override the defaults, you should add more files to | ||
28 | this directory. | ||
24 | 29 | ||
25 | Environment security | 30 | Environment security |
26 | -------------------- | 31 | -------------------- |
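Review bot: The new paragraph (new lines 22-28) requires files to be "owned by root:root and chmod 644" but does not say what sway does when a file fails that check, and it sets no requirement on the security directory itself. State the failure behaviour (file skipped with a warning, or sway refuses to start), and require the directory to be root-owned and not writable by others, since a writable directory would let a user remove or rename 00-defaults even without being able to create a root-owned file. The 00-defaults name implies that load order decides overrides, so say in what order files are read and which setting wins. Also note that "root:root" does not hold on FreeBSD, which this page mentions further down, where root's group is wheel.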
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place. | |||
160 | IPC policies | 165 | IPC policies |
161 | ------------ | 166 | ------------ |
162 | 167 | ||
163 | You may whitelist IPC access like so: | 168 | Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC |
169 | socket, because any program that can execute swaymsg could circumvent its own | ||
170 | security policy by simply invoking swaymsg. | ||
164 | 171 | ||
165 | permit /usr/bin/swaybar ipc | 172 | You can configure which features of IPC are available for particular clients: |
166 | permit /usr/bin/swaygrab ipc | ||
167 | # etc | ||
168 | 173 | ||
169 | Note that it's suggested you do not enable swaymsg to access IPC if you intend to | 174 | ipc <executable> { |
170 | secure your IPC socket, because any program could just run swaymsg itself instead | ||
171 | of connecting to IPC directly. | ||
172 | |||
173 | You can also configure which features of IPC are available with an IPC block: | ||
174 | |||
175 | ipc { | ||
176 | ... | 175 | ... |
177 | } | 176 | } |
178 | 177 | ||
178 | You may use * for <executable> to configure the default policy for all clients. | ||
179 | Configuring IPC policies for specific executables is not supported on FreeBSD, and | ||
180 | the default policy will be applied to all IPC connections. | ||
181 | |||
179 | The following commands are available within this block: | 182 | The following commands are available within this block: |
180 | 183 | ||
181 | **bar-config** <enabled|disabled>:: | 184 | **bar-config** <enabled|disabled>:: |
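Review bot: The paragraph at new lines 168-170 encourages disabling IPC access for swaymsg, but with the old "permit ... ipc" example removed the hunk no longer shows how to do that in the new "ipc <executable> { ... }" syntax. Add a short example block for swaymsg here, for instance using the "* disabled" form this patch introduces later. The FreeBSD sentence at new lines 179-180 should also say whether a block naming a specific executable is rejected as an error or silently ignored there, because a silently ignored block leaves an administrator believing a restriction is in force when only the default policy applies.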
@@ -201,7 +204,7 @@ The following commands are available within this block: | |||
201 | 204 | ||
202 | You can also control which IPC events can be raised with an events block: | 205 | You can also control which IPC events can be raised with an events block: |
203 | 206 | ||
204 | ipc { | 207 | ipc <executable> { |
205 | events { | 208 | events { |
206 | ... | 209 | ... |
207 | } | 210 | } |
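Review bot: With the example at new line 207 now reading "ipc <executable> {", the page shows two separate ipc blocks (one for features, one for events) that can name the same executable, and nothing says whether a second block for that executable merges with or replaces the first. The command policy section states that setting a policy "overwrites any previous policy that was in place"; add the equivalent sentence for ipc blocks, and say how a block for a specific executable combines with the "*" default block.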
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block: | |||
227 | **workspace** <enabled|disabled>:: | 230 | **workspace** <enabled|disabled>:: |
228 | Controls workspace notifications. | 231 | Controls workspace notifications. |
229 | 232 | ||
230 | Disabling some of these may cause swaybar to behave incorrectly. | 233 | In each of these blocks, you may use * (as in "* enabled" or "* disabled") to |
234 | control access to every feature at once. | ||
231 | 235 | ||
232 | Authors | 236 | Authors |
233 | ------- | 237 | ------- |
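Review bot: Old line 230, "Disabling some of these may cause swaybar to behave incorrectly.", is dropped without replacement, yet the "* disabled" shorthand added at new lines 233-234 makes it easier to turn off everything swaybar depends on. Keep the caveat alongside the new text. The new sentence should also state what happens when "*" and a named feature appear in the same block (whether the later line wins or the specific one does), and "In each of these blocks" should name the ipc block and the events block explicitly. While this section is being touched, the heading line in the hunk context has a typo: "vaild" should be "valid".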