diff options
Diffstat (limited to 'sway/sway-security.7.txt')
-rw-r--r-- | sway/sway-security.7.txt | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index aee3793c..c8d6758c 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt | |||
@@ -15,8 +15,8 @@ Security Overview | |||
15 | figured out yet. The following man page is provisional. | 15 | figured out yet. The following man page is provisional. |
16 | 16 | ||
17 | Securing sway requires careful configuration of your environment, the sort that's | 17 | Securing sway requires careful configuration of your environment, the sort that's |
18 | usually best suited to a distro maintainer who wants to ship a secure sway | 18 | usually best suited to a distribution maintainer who wants to ship a secure sway |
19 | environment in their distro. Sway provides a number of means of securing it but | 19 | environment in their distribution. Sway provides a number of means of securing it but |
20 | you must make a few changes external to sway first. | 20 | you must make a few changes external to sway first. |
21 | 21 | ||
22 | Configuration of security features is limited to files in the security directory | 22 | Configuration of security features is limited to files in the security directory |
@@ -31,7 +31,7 @@ Environment security | |||
31 | -------------------- | 31 | -------------------- |
32 | 32 | ||
33 | LD_PRELOAD is a mechanism designed to ruin the security of your system. There are | 33 | LD_PRELOAD is a mechanism designed to ruin the security of your system. There are |
34 | a number of strategies for dealing with this but they all suck a little. In order | 34 | a number of strategies for dealing with this, but they all suck a little. In order |
35 | of most practical to least practical: | 35 | of most practical to least practical: |
36 | 36 | ||
37 | 1. Only run important programs via exec. Sway's exec command will ensure that | 37 | 1. Only run important programs via exec. Sway's exec command will ensure that |
@@ -50,8 +50,7 @@ compromised by LD_PRELOAD. It probably isn't, but you can be sure by setting | |||
50 | permit LD_PRELOAD for it (and will also run it as root, which sway will shortly | 50 | permit LD_PRELOAD for it (and will also run it as root, which sway will shortly |
51 | drop). You could also statically link sway itself. | 51 | drop). You could also statically link sway itself. |
52 | 52 | ||
53 | Note that LD_LIBRARY_PATH has all of the same problems, and all of the same | 53 | Note that LD_LIBRARY_PATH has all of these problems, and the same solutions. |
54 | solutions. | ||
55 | 54 | ||
56 | Read your log | 55 | Read your log |
57 | ------------- | 56 | ------------- |
@@ -93,16 +92,16 @@ policies. These features are: | |||
93 | Permission to take screenshots or record the screen. | 92 | Permission to take screenshots or record the screen. |
94 | 93 | ||
95 | By default, no permissions are granted (though saner defaults are provided in | 94 | By default, no permissions are granted (though saner defaults are provided in |
96 | /etc/sway/config.d/security). You can use the following config commands to control | 95 | /etc/sway/config.d/security). You can use the following configuration options to control |
97 | a program's access: | 96 | a program's access: |
98 | 97 | ||
99 | **permit** <executable> <features...>:: | 98 | **permit** <executable> <features...>:: |
100 | Permits <executable> to use <features> (each feature seperated by a space). | 99 | Permits <executable> to use <features> (each feature separated by a space). |
101 | <executable> may be * to affect the default policy, or the full path to the | 100 | <executable> may be * to affect the default policy, or the full path to the |
102 | executable file. | 101 | executable file. |
103 | 102 | ||
104 | **reject** <executable> <features...>:: | 103 | **reject** <executable> <features...>:: |
105 | Disallows <executable> from using <features> (each feature seperated by a space). | 104 | Disallows <executable> from using <features> (each feature separated by a space). |
106 | <executable> may be * to affect the default policy, or the full path to the | 105 | <executable> may be * to affect the default policy, or the full path to the |
107 | executable file. | 106 | executable file. |
108 | 107 | ||
@@ -154,7 +153,7 @@ a commands block and fill it with policies: | |||
154 | } | 153 | } |
155 | 154 | ||
156 | For example, you could do this to limit the use of the focus command to just | 155 | For example, you could do this to limit the use of the focus command to just |
157 | binding and critiera: | 156 | binding and criteria: |
158 | 157 | ||
159 | commands { | 158 | commands { |
160 | focus binding criteria | 159 | focus binding criteria |
@@ -210,7 +209,7 @@ You can also control which IPC events can be raised with an events block: | |||
210 | } | 209 | } |
211 | } | 210 | } |
212 | 211 | ||
213 | The following commands are vaild within an ipc events block: | 212 | The following commands are valid within an IPC events block: |
214 | 213 | ||
215 | **binding** <enabled|disabled>:: | 214 | **binding** <enabled|disabled>:: |
216 | Controls keybinding notifications (disabled by default). | 215 | Controls keybinding notifications (disabled by default). |