Read configs from /etc/sway/security.d/*
This commit is contained in:
parent
eabfb6c559
commit
126ce571da
9 changed files with 77 additions and 42 deletions
|
@ -340,6 +340,8 @@ void free_config(struct sway_config *config);
|
|||
*/
|
||||
char *do_var_replacement(char *str);
|
||||
|
||||
struct cmd_results *check_security_config();
|
||||
|
||||
int input_identifier_cmp(const void *item, const void *data);
|
||||
void merge_input_config(struct input_config *dst, struct input_config *src);
|
||||
void apply_input_config(struct input_config *ic, struct libinput_device *dev);
|
||||
|
|
|
@ -29,6 +29,11 @@ ipc __PREFIX__/bin/swaybar {
|
|||
outputs enabled
|
||||
workspaces enabled
|
||||
command enabled
|
||||
|
||||
events {
|
||||
workspace enabled
|
||||
mode enabled
|
||||
}
|
||||
}
|
||||
|
||||
ipc __PREFIX__/bin/swaygrab {
|
||||
|
|
|
@ -10,6 +10,9 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "commands", EXPECTED_EQUAL_TO, 1))) {
|
||||
return error;
|
||||
}
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (strcmp(argv[0], "{") != 0) {
|
||||
return cmd_results_new(CMD_FAILURE, "commands", "Expected block declaration");
|
||||
|
@ -19,10 +22,5 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
|
|||
return cmd_results_new(CMD_FAILURE, "commands", "Can only be used in config file.");
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
}
|
||||
|
||||
return cmd_results_new(CMD_BLOCK_COMMANDS, NULL, NULL);
|
||||
}
|
||||
|
|
|
@ -14,6 +14,9 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 2))) {
|
||||
return error;
|
||||
}
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
const char *program = argv[0];
|
||||
|
||||
|
@ -26,11 +29,6 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
|
|||
return cmd_results_new(CMD_FAILURE, "ipc", "Can only be used in config file.");
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
}
|
||||
|
||||
current_policy = alloc_ipc_policy(program);
|
||||
list_add(config->ipc_policies, current_policy);
|
||||
|
||||
|
|
|
@ -62,19 +62,13 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
struct feature_policy *policy = get_policy(argv[0]);
|
||||
policy->features |= get_features(argc, argv, &error);
|
||||
|
||||
if (error) {
|
||||
return error;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||
policy->program, policy->features);
|
||||
|
||||
|
@ -86,19 +80,13 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "reject", EXPECTED_MORE_THAN, 1))) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
struct feature_policy *policy = get_policy(argv[0]);
|
||||
policy->features &= ~get_features(argc, argv, &error);
|
||||
|
||||
if (error) {
|
||||
return error;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||
policy->program, policy->features);
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
#include <libinput.h>
|
||||
#include <limits.h>
|
||||
#include <float.h>
|
||||
#include <dirent.h>
|
||||
#include "wayland-desktop-shell-server-protocol.h"
|
||||
#include "sway/commands.h"
|
||||
#include "sway/config.h"
|
||||
|
@ -485,6 +486,10 @@ static bool load_config(const char *path, struct sway_config *config) {
|
|||
return true;
|
||||
}
|
||||
|
||||
static int qstrcmp(const void* a, const void* b) {
|
||||
return strcmp(*((char**) a), *((char**) b));
|
||||
}
|
||||
|
||||
bool load_main_config(const char *file, bool is_active) {
|
||||
input_init();
|
||||
|
||||
|
@ -512,7 +517,43 @@ bool load_main_config(const char *file, bool is_active) {
|
|||
list_add(config->config_chain, path);
|
||||
|
||||
config->reading = true;
|
||||
bool success = load_config(SYSCONFDIR "/sway/security", config);
|
||||
|
||||
// Read security configs
|
||||
bool success = true;
|
||||
DIR *dir = opendir(SYSCONFDIR "/sway/security.d");
|
||||
if (!dir) {
|
||||
sway_log(L_ERROR, "%s does not exist, sway will have no security configuration"
|
||||
" and will probably be broken", SYSCONFDIR "/sway/security.d");
|
||||
} else {
|
||||
list_t *secconfigs = create_list();
|
||||
char *base = SYSCONFDIR "/sway/security.d/";
|
||||
struct dirent *ent = readdir(dir);
|
||||
while (ent != NULL) {
|
||||
if (ent->d_type == DT_REG) {
|
||||
char *_path = malloc(strlen(ent->d_name) + strlen(base) + 1);
|
||||
strcpy(_path, base);
|
||||
strcat(_path, ent->d_name);
|
||||
list_add(secconfigs, _path);
|
||||
}
|
||||
ent = readdir(dir);
|
||||
}
|
||||
closedir(dir);
|
||||
|
||||
list_qsort(secconfigs, qstrcmp);
|
||||
for (int i = 0; i < secconfigs->length; ++i) {
|
||||
char *_path = secconfigs->items[i];
|
||||
struct stat s;
|
||||
if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & 0777) != 0644) {
|
||||
sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);
|
||||
success = false;
|
||||
} else {
|
||||
success = success && load_config(_path, config);
|
||||
}
|
||||
}
|
||||
|
||||
free_flat_list(secconfigs);
|
||||
}
|
||||
|
||||
success = success && load_config(path, config);
|
||||
|
||||
if (is_active) {
|
||||
|
@ -620,6 +661,15 @@ bool load_include_configs(const char *path, struct sway_config *config) {
|
|||
return true;
|
||||
}
|
||||
|
||||
struct cmd_results *check_security_config() {
|
||||
if (!current_config_path || strncmp(SYSCONFDIR "/sway/security.d/", current_config_path,
|
||||
strlen(SYSCONFDIR "/sway/security.d/")) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security.d/*");
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
bool read_config(FILE *file, struct sway_config *config) {
|
||||
bool success = true;
|
||||
enum cmd_status block = CMD_BLOCK_END;
|
||||
|
|
|
@ -241,8 +241,7 @@ int ipc_client_handle_readable(int client_fd, uint32_t mask, void *data) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
void ipc_client_disconnect(struct ipc_client *client)
|
||||
{
|
||||
void ipc_client_disconnect(struct ipc_client *client) {
|
||||
if (!sway_assert(client != NULL, "client != NULL")) {
|
||||
return;
|
||||
}
|
||||
|
@ -326,8 +325,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
ipc_client_disconnect(client);
|
||||
return;
|
||||
}
|
||||
if (client->payload_length > 0)
|
||||
{
|
||||
if (client->payload_length > 0) {
|
||||
ssize_t received = recv(client->fd, buf, client->payload_length, 0);
|
||||
if (received == -1)
|
||||
{
|
||||
|
@ -397,7 +395,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_WORKSPACES:
|
||||
{
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_TREE)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_WORKSPACES)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *workspaces = json_object_new_array();
|
||||
|
@ -410,7 +408,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_INPUTS:
|
||||
{
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_TREE)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_INPUTS)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *inputs = json_object_new_array();
|
||||
|
@ -436,7 +434,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_OUTPUTS:
|
||||
{
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_TREE)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_OUTPUTS)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *outputs = json_object_new_array();
|
||||
|
@ -561,6 +559,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
exit_denied:
|
||||
ipc_send_reply(client, error_denied, (uint32_t)strlen(error_denied));
|
||||
sway_log(L_DEBUG, "Denied IPC client access to %i", client->current_command);
|
||||
|
||||
exit_cleanup:
|
||||
client->payload_length = 0;
|
||||
|
@ -588,6 +587,8 @@ bool ipc_send_reply(struct ipc_client *client, const char *payload, uint32_t pay
|
|||
return false;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Send IPC reply: %s", payload);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
@ -175,13 +175,6 @@ static void security_sanity_check() {
|
|||
cap_free(cap);
|
||||
}
|
||||
#endif
|
||||
if (!stat(SYSCONFDIR "/sway", &s)) {
|
||||
if (s.st_uid != 0 || s.st_gid != 0
|
||||
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
|
||||
sway_log(L_ERROR,
|
||||
"!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755 at the minimum");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
|
|
|
@ -21,7 +21,7 @@ you must make a few changes external to sway first.
|
|||
|
||||
Configuration of security features is limited to files in the security directory
|
||||
(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
|
||||
Files in this directory must be owned by root:root and chmod 600. The default
|
||||
Files in this directory must be owned by root:root and chmod 644. The default
|
||||
security configuration is installed to /etc/sway/security.d/00-defaults, and
|
||||
should not be modified - it will be updated with the latest recommended security
|
||||
defaults between releases. To override the defaults, you should add more files to
|
||||
|
|
Loading…
Add table
Reference in a new issue