Write example security config, start on code
This commit is contained in:
parent
cd5694fdb5
commit
5831f7ab68
52
config.d/security
Normal file
52
config.d/security
Normal file
|
@ -0,0 +1,52 @@
|
|||
# sway security rules
|
||||
#
|
||||
# Read sway-security(7) for details on how to secure your sway install.
|
||||
#
|
||||
# You MUST read this man page if you intend to attempt to secure your sway
|
||||
# installation.
|
||||
|
||||
# Configures which programs are allowed to use which sway features
|
||||
permit $PREFIX/swaylock lock
|
||||
permit $PREFIX/swaybar panel
|
||||
permit $PREFIX/swaybg background
|
||||
permit $PREFIX/swaygrab screenshot
|
||||
|
||||
permit * fullscreen keyboard mouse
|
||||
|
||||
# Configures which IPC features are enabled
|
||||
ipc {
|
||||
command enabled
|
||||
outputs enabled
|
||||
workspaces enabled
|
||||
tree enabled
|
||||
marks enabled
|
||||
bar-config enabled
|
||||
inputs enabled
|
||||
|
||||
events {
|
||||
workspace enabled
|
||||
output enabled
|
||||
mode enabled
|
||||
window enabled
|
||||
bar-config enabled
|
||||
binding enabled
|
||||
modifier enabled
|
||||
input enabled
|
||||
}
|
||||
}
|
||||
|
||||
# Limits the contexts from which certain commands are permitted
|
||||
commands {
|
||||
fullscreen bindsym criteria
|
||||
bindsym config
|
||||
exit bindsym
|
||||
kill bindsym
|
||||
|
||||
# You should not change these unless you know what you're doing - it could
|
||||
# cripple your security
|
||||
reload bindsym
|
||||
restart bindsym
|
||||
permit config
|
||||
reject config
|
||||
ipc config
|
||||
}
|
23
sway/main.c
23
sway/main.c
|
@ -4,6 +4,7 @@
|
|||
#include <wlc/wlc.h>
|
||||
#include <sys/wait.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/un.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
|
@ -142,6 +143,27 @@ static void log_kernel() {
|
|||
fclose(f);
|
||||
}
|
||||
|
||||
static void security_sanity_check() {
|
||||
// TODO: Notify users visually if this has issues
|
||||
struct stat s = {0};
|
||||
if (stat("/proc", &s)) {
|
||||
sway_log(L_ERROR,
|
||||
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
|
||||
}
|
||||
if (!stat(SYSCONFDIR "/sway", &s)) {
|
||||
if (s.st_uid != 0 || s.st_gid != 0 || s.st_mode != 00755) {
|
||||
sway_log(L_ERROR,
|
||||
"!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755");
|
||||
}
|
||||
}
|
||||
// TODO: check that these command policies are set
|
||||
// reload bindsym
|
||||
// restart bindsym
|
||||
// permit config
|
||||
// reject config
|
||||
// ipc config
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
static int verbose = 0, debug = 0, validate = 0;
|
||||
|
||||
|
@ -256,6 +278,7 @@ int main(int argc, char **argv) {
|
|||
}
|
||||
wlc_log_set_handler(wlc_log_handler);
|
||||
detect_proprietary();
|
||||
security_sanity_check();
|
||||
|
||||
input_devices = create_list();
|
||||
|
||||
|
|
Loading…
Reference in a new issue