Check for CAP_SYS_PTRACE
This commit is contained in:
parent
d353da248b
commit
8577095db7
|
@ -55,6 +55,7 @@ target_link_libraries(sway
|
||||||
${PANGO_LIBRARIES}
|
${PANGO_LIBRARIES}
|
||||||
${JSONC_LIBRARIES}
|
${JSONC_LIBRARIES}
|
||||||
m
|
m
|
||||||
|
cap
|
||||||
)
|
)
|
||||||
|
|
||||||
install(
|
install(
|
||||||
|
|
10
sway/main.c
10
sway/main.c
|
@ -9,6 +9,7 @@
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <getopt.h>
|
#include <getopt.h>
|
||||||
|
#include <sys/capability.h>
|
||||||
#include "sway/extensions.h"
|
#include "sway/extensions.h"
|
||||||
#include "sway/layout.h"
|
#include "sway/layout.h"
|
||||||
#include "sway/config.h"
|
#include "sway/config.h"
|
||||||
|
@ -151,6 +152,15 @@ static void security_sanity_check() {
|
||||||
sway_log(L_ERROR,
|
sway_log(L_ERROR,
|
||||||
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
|
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
|
||||||
}
|
}
|
||||||
|
cap_flag_value_t v;
|
||||||
|
cap_t cap = cap_get_proc();
|
||||||
|
if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) {
|
||||||
|
sway_log(L_ERROR,
|
||||||
|
"!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users.");
|
||||||
|
}
|
||||||
|
if (cap) {
|
||||||
|
cap_free(cap);
|
||||||
|
}
|
||||||
if (!stat(SYSCONFDIR "/sway", &s)) {
|
if (!stat(SYSCONFDIR "/sway", &s)) {
|
||||||
if (s.st_uid != 0 || s.st_gid != 0
|
if (s.st_uid != 0 || s.st_gid != 0
|
||||||
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
|
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
|
||||||
|
|
Loading…
Reference in a new issue