Disallow everything by default

And update config.d/security to configure sane defaults
This commit is contained in:
Drew DeVault 2016-12-03 12:38:42 -05:00
parent 93d99f3712
commit e7a764fdf4
4 changed files with 34 additions and 13 deletions

View file

@ -6,13 +6,12 @@
# installation. # installation.
# Configures which programs are allowed to use which sway features # Configures which programs are allowed to use which sway features
permit * fullscreen keyboard mouse ipc
permit __PREFIX__/bin/swaylock lock permit __PREFIX__/bin/swaylock lock
permit __PREFIX__/bin/swaybar panel permit __PREFIX__/bin/swaybar panel
permit __PREFIX__/bin/swaybg background permit __PREFIX__/bin/swaybg background
permit __PREFIX__/bin/swaygrab screenshot permit __PREFIX__/bin/swaygrab screenshot
permit * fullscreen keyboard mouse
# Configures which IPC features are enabled # Configures which IPC features are enabled
ipc { ipc {
command enabled command enabled
@ -36,6 +35,8 @@ ipc {
# Limits the contexts from which certain commands are permitted # Limits the contexts from which certain commands are permitted
commands { commands {
* all
fullscreen binding criteria fullscreen binding criteria
bindsym config bindsym config
exit binding exit binding

View file

@ -524,7 +524,7 @@ struct cmd_results *config_commands_command(char *exec) {
} }
struct cmd_handler *handler = find_handler(cmd, CMD_BLOCK_END); struct cmd_handler *handler = find_handler(cmd, CMD_BLOCK_END);
if (!handler) { if (!handler && strcmp(cmd, "*") != 0) {
char *input = cmd ? cmd : "(empty)"; char *input = cmd ? cmd : "(empty)";
results = cmd_results_new(CMD_INVALID, input, "Unknown/invalid command"); results = cmd_results_new(CMD_INVALID, input, "Unknown/invalid command");
goto cleanup; goto cleanup;

View file

@ -5,16 +5,25 @@
#include "log.h" #include "log.h"
struct feature_policy *alloc_feature_policy(const char *program) { struct feature_policy *alloc_feature_policy(const char *program) {
uint32_t default_policy = 0;
for (int i = 0; i < config->feature_policies->length; ++i) {
struct feature_policy *policy = config->feature_policies->items[i];
if (strcmp(policy->program, "*") == 0) {
default_policy = policy->features;
break;
}
}
struct feature_policy *policy = malloc(sizeof(struct feature_policy)); struct feature_policy *policy = malloc(sizeof(struct feature_policy));
policy->program = strdup(program); policy->program = strdup(program);
policy->features = FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE | FEATURE_IPC; policy->features = default_policy;
return policy; return policy;
} }
struct command_policy *alloc_command_policy(const char *command) { struct command_policy *alloc_command_policy(const char *command) {
struct command_policy *policy = malloc(sizeof(struct command_policy)); struct command_policy *policy = malloc(sizeof(struct command_policy));
policy->command = strdup(command); policy->command = strdup(command);
policy->context = CONTEXT_ALL; policy->context = 0;
return policy; return policy;
} }
@ -25,8 +34,7 @@ enum secure_feature get_feature_policy(pid_t pid) {
snprintf(path, pathlen + 1, fmt, pid); snprintf(path, pathlen + 1, fmt, pid);
static char link[2048]; static char link[2048];
enum secure_feature default_policy = uint32_t default_policy = 0;
FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE;
ssize_t len = readlink(path, link, sizeof(link)); ssize_t len = readlink(path, link, sizeof(link));
if (len < 0) { if (len < 0) {
@ -53,10 +61,13 @@ enum secure_feature get_feature_policy(pid_t pid) {
} }
enum command_context get_command_policy(const char *cmd) { enum command_context get_command_policy(const char *cmd) {
enum command_context default_policy = CONTEXT_ALL; uint32_t default_policy = 0;
for (int i = 0; i < config->command_policies->length; ++i) { for (int i = 0; i < config->command_policies->length; ++i) {
struct command_policy *policy = config->command_policies->items[i]; struct command_policy *policy = config->command_policies->items[i];
if (strcmp(policy->command, "*") == 0) {
default_policy = policy->context;
}
if (strcmp(policy->command, cmd) == 0) { if (strcmp(policy->command, cmd) == 0) {
return policy->context; return policy->context;
} }

View file

@ -124,8 +124,14 @@ To work correctly, sway's own programs require the following permissions:
- swaybg: background - swaybg: background
- swaylock: lock, keyboard - swaylock: lock, keyboard
- swaybar: panel, mouse - swaybar: panel, mouse, ipc
- swaygrab: screenshot - swaygrab: screenshot, ipc
When you first declare a policy for an executable, it will inherit the default
policy. Further changes to the default policy will not retroactively affect which
permissions an earlier policy inherits. You must explicitly reject any features
from the default policy that you do not want an executable to receive permission
for.
Command policies Command policies
---------------- ----------------
@ -145,6 +151,9 @@ contexts you can control are:
**criteria**:: **criteria**::
Can be run when evaluating window criteria. Can be run when evaluating window criteria.
**all**::
Shorthand for granting permission in all contexts.
By default a command is allowed to execute in any context. To configure this, open By default a command is allowed to execute in any context. To configure this, open
a commands block and fill it with policies: a commands block and fill it with policies:
@ -160,13 +169,13 @@ binding and critiera:
focus binding criteria focus binding criteria
} }
Setting a command policy overwrites any previous policy that was in place.
IPC policies IPC policies
------------ ------------
By default all programs can connect to IPC for backwards compatability with i3. You may whitelist IPC access like so:
However, you can whitelist IPC access like so:
reject * ipc
permit /usr/bin/swaybar ipc permit /usr/bin/swaybar ipc
permit /usr/bin/swaygrab ipc permit /usr/bin/swaygrab ipc
# etc # etc