Merge pull request #1080 from SirCmpwn/ipc-security
Revise IPC security configuration
This commit is contained in:
commit
f68d2fb33c
|
@ -203,7 +203,6 @@ enum secure_feature {
|
|||
FEATURE_FULLSCREEN = 16,
|
||||
FEATURE_KEYBOARD = 32,
|
||||
FEATURE_MOUSE = 64,
|
||||
FEATURE_IPC = 128,
|
||||
};
|
||||
|
||||
struct feature_policy {
|
||||
|
@ -225,7 +224,17 @@ enum ipc_feature {
|
|||
IPC_FEATURE_EVENT_MODE = 1024,
|
||||
IPC_FEATURE_EVENT_WINDOW = 2048,
|
||||
IPC_FEATURE_EVENT_BINDING = 4096,
|
||||
IPC_FEATURE_EVENT_INPUT = 8192
|
||||
IPC_FEATURE_EVENT_INPUT = 8192,
|
||||
|
||||
IPC_FEATURE_ALL_COMMANDS = 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
|
||||
IPC_FEATURE_ALL_EVENTS = 256 | 512 | 1024 | 2048 | 4096 | 8192,
|
||||
|
||||
IPC_FEATURE_ALL = IPC_FEATURE_ALL_COMMANDS | IPC_FEATURE_ALL_EVENTS,
|
||||
};
|
||||
|
||||
struct ipc_policy {
|
||||
char *program;
|
||||
uint32_t features;
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -300,7 +309,7 @@ struct sway_config {
|
|||
// Security
|
||||
list_t *command_policies;
|
||||
list_t *feature_policies;
|
||||
uint32_t ipc_policy;
|
||||
list_t *ipc_policies;
|
||||
};
|
||||
|
||||
void pid_workspace_add(struct pid_workspace *pw);
|
||||
|
@ -331,6 +340,8 @@ void free_config(struct sway_config *config);
|
|||
*/
|
||||
char *do_var_replacement(char *str);
|
||||
|
||||
struct cmd_results *check_security_config();
|
||||
|
||||
int input_identifier_cmp(const void *item, const void *data);
|
||||
void merge_input_config(struct input_config *dst, struct input_config *src);
|
||||
void apply_input_config(struct input_config *ic, struct libinput_device *dev);
|
||||
|
|
|
@ -3,12 +3,14 @@
|
|||
#include <unistd.h>
|
||||
#include "sway/config.h"
|
||||
|
||||
enum secure_feature get_feature_policy(pid_t pid);
|
||||
enum command_context get_command_policy(const char *cmd);
|
||||
uint32_t get_feature_policy(pid_t pid);
|
||||
uint32_t get_ipc_policy(pid_t pid);
|
||||
uint32_t get_command_policy(const char *cmd);
|
||||
|
||||
const char *command_policy_str(enum command_context context);
|
||||
|
||||
struct feature_policy *alloc_feature_policy(const char *program);
|
||||
struct ipc_policy *alloc_ipc_policy(const char *program);
|
||||
struct command_policy *alloc_command_policy(const char *command);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -5,36 +5,42 @@
|
|||
# You MUST read this man page if you intend to attempt to secure your sway
|
||||
# installation.
|
||||
#
|
||||
# This file should live at __SYSCONFDIR__/sway/security and will be
|
||||
# automatically read by sway.
|
||||
# DO NOT CHANGE THIS FILE. Override these defaults by writing new files in
|
||||
# __SYSCONFDIR__/sway/security.d/*
|
||||
|
||||
# Configures which programs are allowed to use which sway features
|
||||
permit * fullscreen keyboard mouse ipc
|
||||
# Configures enabled compositor features for specific programs
|
||||
permit * fullscreen keyboard mouse
|
||||
permit __PREFIX__/bin/swaylock lock
|
||||
permit __PREFIX__/bin/swaybar panel
|
||||
permit __PREFIX__/bin/swaybg background
|
||||
permit __PREFIX__/bin/swaygrab screenshot
|
||||
permit __PREFIX__/bin/swaybar panel
|
||||
|
||||
# Configures which IPC features are enabled
|
||||
ipc {
|
||||
command enabled
|
||||
# Configures enabled IPC features for specific programs
|
||||
ipc __PREFIX__/bin/swaymsg {
|
||||
* enabled
|
||||
|
||||
events {
|
||||
* disabled
|
||||
}
|
||||
}
|
||||
|
||||
ipc __PREFIX__/bin/swaybar {
|
||||
bar-config enabled
|
||||
outputs enabled
|
||||
workspaces enabled
|
||||
tree enabled
|
||||
marks enabled
|
||||
bar-config enabled
|
||||
inputs enabled
|
||||
command enabled
|
||||
|
||||
events {
|
||||
workspace enabled
|
||||
output enabled
|
||||
mode enabled
|
||||
window enabled
|
||||
input enabled
|
||||
binding disabled
|
||||
}
|
||||
}
|
||||
|
||||
ipc __PREFIX__/bin/swaygrab {
|
||||
outputs enabled
|
||||
tree enabled
|
||||
}
|
||||
|
||||
# Limits the contexts from which certain commands are permitted
|
||||
commands {
|
||||
* all
|
|
@ -91,7 +91,7 @@ function(add_config name source destination)
|
|||
endfunction()
|
||||
|
||||
add_config(config config sway)
|
||||
add_config(security security sway)
|
||||
add_config(00-defaults security.d/00-defaults sway/security.d)
|
||||
|
||||
add_manpage(sway 1)
|
||||
add_manpage(sway 5)
|
||||
|
|
|
@ -297,6 +297,7 @@ static struct cmd_handler bar_colors_handlers[] = {
|
|||
};
|
||||
|
||||
static struct cmd_handler ipc_handlers[] = {
|
||||
{ "*", cmd_ipc_cmd },
|
||||
{ "bar-config", cmd_ipc_cmd },
|
||||
{ "command", cmd_ipc_cmd },
|
||||
{ "events", cmd_ipc_events },
|
||||
|
@ -308,6 +309,7 @@ static struct cmd_handler ipc_handlers[] = {
|
|||
};
|
||||
|
||||
static struct cmd_handler ipc_event_handlers[] = {
|
||||
{ "*", cmd_ipc_event_cmd },
|
||||
{ "binding", cmd_ipc_event_cmd },
|
||||
{ "input", cmd_ipc_event_cmd },
|
||||
{ "mode", cmd_ipc_event_cmd },
|
||||
|
|
|
@ -10,6 +10,9 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "commands", EXPECTED_EQUAL_TO, 1))) {
|
||||
return error;
|
||||
}
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (strcmp(argv[0], "{") != 0) {
|
||||
return cmd_results_new(CMD_FAILURE, "commands", "Expected block declaration");
|
||||
|
@ -19,10 +22,5 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
|
|||
return cmd_results_new(CMD_FAILURE, "commands", "Can only be used in config file.");
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
}
|
||||
|
||||
return cmd_results_new(CMD_BLOCK_COMMANDS, NULL, NULL);
|
||||
}
|
||||
|
|
|
@ -1,18 +1,26 @@
|
|||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include "sway/security.h"
|
||||
#include "sway/commands.h"
|
||||
#include "sway/config.h"
|
||||
#include "ipc.h"
|
||||
#include "log.h"
|
||||
#include "util.h"
|
||||
|
||||
static struct ipc_policy *current_policy = NULL;
|
||||
|
||||
struct cmd_results *cmd_ipc(int argc, char **argv) {
|
||||
struct cmd_results *error = NULL;
|
||||
if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 1))) {
|
||||
if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 2))) {
|
||||
return error;
|
||||
}
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (config->reading && strcmp("{", argv[0]) != 0) {
|
||||
const char *program = argv[0];
|
||||
|
||||
if (config->reading && strcmp("{", argv[1]) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "ipc",
|
||||
"Expected '{' at start of IPC config definition.");
|
||||
}
|
||||
|
@ -21,10 +29,8 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
|
|||
return cmd_results_new(CMD_FAILURE, "ipc", "Can only be used in config file.");
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
}
|
||||
current_policy = alloc_ipc_policy(program);
|
||||
list_add(config->ipc_policies, current_policy);
|
||||
|
||||
return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL);
|
||||
}
|
||||
|
@ -67,6 +73,7 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) {
|
|||
char *name;
|
||||
enum ipc_feature type;
|
||||
} types[] = {
|
||||
{ "*", IPC_FEATURE_ALL_COMMANDS },
|
||||
{ "command", IPC_FEATURE_COMMAND },
|
||||
{ "workspaces", IPC_FEATURE_GET_WORKSPACES },
|
||||
{ "outputs", IPC_FEATURE_GET_OUTPUTS },
|
||||
|
@ -86,10 +93,10 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) {
|
|||
}
|
||||
|
||||
if (enabled) {
|
||||
config->ipc_policy |= type;
|
||||
current_policy->features |= type;
|
||||
sway_log(L_DEBUG, "Enabled IPC %s feature", argv[-1]);
|
||||
} else {
|
||||
config->ipc_policy &= ~type;
|
||||
current_policy->features &= ~type;
|
||||
sway_log(L_DEBUG, "Disabled IPC %s feature", argv[-1]);
|
||||
}
|
||||
|
||||
|
@ -116,6 +123,7 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) {
|
|||
char *name;
|
||||
enum ipc_feature type;
|
||||
} types[] = {
|
||||
{ "*", IPC_FEATURE_ALL_EVENTS },
|
||||
{ "workspace", IPC_FEATURE_EVENT_WORKSPACE },
|
||||
{ "output", IPC_FEATURE_EVENT_OUTPUT },
|
||||
{ "mode", IPC_FEATURE_EVENT_MODE },
|
||||
|
@ -134,10 +142,10 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) {
|
|||
}
|
||||
|
||||
if (enabled) {
|
||||
config->ipc_policy |= type;
|
||||
current_policy->features |= type;
|
||||
sway_log(L_DEBUG, "Enabled IPC %s event", argv[-1]);
|
||||
} else {
|
||||
config->ipc_policy &= ~type;
|
||||
current_policy->features &= ~type;
|
||||
sway_log(L_DEBUG, "Disabled IPC %s event", argv[-1]);
|
||||
}
|
||||
|
||||
|
|
|
@ -19,7 +19,6 @@ static enum secure_feature get_features(int argc, char **argv,
|
|||
{ "fullscreen", FEATURE_FULLSCREEN },
|
||||
{ "keyboard", FEATURE_KEYBOARD },
|
||||
{ "mouse", FEATURE_MOUSE },
|
||||
{ "ipc", FEATURE_IPC },
|
||||
};
|
||||
|
||||
for (int i = 1; i < argc; ++i) {
|
||||
|
@ -63,19 +62,13 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
struct feature_policy *policy = get_policy(argv[0]);
|
||||
policy->features |= get_features(argc, argv, &error);
|
||||
|
||||
if (error) {
|
||||
return error;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||
policy->program, policy->features);
|
||||
|
||||
|
@ -87,19 +80,13 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
|
|||
if ((error = checkarg(argc, "reject", EXPECTED_MORE_THAN, 1))) {
|
||||
return error;
|
||||
}
|
||||
|
||||
if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security");
|
||||
if ((error = check_security_config())) {
|
||||
return error;
|
||||
}
|
||||
|
||||
struct feature_policy *policy = get_policy(argv[0]);
|
||||
policy->features &= ~get_features(argc, argv, &error);
|
||||
|
||||
if (error) {
|
||||
return error;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||
policy->program, policy->features);
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
#include <libinput.h>
|
||||
#include <limits.h>
|
||||
#include <float.h>
|
||||
#include <dirent.h>
|
||||
#include "wayland-desktop-shell-server-protocol.h"
|
||||
#include "sway/commands.h"
|
||||
#include "sway/config.h"
|
||||
|
@ -379,7 +380,7 @@ static void config_defaults(struct sway_config *config) {
|
|||
// Security
|
||||
if (!(config->command_policies = create_list())) goto cleanup;
|
||||
if (!(config->feature_policies = create_list())) goto cleanup;
|
||||
config->ipc_policy = UINT32_MAX;
|
||||
if (!(config->ipc_policies = create_list())) goto cleanup;
|
||||
|
||||
return;
|
||||
cleanup:
|
||||
|
@ -485,6 +486,10 @@ static bool load_config(const char *path, struct sway_config *config) {
|
|||
return true;
|
||||
}
|
||||
|
||||
static int qstrcmp(const void* a, const void* b) {
|
||||
return strcmp(*((char**) a), *((char**) b));
|
||||
}
|
||||
|
||||
bool load_main_config(const char *file, bool is_active) {
|
||||
input_init();
|
||||
|
||||
|
@ -512,7 +517,43 @@ bool load_main_config(const char *file, bool is_active) {
|
|||
list_add(config->config_chain, path);
|
||||
|
||||
config->reading = true;
|
||||
bool success = load_config(SYSCONFDIR "/sway/security", config);
|
||||
|
||||
// Read security configs
|
||||
bool success = true;
|
||||
DIR *dir = opendir(SYSCONFDIR "/sway/security.d");
|
||||
if (!dir) {
|
||||
sway_log(L_ERROR, "%s does not exist, sway will have no security configuration"
|
||||
" and will probably be broken", SYSCONFDIR "/sway/security.d");
|
||||
} else {
|
||||
list_t *secconfigs = create_list();
|
||||
char *base = SYSCONFDIR "/sway/security.d/";
|
||||
struct dirent *ent = readdir(dir);
|
||||
while (ent != NULL) {
|
||||
if (ent->d_type == DT_REG) {
|
||||
char *_path = malloc(strlen(ent->d_name) + strlen(base) + 1);
|
||||
strcpy(_path, base);
|
||||
strcat(_path, ent->d_name);
|
||||
list_add(secconfigs, _path);
|
||||
}
|
||||
ent = readdir(dir);
|
||||
}
|
||||
closedir(dir);
|
||||
|
||||
list_qsort(secconfigs, qstrcmp);
|
||||
for (int i = 0; i < secconfigs->length; ++i) {
|
||||
char *_path = secconfigs->items[i];
|
||||
struct stat s;
|
||||
if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & 0777) != 0644) {
|
||||
sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);
|
||||
success = false;
|
||||
} else {
|
||||
success = success && load_config(_path, config);
|
||||
}
|
||||
}
|
||||
|
||||
free_flat_list(secconfigs);
|
||||
}
|
||||
|
||||
success = success && load_config(path, config);
|
||||
|
||||
if (is_active) {
|
||||
|
@ -620,6 +661,15 @@ bool load_include_configs(const char *path, struct sway_config *config) {
|
|||
return true;
|
||||
}
|
||||
|
||||
struct cmd_results *check_security_config() {
|
||||
if (!current_config_path || strncmp(SYSCONFDIR "/sway/security.d/", current_config_path,
|
||||
strlen(SYSCONFDIR "/sway/security.d/")) != 0) {
|
||||
return cmd_results_new(CMD_INVALID, "permit",
|
||||
"This command is only permitted to run from " SYSCONFDIR "/sway/security.d/*");
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
bool read_config(FILE *file, struct sway_config *config) {
|
||||
bool success = true;
|
||||
enum cmd_status block = CMD_BLOCK_END;
|
||||
|
|
|
@ -35,6 +35,7 @@ struct ipc_client {
|
|||
struct wlc_event_source *event_source;
|
||||
int fd;
|
||||
uint32_t payload_length;
|
||||
uint32_t security_policy;
|
||||
enum ipc_command_type current_command;
|
||||
enum ipc_command_type subscribed_events;
|
||||
};
|
||||
|
@ -159,17 +160,6 @@ int ipc_handle_connection(int fd, uint32_t mask, void *data) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
pid_t pid = get_client_pid(client_fd);
|
||||
if (!(get_feature_policy(pid) & FEATURE_IPC)) {
|
||||
sway_log(L_INFO, "Permission to connect to IPC socket denied to %d", pid);
|
||||
const char *error = "{\"success\": false, \"message\": \"Permission denied\"}";
|
||||
if (write(client_fd, &error, sizeof(error)) < (int)sizeof(error)) {
|
||||
sway_log(L_DEBUG, "Failed to write entire error");
|
||||
}
|
||||
close(client_fd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ipc_client* client = malloc(sizeof(struct ipc_client));
|
||||
if (!client) {
|
||||
sway_log(L_ERROR, "Unable to allocate ipc client");
|
||||
|
@ -181,6 +171,9 @@ int ipc_handle_connection(int fd, uint32_t mask, void *data) {
|
|||
client->subscribed_events = 0;
|
||||
client->event_source = wlc_event_loop_add_fd(client_fd, WLC_EVENT_READABLE, ipc_client_handle_readable, client);
|
||||
|
||||
pid_t pid = get_client_pid(client->fd);
|
||||
client->security_policy = get_ipc_policy(pid);
|
||||
|
||||
list_add(ipc_client_list, client);
|
||||
|
||||
return 0;
|
||||
|
@ -248,8 +241,7 @@ int ipc_client_handle_readable(int client_fd, uint32_t mask, void *data) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
void ipc_client_disconnect(struct ipc_client *client)
|
||||
{
|
||||
void ipc_client_disconnect(struct ipc_client *client) {
|
||||
if (!sway_assert(client != NULL, "client != NULL")) {
|
||||
return;
|
||||
}
|
||||
|
@ -333,8 +325,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
ipc_client_disconnect(client);
|
||||
return;
|
||||
}
|
||||
if (client->payload_length > 0)
|
||||
{
|
||||
if (client->payload_length > 0) {
|
||||
ssize_t received = recv(client->fd, buf, client->payload_length, 0);
|
||||
if (received == -1)
|
||||
{
|
||||
|
@ -351,7 +342,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
switch (client->current_command) {
|
||||
case IPC_COMMAND:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_COMMAND)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_COMMAND)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
struct cmd_results *results = handle_command(buf, CONTEXT_IPC);
|
||||
|
@ -365,6 +356,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_SUBSCRIBE:
|
||||
{
|
||||
// TODO: Check if they're permitted to use these events
|
||||
struct json_object *request = json_tokener_parse(buf);
|
||||
if (request == NULL) {
|
||||
ipc_send_reply(client, "{\"success\": false}", 18);
|
||||
|
@ -403,7 +395,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_WORKSPACES:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_GET_WORKSPACES)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_WORKSPACES)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *workspaces = json_object_new_array();
|
||||
|
@ -416,7 +408,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_INPUTS:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_GET_INPUTS)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_INPUTS)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *inputs = json_object_new_array();
|
||||
|
@ -442,7 +434,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_OUTPUTS:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_GET_OUTPUTS)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_OUTPUTS)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *outputs = json_object_new_array();
|
||||
|
@ -455,7 +447,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_TREE:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_GET_TREE)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_TREE)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
json_object *tree = ipc_json_describe_container_recursive(&root_container);
|
||||
|
@ -522,7 +514,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
case IPC_GET_BAR_CONFIG:
|
||||
{
|
||||
if (!(config->ipc_policy & IPC_FEATURE_GET_BAR_CONFIG)) {
|
||||
if (!(client->security_policy & IPC_FEATURE_GET_BAR_CONFIG)) {
|
||||
goto exit_denied;
|
||||
}
|
||||
if (!buf[0]) {
|
||||
|
@ -567,6 +559,7 @@ void ipc_client_handle_command(struct ipc_client *client) {
|
|||
|
||||
exit_denied:
|
||||
ipc_send_reply(client, error_denied, (uint32_t)strlen(error_denied));
|
||||
sway_log(L_DEBUG, "Denied IPC client access to %i", client->current_command);
|
||||
|
||||
exit_cleanup:
|
||||
client->payload_length = 0;
|
||||
|
@ -594,6 +587,8 @@ bool ipc_send_reply(struct ipc_client *client, const char *payload, uint32_t pay
|
|||
return false;
|
||||
}
|
||||
|
||||
sway_log(L_DEBUG, "Send IPC reply: %s", payload);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -616,10 +611,33 @@ void ipc_get_outputs_callback(swayc_t *container, void *data) {
|
|||
}
|
||||
|
||||
void ipc_send_event(const char *json_string, enum ipc_command_type event) {
|
||||
static struct {
|
||||
enum ipc_command_type event;
|
||||
enum ipc_feature feature;
|
||||
} security_mappings[] = {
|
||||
{ IPC_EVENT_WORKSPACE, IPC_FEATURE_EVENT_WORKSPACE },
|
||||
{ IPC_EVENT_OUTPUT, IPC_FEATURE_EVENT_OUTPUT },
|
||||
{ IPC_EVENT_MODE, IPC_FEATURE_EVENT_MODE },
|
||||
{ IPC_EVENT_WINDOW, IPC_FEATURE_EVENT_WINDOW },
|
||||
{ IPC_EVENT_BINDING, IPC_FEATURE_EVENT_BINDING },
|
||||
{ IPC_EVENT_INPUT, IPC_FEATURE_EVENT_INPUT }
|
||||
};
|
||||
|
||||
uint32_t security_mask = 0;
|
||||
for (size_t i = 0; i < sizeof(security_mappings) / sizeof(security_mappings[0]); ++i) {
|
||||
if (security_mappings[i].event == event) {
|
||||
security_mask = security_mappings[i].feature;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
int i;
|
||||
struct ipc_client *client;
|
||||
for (i = 0; i < ipc_client_list->length; i++) {
|
||||
client = ipc_client_list->items[i];
|
||||
if (!(client->security_policy & security_mask)) {
|
||||
continue;
|
||||
}
|
||||
if ((client->subscribed_events & event_mask(event)) == 0) {
|
||||
continue;
|
||||
}
|
||||
|
@ -632,9 +650,6 @@ void ipc_send_event(const char *json_string, enum ipc_command_type event) {
|
|||
}
|
||||
|
||||
void ipc_event_workspace(swayc_t *old, swayc_t *new, const char *change) {
|
||||
if (!(config->ipc_policy & IPC_FEATURE_EVENT_WORKSPACE)) {
|
||||
return;
|
||||
}
|
||||
sway_log(L_DEBUG, "Sending workspace::%s event", change);
|
||||
json_object *obj = json_object_new_object();
|
||||
json_object_object_add(obj, "change", json_object_new_string(change));
|
||||
|
@ -659,9 +674,6 @@ void ipc_event_workspace(swayc_t *old, swayc_t *new, const char *change) {
|
|||
}
|
||||
|
||||
void ipc_event_window(swayc_t *window, const char *change) {
|
||||
if (!(config->ipc_policy & IPC_FEATURE_EVENT_WINDOW)) {
|
||||
return;
|
||||
}
|
||||
sway_log(L_DEBUG, "Sending window::%s event", change);
|
||||
json_object *obj = json_object_new_object();
|
||||
json_object_object_add(obj, "change", json_object_new_string(change));
|
||||
|
@ -687,9 +699,6 @@ void ipc_event_barconfig_update(struct bar_config *bar) {
|
|||
}
|
||||
|
||||
void ipc_event_mode(const char *mode) {
|
||||
if (!(config->ipc_policy & IPC_FEATURE_EVENT_MODE)) {
|
||||
return;
|
||||
}
|
||||
sway_log(L_DEBUG, "Sending mode::%s event", mode);
|
||||
json_object *obj = json_object_new_object();
|
||||
json_object_object_add(obj, "change", json_object_new_string(mode));
|
||||
|
@ -715,9 +724,6 @@ void ipc_event_modifier(uint32_t modifier, const char *state) {
|
|||
}
|
||||
|
||||
static void ipc_event_binding(json_object *sb_obj) {
|
||||
if (!(config->ipc_policy & IPC_FEATURE_EVENT_BINDING)) {
|
||||
return;
|
||||
}
|
||||
sway_log(L_DEBUG, "Sending binding::run event");
|
||||
json_object *obj = json_object_new_object();
|
||||
json_object_object_add(obj, "change", json_object_new_string("run"));
|
||||
|
|
|
@ -175,13 +175,6 @@ static void security_sanity_check() {
|
|||
cap_free(cap);
|
||||
}
|
||||
#endif
|
||||
if (!stat(SYSCONFDIR "/sway", &s)) {
|
||||
if (s.st_uid != 0 || s.st_gid != 0
|
||||
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
|
||||
sway_log(L_ERROR,
|
||||
"!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755 at the minimum");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
|
|
|
@ -27,6 +27,29 @@ struct feature_policy *alloc_feature_policy(const char *program) {
|
|||
return policy;
|
||||
}
|
||||
|
||||
struct ipc_policy *alloc_ipc_policy(const char *program) {
|
||||
uint32_t default_policy = 0;
|
||||
for (int i = 0; i < config->ipc_policies->length; ++i) {
|
||||
struct ipc_policy *policy = config->ipc_policies->items[i];
|
||||
if (strcmp(policy->program, "*") == 0) {
|
||||
default_policy = policy->features;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
struct ipc_policy *policy = malloc(sizeof(struct ipc_policy));
|
||||
if (!policy) {
|
||||
return NULL;
|
||||
}
|
||||
policy->program = strdup(program);
|
||||
if (!policy->program) {
|
||||
free(policy);
|
||||
return NULL;
|
||||
}
|
||||
policy->features = default_policy;
|
||||
return policy;
|
||||
}
|
||||
|
||||
struct command_policy *alloc_command_policy(const char *command) {
|
||||
struct command_policy *policy = malloc(sizeof(struct command_policy));
|
||||
if (!policy) {
|
||||
|
@ -41,7 +64,7 @@ struct command_policy *alloc_command_policy(const char *command) {
|
|||
return policy;
|
||||
}
|
||||
|
||||
enum secure_feature get_feature_policy(pid_t pid) {
|
||||
static const char *get_pid_exe(pid_t pid) {
|
||||
#ifdef __FreeBSD__
|
||||
const char *fmt = "/proc/%d/file";
|
||||
#else
|
||||
|
@ -52,9 +75,8 @@ enum secure_feature get_feature_policy(pid_t pid) {
|
|||
if (path) {
|
||||
snprintf(path, pathlen + 1, fmt, pid);
|
||||
}
|
||||
static char link[2048];
|
||||
|
||||
uint32_t default_policy = 0;
|
||||
static char link[2048];
|
||||
|
||||
ssize_t len = !path ? -1 : readlink(path, link, sizeof(link));
|
||||
if (len < 0) {
|
||||
|
@ -67,6 +89,13 @@ enum secure_feature get_feature_policy(pid_t pid) {
|
|||
}
|
||||
free(path);
|
||||
|
||||
return link;
|
||||
}
|
||||
|
||||
uint32_t get_feature_policy(pid_t pid) {
|
||||
uint32_t default_policy = 0;
|
||||
const char *link = get_pid_exe(pid);
|
||||
|
||||
for (int i = 0; i < config->feature_policies->length; ++i) {
|
||||
struct feature_policy *policy = config->feature_policies->items[i];
|
||||
if (strcmp(policy->program, "*") == 0) {
|
||||
|
@ -80,7 +109,24 @@ enum secure_feature get_feature_policy(pid_t pid) {
|
|||
return default_policy;
|
||||
}
|
||||
|
||||
enum command_context get_command_policy(const char *cmd) {
|
||||
uint32_t get_ipc_policy(pid_t pid) {
|
||||
uint32_t default_policy = 0;
|
||||
const char *link = get_pid_exe(pid);
|
||||
|
||||
for (int i = 0; i < config->ipc_policies->length; ++i) {
|
||||
struct ipc_policy *policy = config->ipc_policies->items[i];
|
||||
if (strcmp(policy->program, "*") == 0) {
|
||||
default_policy = policy->features;
|
||||
}
|
||||
if (strcmp(policy->program, link) == 0) {
|
||||
return policy->features;
|
||||
}
|
||||
}
|
||||
|
||||
return default_policy;
|
||||
}
|
||||
|
||||
uint32_t get_command_policy(const char *cmd) {
|
||||
uint32_t default_policy = 0;
|
||||
|
||||
for (int i = 0; i < config->command_policies->length; ++i) {
|
||||
|
|
|
@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
|
|||
environment in their distro. Sway provides a number of means of securing it but
|
||||
you must make a few changes external to sway first.
|
||||
|
||||
Security-related configuration is only valid in /etc/sway/config (or whatever path
|
||||
is appropriate for your system).
|
||||
Configuration of security features is limited to files in the security directory
|
||||
(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
|
||||
Files in this directory must be owned by root:root and chmod 644. The default
|
||||
security configuration is installed to /etc/sway/security.d/00-defaults, and
|
||||
should not be modified - it will be updated with the latest recommended security
|
||||
defaults between releases. To override the defaults, you should add more files to
|
||||
this directory.
|
||||
|
||||
Environment security
|
||||
--------------------
|
||||
|
@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
|
|||
IPC policies
|
||||
------------
|
||||
|
||||
You may whitelist IPC access like so:
|
||||
Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
|
||||
socket, because any program that can execute swaymsg could circumvent its own
|
||||
security policy by simply invoking swaymsg.
|
||||
|
||||
permit /usr/bin/swaybar ipc
|
||||
permit /usr/bin/swaygrab ipc
|
||||
# etc
|
||||
You can configure which features of IPC are available for particular clients:
|
||||
|
||||
Note that it's suggested you do not enable swaymsg to access IPC if you intend to
|
||||
secure your IPC socket, because any program could just run swaymsg itself instead
|
||||
of connecting to IPC directly.
|
||||
|
||||
You can also configure which features of IPC are available with an IPC block:
|
||||
|
||||
ipc {
|
||||
ipc <executable> {
|
||||
...
|
||||
}
|
||||
|
||||
You may use * for <executable> to configure the default policy for all clients.
|
||||
Configuring IPC policies for specific executables is not supported on FreeBSD, and
|
||||
the default policy will be applied to all IPC connections.
|
||||
|
||||
The following commands are available within this block:
|
||||
|
||||
**bar-config** <enabled|disabled>::
|
||||
|
@ -201,7 +204,7 @@ The following commands are available within this block:
|
|||
|
||||
You can also control which IPC events can be raised with an events block:
|
||||
|
||||
ipc {
|
||||
ipc <executable> {
|
||||
events {
|
||||
...
|
||||
}
|
||||
|
@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
|
|||
**workspace** <enabled|disabled>::
|
||||
Controls workspace notifications.
|
||||
|
||||
Disabling some of these may cause swaybar to behave incorrectly.
|
||||
In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
|
||||
control access to every feature at once.
|
||||
|
||||
Authors
|
||||
-------
|
||||
|
|
Loading…
Reference in a new issue