Revise IPC security configuration

This commit is contained in:
Drew DeVault 2017-02-19 02:36:36 -05:00
parent 76614efb16
commit 7dbecdde95
3 changed files with 39 additions and 34 deletions

@ -8,33 +8,34 @@
# This file should live at __SYSCONFDIR__/sway/security and will be
# automatically read by sway.
# Configures which programs are allowed to use which sway features
permit * fullscreen keyboard mouse ipc
# Configures enabled compositor features for specific programs
permit * fullscreen keyboard mouse
permit __PREFIX__/bin/swaylock lock
permit __PREFIX__/bin/swaybar panel
permit __PREFIX__/bin/swaybg background
permit __PREFIX__/bin/swaygrab screenshot
permit __PREFIX__/bin/swaybar panel
# Configures which IPC features are enabled
ipc {
command enabled
outputs enabled
workspaces enabled
tree enabled
marks enabled
bar-config enabled
inputs enabled
# Configures enabled IPC features for specific programs
ipc __PREFIX__/bin/swaymsg {
* enabled
events {
workspace enabled
output enabled
mode enabled
window enabled
input enabled
binding disabled
* disabled
}
}
ipc __PREFIX__/bin/swaybar {
bar-config enabled
outputs enabled
workspaces enabled
command enabled
}
ipc __PREFIX__/bin/swaygrab {
outputs enabled
tree enabled
}
# Limits the contexts from which certain commands are permitted
commands {
* all
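Review bot: the per-executable layout drops the old unscoped `ipc { ... }` block but adds no `ipc * { ... }` block in its place, so this file never states the policy applied to any client other than swaymsg, swaybar and swaygrab; add an explicit default (for example `ipc * { * disabled }` if that is the intent) so the shipped defaults are self-describing instead of depending on an implicit value. In the swaymsg `events` block the trailing `* disabled` comes after the explicit `workspace enabled` ... `binding disabled` entries, which only does the right thing if a later line does not override an earlier one, and that precedence is not documented anywhere in this commit; putting `* disabled` first would remove the ambiguity. Also worth a comment in the file: swaymsg is granted `* enabled` here while the man page change in the same commit encourages disabling swaymsg's IPC access, so the default should say this is a deliberate usability trade-off rather than an oversight.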

@ -91,7 +91,7 @@ function(add_config name source destination)
endfunction()
add_config(config config sway)
add_config(security security sway)
add_config(00-defaults security.d/00-defaults sway/security.d)
add_manpage(sway 1)
add_manpage(sway 5)
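Review bot: the man page in this commit requires every file under security.d to be root:root and chmod 600, but nothing visible in this CMake change sets the installed mode of `security.d/00-defaults`; either give this target an explicit install PERMISSIONS (OWNER_READ OWNER_WRITE) or state in the man page that meeting the 600 requirement is the packager's job, otherwise a default install can ship a file that violates the document's own rule. Removing `add_config(security security sway)` also leaves a stale `/etc/sway/security` behind on upgraded systems; a short note for upgraders about deleting it would help.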

@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
environment in their distro. Sway provides a number of means of securing it but
you must make a few changes external to sway first.
Security-related configuration is only valid in /etc/sway/config (or whatever path
is appropriate for your system).
Configuration of security features is limited to files in the security directory
(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
Files in this directory must be owned by root:root and chmod 600. The default
security configuration is installed to /etc/sway/security.d/00-defaults, and
should not be modified - it will be updated with the latest recommended security
defaults between releases. To override the defaults, you should add more files to
this directory.
Environment security
--------------------
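Review bot: "To override the defaults, you should add more files to this directory" never states the read order or precedence between files; given the `00-` prefix the intent is presumably lexical order with later files overriding earlier settings, and that should be spelled out (for example "files are read in lexical order; a later setting overrides an earlier one"). The root:root / chmod 600 requirement should also say what sway does with a file that fails the check (ignore it, warn, or refuse to start), since that decides whether a mis-permissioned override silently falls back to the defaults.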
@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
IPC policies
------------
You may whitelist IPC access like so:
Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
socket, because any program that can execute swaymsg could circumvent its own
security policy by simply invoking swaymsg.
permit /usr/bin/swaybar ipc
permit /usr/bin/swaygrab ipc
# etc
You can configure which features of IPC are available for particular clients:
Note that it's suggested you do not enable swaymsg to access IPC if you intend to
secure your IPC socket, because any program could just run swaymsg itself instead
of connecting to IPC directly.
You can also configure which features of IPC are available with an IPC block:
ipc {
ipc <executable> {
...
}
You may use * for <executable> to configure the default policy for all clients.
Configuring IPC policies for specific executables is not supported on FreeBSD, and
the default policy will be applied to all IPC connections.
The following commands are available within this block:
**bar-config** <enabled|disabled>::
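Review bot: the FreeBSD caveat ("the default policy will be applied to all IPC connections") means the advice to disable swaymsg's IPC access cannot be applied per-executable there; the section should say that on FreeBSD the `ipc * { ... }` block is the only policy and therefore has to be the restrictive one, and that any client that legitimately needs IPC (swaybar, swaygrab) will then receive the same broad grants. Separately, "You may use * for <executable> to configure the default policy for all clients" does not say whether a specific `ipc <executable>` block replaces the `*` policy or is layered on top of it; state which, since that determines whether a narrow swaygrab block implicitly denies everything it does not list.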
@ -201,7 +204,7 @@ The following commands are available within this block:
You can also control which IPC events can be raised with an events block:
ipc {
ipc <executable> {
events {
...
}
@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
**workspace** <enabled|disabled>::
Controls workspace notifications.
Disabling some of these may cause swaybar to behave incorrectly.
In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
control access to every feature at once.
Authors
-------
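Review bot: "you may use * ... to control access to every feature at once" leaves unstated what a feature or event gets when it is not mentioned at all, and the default configuration in this commit depends on that answer (the swaybar block grants bar-config, outputs, workspaces and command but has no events block, yet this paragraph warns that disabling events may make swaybar misbehave); add one sentence giving the default for unmentioned entries. Drive-by in the unchanged context line: "vaild" should be "valid".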