Write example security config, start on code

2024-11-16 19:49:56 +01:00 · 2016-12-01 19:27:35 -05:00 · 2016-12-01 19:27:35 -05:00 · 5831f7ab68
commit 5831f7ab68
parent cd5694fdb5
2 changed files with 75 additions and 0 deletions
--- a/config.d/security
+++ b/config.d/security
@ -0,0 +1,52 @@
+# sway security rules
+#
+# Read sway-security(7) for details on how to secure your sway install.
+#
+# You MUST read this man page if you intend to attempt to secure your sway
+# installation.
+
+# Configures which programs are allowed to use which sway features
+permit $PREFIX/swaylock lock
+permit $PREFIX/swaybar panel
+permit $PREFIX/swaybg background
+permit $PREFIX/swaygrab screenshot
+
+permit * fullscreen keyboard mouse
+
+# Configures which IPC features are enabled
+ipc {
+    command enabled
+    outputs enabled
+    workspaces enabled
+    tree enabled
+    marks enabled
+    bar-config enabled
+    inputs enabled
+
+    events {
+        workspace enabled
+        output enabled
+        mode enabled
+        window enabled
+        bar-config enabled
+        binding enabled
+        modifier enabled
+        input enabled
+    }
+}
+
+# Limits the contexts from which certain commands are permitted
+commands {
+    fullscreen bindsym criteria
+    bindsym config
+    exit bindsym
+    kill bindsym
+
+    # You should not change these unless you know what you're doing - it could
+    # cripple your security
+    reload bindsym
+    restart bindsym
+    permit config
+    reject config
+    ipc config
+}
--- a/sway/main.c
+++ b/sway/main.c
@ -4,6 +4,7 @@
 #include <wlc/wlc.h>
 #include <sys/wait.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/un.h>
 #include <signal.h>
 #include <unistd.h>
@ -142,6 +143,27 @@ static void log_kernel() {
 	fclose(f);
 }

+static void security_sanity_check() {
+	// TODO: Notify users visually if this has issues
+	struct stat s = {0};
+	if (stat("/proc", &s)) {
+		sway_log(L_ERROR,
+			"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
+	}
+	if (!stat(SYSCONFDIR "/sway", &s)) {
+		if (s.st_uid != 0 || s.st_gid != 0 || s.st_mode != 00755) {
+			sway_log(L_ERROR,
+				"!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755");
+		}
+	}
+	// TODO: check that these command policies are set
+    // reload bindsym
+    // restart bindsym
+    // permit config
+    // reject config
+    // ipc config
+}
+
 int main(int argc, char **argv) {
 	static int verbose = 0, debug = 0, validate = 0;

@ -256,6 +278,7 @@ int main(int argc, char **argv) {
 	}
 	wlc_log_set_handler(wlc_log_handler);
 	detect_proprietary();
+	security_sanity_check();

 	input_devices = create_list();