commit 7dbecdde95d1f309d8fdd02fe480dc3fbef7c7c1
parent 76614efb16527420017291cd47de176b11440d38
Author: Drew DeVault <sir@cmpwn.com>
Date: Sun, 19 Feb 2017 02:36:36 -0500
Revise IPC security configuration
Diffstat:
4 files changed, 67 insertions(+), 62 deletions(-)
diff --git a/security.d/00-defaults.in b/security.d/00-defaults.in
@@ -0,0 +1,47 @@
+# sway security rules
+#
+# Read sway-security(7) for details on how to secure your sway install.
+#
+# You MUST read this man page if you intend to attempt to secure your sway
+# installation.
+#
+# This file should live at __SYSCONFDIR__/sway/security and will be
+# automatically read by sway.
+
+# Configures enabled compositor features for specific programs
+permit * fullscreen keyboard mouse
+permit __PREFIX__/bin/swaylock lock
+permit __PREFIX__/bin/swaybg background
+permit __PREFIX__/bin/swaygrab screenshot
+permit __PREFIX__/bin/swaybar panel
+
+# Configures enabled IPC features for specific programs
+ipc __PREFIX__/bin/swaymsg {
+ * enabled
+
+ events {
+ * disabled
+ }
+}
+
+ipc __PREFIX__/bin/swaybar {
+ bar-config enabled
+ outputs enabled
+ workspaces enabled
+ command enabled
+}
+
+ipc __PREFIX__/bin/swaygrab {
+ outputs enabled
+ tree enabled
+}
+
+# Limits the contexts from which certain commands are permitted
+commands {
+ * all
+
+ fullscreen binding criteria
+ bindsym config
+ exit binding
+ kill binding
+}
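Review bot: The header comment `# This file should live at __SYSCONFDIR__/sway/security` still names the old single-file location, while this same commit installs the file as `sway/security.d/00-defaults` and the revised man page tells users to leave it untouched and put overrides in additional security.d files; it should read `# This file is installed at __SYSCONFDIR__/sway/security.d/00-defaults and is read automatically` / `# by sway. Do not edit it - place overrides in additional files in that directory.` Separately, the `ipc __PREFIX__/bin/swaymsg { * enabled ... }` block grants swaymsg every IPC feature by default, which is precisely what the revised man page discourages for anyone securing the socket, since any program able to exec swaymsg inherits that policy. A comment above that block, such as `# Hardened installs should override this with "* disabled" in a later security.d file (see sway-security(7))`, would make the trade-off explicit in the file users actually read. The file also defines no `ipc * { ... }` block, so the policy for clients not listed here (and, per the man page, for every connection on FreeBSD, where per-executable policies are not supported) is whatever sway applies when no block matches, which is not visible in this diff; stating the intended default explicitly, e.g. `ipc * { * disabled }` with a note that FreeBSD users must relax it for swaybar, would remove that ambiguity.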
diff --git a/security.in b/security.in
@@ -1,46 +0,0 @@
-# sway security rules
-#
-# Read sway-security(7) for details on how to secure your sway install.
-#
-# You MUST read this man page if you intend to attempt to secure your sway
-# installation.
-#
-# This file should live at __SYSCONFDIR__/sway/security and will be
-# automatically read by sway.
-
-# Configures which programs are allowed to use which sway features
-permit * fullscreen keyboard mouse ipc
-permit __PREFIX__/bin/swaylock lock
-permit __PREFIX__/bin/swaybar panel
-permit __PREFIX__/bin/swaybg background
-permit __PREFIX__/bin/swaygrab screenshot
-
-# Configures which IPC features are enabled
-ipc {
- command enabled
- outputs enabled
- workspaces enabled
- tree enabled
- marks enabled
- bar-config enabled
- inputs enabled
-
- events {
- workspace enabled
- output enabled
- mode enabled
- window enabled
- input enabled
- binding disabled
- }
-}
-
-# Limits the contexts from which certain commands are permitted
-commands {
- * all
-
- fullscreen binding criteria
- bindsym config
- exit binding
- kill binding
-}
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
@@ -91,7 +91,7 @@ function(add_config name source destination)
endfunction()
add_config(config config sway)
-add_config(security security sway)
+add_config(00-defaults security.d/00-defaults sway/security.d)
add_manpage(sway 1)
add_manpage(sway 5)
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
environment in their distro. Sway provides a number of means of securing it but
you must make a few changes external to sway first.
-Security-related configuration is only valid in /etc/sway/config (or whatever path
-is appropriate for your system).
+Configuration of security features is limited to files in the security directory
+(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
+Files in this directory must be owned by root:root and chmod 600. The default
+security configuration is installed to /etc/sway/security.d/00-defaults, and
+should not be modified - it will be updated with the latest recommended security
+defaults between releases. To override the defaults, you should add more files to
+this directory.
Environment security
--------------------
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
IPC policies
------------
-You may whitelist IPC access like so:
+Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
+socket, because any program that can execute swaymsg could circumvent its own
+security policy by simply invoking swaymsg.
- permit /usr/bin/swaybar ipc
- permit /usr/bin/swaygrab ipc
- # etc
+You can configure which features of IPC are available for particular clients:
-Note that it's suggested you do not enable swaymsg to access IPC if you intend to
-secure your IPC socket, because any program could just run swaymsg itself instead
-of connecting to IPC directly.
-
-You can also configure which features of IPC are available with an IPC block:
-
- ipc {
+ ipc <executable> {
...
}
+You may use * for <executable> to configure the default policy for all clients.
+Configuring IPC policies for specific executables is not supported on FreeBSD, and
+the default policy will be applied to all IPC connections.
+
The following commands are available within this block:
**bar-config** <enabled|disabled>::
@@ -201,7 +204,7 @@ The following commands are available within this block:
You can also control which IPC events can be raised with an events block:
- ipc {
+ ipc <executable> {
events {
...
}
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
**workspace** <enabled|disabled>::
Controls workspace notifications.
-Disabling some of these may cause swaybar to behave incorrectly.
+In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
+control access to every feature at once.
Authors
-------