diff --git a/config.d/security b/config.d/security new file mode 100644 index 00000000..bff55f0f --- /dev/null +++ b/config.d/security @@ -0,0 +1,52 @@ +# sway security rules +# +# Read sway-security(7) for details on how to secure your sway install. +# +# You MUST read this man page if you intend to attempt to secure your sway +# installation. + +# Configures which programs are allowed to use which sway features +permit $PREFIX/swaylock lock +permit $PREFIX/swaybar panel +permit $PREFIX/swaybg background +permit $PREFIX/swaygrab screenshot + +permit * fullscreen keyboard mouse + +# Configures which IPC features are enabled +ipc { + command enabled + outputs enabled + workspaces enabled + tree enabled + marks enabled + bar-config enabled + inputs enabled + + events { + workspace enabled + output enabled + mode enabled + window enabled + bar-config enabled + binding enabled + modifier enabled + input enabled + } +} + +# Limits the contexts from which certain commands are permitted +commands { + fullscreen bindsym criteria + bindsym config + exit bindsym + kill bindsym + + # You should not change these unless you know what you're doing - it could + # cripple your security + reload bindsym + restart bindsym + permit config + reject config + ipc config +} diff --git a/sway/main.c b/sway/main.c index a040cec9..4704f900 100644 --- a/sway/main.c +++ b/sway/main.c @@ -4,6 +4,7 @@ #include #include #include +#include #include #include #include @@ -142,6 +143,27 @@ static void log_kernel() { fclose(f); } +static void security_sanity_check() { + // TODO: Notify users visually if this has issues + struct stat s = {0}; + if (stat("/proc", &s)) { + sway_log(L_ERROR, + "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); + } + if (!stat(SYSCONFDIR "/sway", &s)) { + if (s.st_uid != 0 || s.st_gid != 0 || s.st_mode != 00755) { + sway_log(L_ERROR, + "!! DANGER !! " SYSCONFDIR "/sway is not secure! It should be owned by root and set to 0755"); + } + } + // TODO: check that these command policies are set + // reload bindsym + // restart bindsym + // permit config + // reject config + // ipc config +} + int main(int argc, char **argv) { static int verbose = 0, debug = 0, validate = 0; @@ -256,6 +278,7 @@ int main(int argc, char **argv) { } wlc_log_set_handler(wlc_log_handler); detect_proprietary(); + security_sanity_check(); input_devices = create_list();