From 7dbecdde95d1f309d8fdd02fe480dc3fbef7c7c1 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Sun, 19 Feb 2017 02:36:36 -0500
Subject: [PATCH] Revise IPC security configuration
---
 security.in => security.d/00-defaults.in | 37 ++++++++++++------------
 sway/CMakeLists.txt | 2 +-
 sway/sway-security.7.txt | 34 ++++++++++++----------
 3 files changed, 39 insertions(+), 34 deletions(-)
 rename security.in => security.d/00-defaults.in (69%)
diff --git a/security.in b/security.d/00-defaults.in
similarity index 69%
rename from security.in
rename to security.d/00-defaults.in
index 16897ade..99859edd 100644
--- a/security.in
+++ b/security.d/00-defaults.in
@@ -8,33 +8,34 @@
 # This file should live at __SYSCONFDIR__/sway/security and will be
 # automatically read by sway.
-# Configures which programs are allowed to use which sway features
-permit * fullscreen keyboard mouse ipc
+# Configures enabled compositor features for specific programs
+permit * fullscreen keyboard mouse
 permit __PREFIX__/bin/swaylock lock
-permit __PREFIX__/bin/swaybar panel
 permit __PREFIX__/bin/swaybg background
 permit __PREFIX__/bin/swaygrab screenshot
+permit __PREFIX__/bin/swaybar panel
-# Configures which IPC features are enabled
-ipc {
- command enabled
- outputs enabled
- workspaces enabled
- tree enabled
- marks enabled
- bar-config enabled
- inputs enabled
+# Configures enabled IPC features for specific programs
+ipc __PREFIX__/bin/swaymsg {
+ * enabled
 events {
- workspace enabled
- output enabled
- mode enabled
- window enabled
- input enabled
- binding disabled
+ * disabled
 }
 }
+ipc __PREFIX__/bin/swaybar {
+ bar-config enabled
+ outputs enabled
+ workspaces enabled
+ command enabled
+}
+
+ipc __PREFIX__/bin/swaygrab {
+ outputs enabled
+ tree enabled
+}
+
 # Limits the contexts from which certain commands are permitted
 commands {
 * all
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index d5453003..981f8a07 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
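Review bot: The new per-program blocks never state the IPC policy for a client that is not listed by path — there is no `ipc * { ... }` block in the defaults — so what a third-party bar or script receives is whatever the implicit default is, which is not visible in this hunk, and per the man page hunk in this same commit, on FreeBSD that unstated default is the only policy applied to every connection, swaymsg included. Since 00-defaults is meant to ship as the distro baseline, the intended posture should be pinned explicitly, e.g. `ipc * { * disabled }` if that is the intent, or at least a comment recording what unlisted clients get. The `ipc __PREFIX__/bin/swaymsg { * enabled ... }` entry also deserves a comment saying it is the permissive default the man page advises against when securing the socket and that hardened installs are expected to override it in a later security.d file. Separately, the untouched context line `# This file should live at __SYSCONFDIR__/sway/security and will be` is stale after the rename to security.d/00-defaults and should name the new path and note that the file is replaced between releases. The `commands { ... }` block at the end continues past the hunk.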
@@ -91,7 +91,7 @@ function(add_config name source destination)
 endfunction()
 add_config(config config sway)
-add_config(security security sway)
+add_config(00-defaults security.d/00-defaults sway/security.d)
 add_manpage(sway 1)
 add_manpage(sway 5)
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index 7d8aa4ad..98e3f5ac 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
 environment in their distro. Sway provides a number of means of securing it but you must make a few changes external to sway first.
-Security-related configuration is only valid in /etc/sway/config (or whatever path
-is appropriate for your system).
+Configuration of security features is limited to files in the security directory
+(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
+Files in this directory must be owned by root:root and chmod 600. The default
+security configuration is installed to /etc/sway/security.d/00-defaults, and
+should not be modified - it will be updated with the latest recommended security
+defaults between releases. To override the defaults, you should add more files to
+this directory.
 Environment security
 --------------------
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
 IPC policies
 ------------
-You may whitelist IPC access like so:
+Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
+socket, because any program that can execute swaymsg could circumvent its own
+security policy by simply invoking swaymsg.
- permit /usr/bin/swaybar ipc
- permit /usr/bin/swaygrab ipc
- # etc
+You can configure which features of IPC are available for particular clients:
-Note that it's suggested you do not enable swaymsg to access IPC if you intend to
-secure your IPC socket, because any program could just run swaymsg itself instead
-of connecting to IPC directly.
-
-You can also configure which features of IPC are available with an IPC block:
-
- ipc {
+ ipc {
 ...
 }
+You may use * for to configure the default policy for all clients.
+Configuring IPC policies for specific executables is not supported on FreeBSD, and
+the default policy will be applied to all IPC connections.
+
 The following commands are available within this block:
 **bar-config** ::
@@ -201,7 +204,7 @@ The following commands are available within this block:
 You can also control which IPC events can be raised with an events block:
- ipc {
+ ipc {
 events {
 ...
 }
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
 **workspace** ::
 Controls workspace notifications.
-Disabling some of these may cause swaybar to behave incorrectly.
+In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
+control access to every feature at once.
 Authors
 -------