authorDrew DeVault <sir@cmpwn.com>2016-12-01 21:51:07 -0500
committerDrew DeVault <sir@cmpwn.com>2016-12-01 21:51:07 -0500
commit21e1b2bef3d3cda3d10d4dc2aafe5fcac583c2a5 (patch)
tree40a28228200d8199680c9d52ebe7a90ad0ab7997
parent76cab04b4d7828f3c4f607c49e1e6ad78aa6e3da (diff)
Add security checks for background, panel, lock
-rw-r--r--sway/extensions.c25
-rw-r--r--sway/security.c4
2 files changed, 27 insertions, 2 deletions
diff --git a/sway/extensions.c b/sway/extensions.c
index 60cd8d41..96c7e60d 100644
--- a/sway/extensions.c
+++ b/sway/extensions.c
@@ -7,6 +7,7 @@
#include "sway/layout.h"
#include "sway/input_state.h"
#include "sway/extensions.h"
+#include "sway/security.h"
#include "sway/ipc-server.h"
#include "log.h"
@@ -68,6 +69,12 @@ void lock_surface_destructor(struct wl_resource *resource) {
static void set_background(struct wl_client *client, struct wl_resource *resource,
struct wl_resource *_output, struct wl_resource *surface) {
+ pid_t pid;
+ wl_client_get_credentials(client, &pid, NULL, NULL);
+ if (!(get_feature_policy(pid) & FEATURE_BACKGROUND)) {
+ sway_log(L_INFO, "Denying background feature to %d", pid);
+ return;
+ }
wlc_handle output = wlc_handle_from_wl_output_resource(_output);
if (!output) {
return;
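Review bot: The new gate in set_background keys the policy on the pid from wl_client_get_credentials, which is the peer credential recorded for the socket connection, so it names the process that connected rather than the one issuing this request. Assuming get_feature_policy resolves the program from that pid at call time (security.c compares against `link`), a recycled pid or a client that execs after connecting could be judged as a different program, and that limitation deserves a comment at the check. The same six lines are repeated in set_panel, set_lock_surface and set_panel_position, so I would move them into one helper, which also lets `pid` be initialised and cast for the `%d` format. set_background's body continues outside the hunk.

```c
// Returns true when the policy for the connecting client grants `feature`;
// logs the denial otherwise. The pid is the peer credential recorded for the
// connection, so it identifies the process that connected, which is not
// necessarily the process sending the current request.
static bool client_has_feature(struct wl_client *client,
		enum secure_feature feature, const char *name) {
	pid_t pid = 0;
	wl_client_get_credentials(client, &pid, NULL, NULL);
	if (get_feature_policy(pid) & feature) {
		return true;
	}
	sway_log(L_INFO, "Denying %s feature to %d", name, (int)pid);
	return false;
}

static void set_background(struct wl_client *client, struct wl_resource *resource,
		struct wl_resource *_output, struct wl_resource *surface) {
	if (!client_has_feature(client, FEATURE_BACKGROUND, "background")) {
		return;
	}
	// … unchanged: output lookup and background setup …
```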
@@ -86,6 +93,12 @@ static void set_background(struct wl_client *client, struct wl_resource *resourc
static void set_panel(struct wl_client *client, struct wl_resource *resource,
struct wl_resource *_output, struct wl_resource *surface) {
+ pid_t pid;
+ wl_client_get_credentials(client, &pid, NULL, NULL);
+ if (!(get_feature_policy(pid) & FEATURE_PANEL)) {
+ sway_log(L_INFO, "Denying panel feature to %d", pid);
+ return;
+ }
wlc_handle output = wlc_handle_from_wl_output_resource(_output);
if (!output) {
return;
@@ -111,6 +124,12 @@ static void desktop_unlock(struct wl_client *client, struct wl_resource *resourc
static void set_lock_surface(struct wl_client *client, struct wl_resource *resource,
struct wl_resource *_output, struct wl_resource *surface) {
+ pid_t pid;
+ wl_client_get_credentials(client, &pid, NULL, NULL);
+ if (!(get_feature_policy(pid) & FEATURE_LOCK)) {
+ sway_log(L_INFO, "Denying lock feature to %d", pid);
+ return;
+ }
swayc_t *output = swayc_by_handle(wlc_handle_from_wl_output_resource(_output));
swayc_t *view = swayc_by_handle(wlc_handle_from_wl_surface_resource(surface));
sway_log(L_DEBUG, "Setting lock surface to %p", view);
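Review bot: A denied set_lock_surface returns silently with only an L_INFO line, so a locker missing from the policy gets no indication that the compositor never installed its lock surface, and the session may stay unlocked while the user assumes otherwise. I would log this denial at error level, `sway_log(L_ERROR, "Denying lock feature to %d", pid);`, and consider posting a protocol error on `resource` so the client can fail visibly instead of carrying on. desktop_unlock appears only in the hunk header and is not touched by this commit; it is worth confirming that it needs no FEATURE_LOCK gate. set_lock_surface's body continues outside the hunk.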
@@ -155,6 +174,12 @@ static void desktop_ready(struct wl_client *client, struct wl_resource *resource
}
static void set_panel_position(struct wl_client *client, struct wl_resource *resource, uint32_t position) {
+ pid_t pid;
+ wl_client_get_credentials(client, &pid, NULL, NULL);
+ if (!(get_feature_policy(pid) & FEATURE_PANEL)) {
+ sway_log(L_INFO, "Denying panel feature to %d", pid);
+ return;
+ }
struct panel_config *config = find_or_create_panel_config(resource);
sway_log(L_DEBUG, "Panel position for wl_resource %p changed %d => %d", resource, config->panel_position, position);
config->panel_position = position;
diff --git a/sway/security.c b/sway/security.c
index 776bd527..a4cecf16 100644
--- a/sway/security.c
+++ b/sway/security.c
@@ -34,7 +34,7 @@ enum secure_feature get_feature_policy(pid_t pid) {
for (int i = 0; i < config->feature_policies->length; ++i) {
struct feature_policy *policy = config->feature_policies->items[i];
- if (strcmp(policy->program, "*")) {
+ if (strcmp(policy->program, "*") == 0) {
default_policy = policy->features;
}
if (strcmp(policy->program, link) == 0) {
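Review bot: With the wildcard comparison corrected, what a client receives when the config has no `*` entry depends on the initial value of default_policy, which is declared outside this hunk; it should be the most restrictive mask so that a missing default fails closed. A short comment above the loop would also help if this is the intended precedence, e.g. `// "*" sets the fallback; an exact program match overrides it`. The same applies to the loop in get_command_policy in the next hunk. Both function bodies start and end outside their hunks.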
@@ -50,7 +50,7 @@ enum command_context get_command_policy(const char *cmd) {
for (int i = 0; i < config->command_policies->length; ++i) {
struct command_policy *policy = config->command_policies->items[i];
- if (strcmp(policy->command, "*")) {
+ if (strcmp(policy->command, "*") == 0) {
default_policy = policy->context;
}
if (strcmp(policy->command, cmd) == 0) {