Enforce IPC security policy

author: Drew DeVault <sir@cmpwn.com> 2016-12-02 17:55:03 -0500
committer: Drew DeVault <sir@cmpwn.com> 2016-12-02 17:55:03 -0500
commit: 62dad7148f7b7b314f0297e191861ae3f03e9e1f (patch)
tree: 45bc560d7a197200ff3658cbbb5763e860bf1372
parent: c8dc4925d1e0f5d5086a4c15415ee9fb0b7e6155 (diff)
3 files changed, 65 insertions, 13 deletions
diff --git a/include/sway/config.h b/include/sway/config.h
index 1154b871..192e697c 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -209,6 +209,23 @@ struct feature_policy {
 	uint32_t features;
 };
 
+enum ipc_feature {
+	IPC_FEATURE_COMMAND = 1,
+	IPC_FEATURE_GET_WORKSPACES = 2,
+	IPC_FEATURE_GET_OUTPUTS = 4,
+	IPC_FEATURE_GET_TREE = 8,
+	IPC_FEATURE_GET_MARKS = 16,
+	IPC_FEATURE_GET_BAR_CONFIG = 32,
+	IPC_FEATURE_GET_VERSION = 64,
+	IPC_FEATURE_GET_INPUTS = 128,
+	IPC_FEATURE_EVENT_WORKSPACE = 256,
+	IPC_FEATURE_EVENT_OUTPUT = 512,
+	IPC_FEATURE_EVENT_MODE = 1024,
+	IPC_FEATURE_EVENT_WINDOW = 2048,
+	IPC_FEATURE_EVENT_BINDING = 4096,
+	IPC_FEATURE_EVENT_INPUT = 8192
+};
+
 /**
  * The configuration struct. The result of loading a config file.
  */
diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c
index e6ae27a4..f96e9980 100644
--- a/sway/commands/ipc.c
+++ b/sway/commands/ipc.c
@@ -62,13 +62,13 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) {
 		char *name;
 		enum ipc_command_type type;
 	} types[] = {
-		{ "command", IPC_COMMAND },
-		{ "workspaces", IPC_GET_WORKSPACES },
-		{ "outputs", IPC_GET_OUTPUTS },
-		{ "tree", IPC_GET_TREE },
-		{ "marks", IPC_GET_MARKS },
-		{ "bar-config", IPC_GET_BAR_CONFIG },
-		{ "inputs", IPC_GET_INPUTS },
+		{ "command", IPC_FEATURE_COMMAND },
+		{ "workspaces", IPC_FEATURE_GET_WORKSPACES },
+		{ "outputs", IPC_FEATURE_GET_OUTPUTS },
+		{ "tree", IPC_FEATURE_GET_TREE },
+		{ "marks", IPC_FEATURE_GET_MARKS },
+		{ "bar-config", IPC_FEATURE_GET_BAR_CONFIG },
+		{ "inputs", IPC_FEATURE_GET_INPUTS },
 	};
 
 	uint32_t type = 0;
@@ -111,12 +111,12 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) {
 		char *name;
 		enum ipc_command_type type;
 	} types[] = {
-		{ "workspace", event_mask(IPC_EVENT_WORKSPACE) },
-		{ "output", event_mask(IPC_EVENT_OUTPUT) },
-		{ "mode", event_mask(IPC_EVENT_MODE) },
-		{ "window", event_mask(IPC_EVENT_WINDOW) },
-		{ "binding", event_mask(IPC_EVENT_BINDING) },
-		{ "input", event_mask(IPC_EVENT_INPUT) },
+		{ "workspace", IPC_FEATURE_EVENT_WORKSPACE },
+		{ "output", IPC_FEATURE_EVENT_OUTPUT },
+		{ "mode", IPC_FEATURE_EVENT_MODE },
+		{ "window", IPC_FEATURE_EVENT_WINDOW },
+		{ "binding", IPC_FEATURE_EVENT_BINDING },
+		{ "input", IPC_FEATURE_EVENT_INPUT },
 	};
 
 	uint32_t type = 0;
diff --git a/sway/ipc-server.c b/sway/ipc-server.c
index ef741e3b..15791c5e 100644
--- a/sway/ipc-server.c
+++ b/sway/ipc-server.c
@@ -307,9 +307,14 @@ void ipc_client_handle_command(struct ipc_client *client) {
 	}
 	buf[client->payload_length] = '\0';
 
+	const char *error_denied = "{ \"success\": false, \"error\": \"Permission denied\" }";
+
 	switch (client->current_command) {
 	case IPC_COMMAND:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_COMMAND)) {
+			goto exit_denied;
+		}
 		struct cmd_results *results = handle_command(buf, CONTEXT_IPC);
 		const char *json = cmd_results_to_json(results);
 		char reply[256];
@@ -359,6 +364,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 
 	case IPC_GET_WORKSPACES:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_GET_WORKSPACES)) {
+			goto exit_denied;
+		}
 		json_object *workspaces = json_object_new_array();
 		container_map(&root_container, ipc_get_workspaces_callback, workspaces);
 		const char *json_string = json_object_to_json_string(workspaces);
@@ -369,6 +377,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 
 	case IPC_GET_INPUTS:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_GET_INPUTS)) {
+			goto exit_denied;
+		}
 		json_object *inputs = json_object_new_array();
 		if (input_devices) {
 			for(int i=0; i<input_devices->length; i++) {
@@ -388,6 +399,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 
 	case IPC_GET_OUTPUTS:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_GET_OUTPUTS)) {
+			goto exit_denied;
+		}
 		json_object *outputs = json_object_new_array();
 		container_map(&root_container, ipc_get_outputs_callback, outputs);
 		const char *json_string = json_object_to_json_string(outputs);
@@ -398,6 +412,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 
 	case IPC_GET_TREE:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_GET_TREE)) {
+			goto exit_denied;
+		}
 		json_object *tree = ipc_json_describe_container_recursive(&root_container);
 		const char *json_string = json_object_to_json_string(tree);
 		ipc_send_reply(client, json_string, (uint32_t) strlen(json_string));
@@ -458,6 +475,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 
 	case IPC_GET_BAR_CONFIG:
 	{
+		if (!(config->ipc_policy & IPC_FEATURE_GET_BAR_CONFIG)) {
+			goto exit_denied;
+		}
 		if (!buf[0]) {
 			// Send list of configured bar IDs
 			json_object *bars = json_object_new_array();
@@ -498,6 +518,9 @@ void ipc_client_handle_command(struct ipc_client *client) {
 		goto exit_cleanup;
 	}
 
+exit_denied:
+	ipc_send_reply(client, error_denied, (uint32_t)strlen(error_denied));
+
 exit_cleanup:
 	client->payload_length = 0;
 	free(buf);
@@ -562,6 +585,9 @@ void ipc_send_event(const char *json_string, enum ipc_command_type event) {
 }
 
 void ipc_event_workspace(swayc_t *old, swayc_t *new, const char *change) {
+	if (!(config->ipc_policy & IPC_FEATURE_EVENT_WORKSPACE)) {
+		return;
+	}
 	sway_log(L_DEBUG, "Sending workspace::%s event", change);
 	json_object *obj = json_object_new_object();
 	json_object_object_add(obj, "change", json_object_new_string(change));
@@ -586,6 +612,9 @@ void ipc_event_workspace(swayc_t *old, swayc_t *new, const char *change) {
 }
 
 void ipc_event_window(swayc_t *window, const char *change) {
+	if (!(config->ipc_policy & IPC_FEATURE_EVENT_WINDOW)) {
+		return;
+	}
 	sway_log(L_DEBUG, "Sending window::%s event", change);
 	json_object *obj = json_object_new_object();
 	json_object_object_add(obj, "change", json_object_new_string(change));
@@ -611,6 +640,9 @@ void ipc_event_barconfig_update(struct bar_config *bar) {
 }
 
 void ipc_event_mode(const char *mode) {
+	if (!(config->ipc_policy & IPC_FEATURE_EVENT_MODE)) {
+		return;
+	}
 	sway_log(L_DEBUG, "Sending mode::%s event", mode);
 	json_object *obj = json_object_new_object();
 	json_object_object_add(obj, "change", json_object_new_string(mode));
@@ -636,6 +668,9 @@ void ipc_event_modifier(uint32_t modifier, const char *state) {
 }
 
 static void ipc_event_binding(json_object *sb_obj) {
+	if (!(config->ipc_policy & IPC_FEATURE_EVENT_BINDING)) {
+		return;
+	}
 	sway_log(L_DEBUG, "Sending binding::run event");
 	json_object *obj = json_object_new_object();
 	json_object_object_add(obj, "change", json_object_new_string("run"));
author	Drew DeVault <sir@cmpwn.com>	2016-12-02 17:55:03 -0500
committer	Drew DeVault <sir@cmpwn.com>	2016-12-02 17:55:03 -0500
commit	62dad7148f7b7b314f0297e191861ae3f03e9e1f (patch)
tree	45bc560d7a197200ff3658cbbb5763e860bf1372
parent	c8dc4925d1e0f5d5086a4c15415ee9fb0b7e6155 (diff)