Check for CAP_SYS_PTRACE

author: Drew DeVault <sir@cmpwn.com> 2016-12-02 18:37:01 -0500
committer: Drew DeVault <sir@cmpwn.com> 2016-12-02 18:37:01 -0500
commit: 8577095db77eef62af05fd2acbd9bd2c28b901f6 (patch)
tree: ca0cd048676ad3c516db717e94103e5b45d41894
parent: d353da248b4653d7bc027ff0dceca946cdd0b22f (diff)
download: sway-8577095db77eef62af05fd2acbd9bd2c28b901f6.tar.xz
2 files changed, 11 insertions, 0 deletions
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index 15fa1720..d1afadb6 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -55,6 +55,7 @@ target_link_libraries(sway
 	${PANGO_LIBRARIES}
 	${JSONC_LIBRARIES}
 	m
+    cap
 )
 
 install(
diff --git a/sway/main.c b/sway/main.c
index 9746cfb2..73c4b5f2 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -9,6 +9,7 @@
 #include <signal.h>
 #include <unistd.h>
 #include <getopt.h>
+#include <sys/capability.h>
 #include "sway/extensions.h"
 #include "sway/layout.h"
 #include "sway/config.h"
@@ -151,6 +152,15 @@ static void security_sanity_check() {
 		sway_log(L_ERROR,
 			"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
 	}
+	cap_flag_value_t v;
+	cap_t cap = cap_get_proc();
+	if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) {
+		sway_log(L_ERROR,
+			"!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users.");
+	}
+	if (cap) {
+		cap_free(cap);
+	}
 	if (!stat(SYSCONFDIR "/sway", &s)) {
 		if (s.st_uid != 0 || s.st_gid != 0
 				|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
author	Drew DeVault <sir@cmpwn.com>	2016-12-02 18:37:01 -0500
committer	Drew DeVault <sir@cmpwn.com>	2016-12-02 18:37:01 -0500
commit	8577095db77eef62af05fd2acbd9bd2c28b901f6 (patch)
tree	ca0cd048676ad3c516db717e94103e5b45d41894
parent	d353da248b4653d7bc027ff0dceca946cdd0b22f (diff)
download	sway-8577095db77eef62af05fd2acbd9bd2c28b901f6.tar.xz