aboutsummaryrefslogtreecommitdiff
path: root/sway/commands
diff options
context:
space:
mode:
authorDrew DeVault <sir@cmpwn.com>2017-02-21 05:18:42 -0500
committerGitHub <noreply@github.com>2017-02-21 05:18:42 -0500
commitf68d2fb33c433d13def0921db561eb23d400683c (patch)
treecd8ec8565a63cd5b047e45b001debed16d6a2bdd /sway/commands
parent76614efb16527420017291cd47de176b11440d38 (diff)
parent276630eb9632fe2323d02c5d4113062830c49082 (diff)
Merge pull request #1080 from SirCmpwn/ipc-security
Revise IPC security configuration
Diffstat (limited to 'sway/commands')
-rw-r--r--sway/commands/commands.c8
-rw-r--r--sway/commands/ipc.c28
-rw-r--r--sway/commands/permit.c21
3 files changed, 25 insertions, 32 deletions
diff --git a/sway/commands/commands.c b/sway/commands/commands.c
index 8c7ed487..0c64970c 100644
--- a/sway/commands/commands.c
+++ b/sway/commands/commands.c
@@ -10,6 +10,9 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
if ((error = checkarg(argc, "commands", EXPECTED_EQUAL_TO, 1))) {
return error;
}
+ if ((error = check_security_config())) {
+ return error;
+ }
if (strcmp(argv[0], "{") != 0) {
return cmd_results_new(CMD_FAILURE, "commands", "Expected block declaration");
@@ -19,10 +22,5 @@ struct cmd_results *cmd_commands(int argc, char **argv) {
return cmd_results_new(CMD_FAILURE, "commands", "Can only be used in config file.");
}
- if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
- return cmd_results_new(CMD_INVALID, "permit",
- "This command is only permitted to run from " SYSCONFDIR "/sway/security");
- }
-
return cmd_results_new(CMD_BLOCK_COMMANDS, NULL, NULL);
}
diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c
index 113a975b..8a7b849f 100644
--- a/sway/commands/ipc.c
+++ b/sway/commands/ipc.c
@@ -1,18 +1,26 @@
#include <stdio.h>
#include <string.h>
+#include "sway/security.h"
#include "sway/commands.h"
#include "sway/config.h"
#include "ipc.h"
#include "log.h"
#include "util.h"
+static struct ipc_policy *current_policy = NULL;
+
struct cmd_results *cmd_ipc(int argc, char **argv) {
struct cmd_results *error = NULL;
- if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 1))) {
+ if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 2))) {
+ return error;
+ }
+ if ((error = check_security_config())) {
return error;
}
- if (config->reading && strcmp("{", argv[0]) != 0) {
+ const char *program = argv[0];
+
+ if (config->reading && strcmp("{", argv[1]) != 0) {
return cmd_results_new(CMD_INVALID, "ipc",
"Expected '{' at start of IPC config definition.");
}
@@ -21,10 +29,8 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
return cmd_results_new(CMD_FAILURE, "ipc", "Can only be used in config file.");
}
- if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
- return cmd_results_new(CMD_INVALID, "permit",
- "This command is only permitted to run from " SYSCONFDIR "/sway/security");
- }
+ current_policy = alloc_ipc_policy(program);
+ list_add(config->ipc_policies, current_policy);
return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL);
}
@@ -67,6 +73,7 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) {
char *name;
enum ipc_feature type;
} types[] = {
+ { "*", IPC_FEATURE_ALL_COMMANDS },
{ "command", IPC_FEATURE_COMMAND },
{ "workspaces", IPC_FEATURE_GET_WORKSPACES },
{ "outputs", IPC_FEATURE_GET_OUTPUTS },
@@ -86,10 +93,10 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) {
}
if (enabled) {
- config->ipc_policy |= type;
+ current_policy->features |= type;
sway_log(L_DEBUG, "Enabled IPC %s feature", argv[-1]);
} else {
- config->ipc_policy &= ~type;
+ current_policy->features &= ~type;
sway_log(L_DEBUG, "Disabled IPC %s feature", argv[-1]);
}
@@ -116,6 +123,7 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) {
char *name;
enum ipc_feature type;
} types[] = {
+ { "*", IPC_FEATURE_ALL_EVENTS },
{ "workspace", IPC_FEATURE_EVENT_WORKSPACE },
{ "output", IPC_FEATURE_EVENT_OUTPUT },
{ "mode", IPC_FEATURE_EVENT_MODE },
@@ -134,10 +142,10 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) {
}
if (enabled) {
- config->ipc_policy |= type;
+ current_policy->features |= type;
sway_log(L_DEBUG, "Enabled IPC %s event", argv[-1]);
} else {
- config->ipc_policy &= ~type;
+ current_policy->features &= ~type;
sway_log(L_DEBUG, "Disabled IPC %s event", argv[-1]);
}
diff --git a/sway/commands/permit.c b/sway/commands/permit.c
index 1b2a30bf..e2bec2e2 100644
--- a/sway/commands/permit.c
+++ b/sway/commands/permit.c
@@ -19,7 +19,6 @@ static enum secure_feature get_features(int argc, char **argv,
{ "fullscreen", FEATURE_FULLSCREEN },
{ "keyboard", FEATURE_KEYBOARD },
{ "mouse", FEATURE_MOUSE },
- { "ipc", FEATURE_IPC },
};
for (int i = 1; i < argc; ++i) {
@@ -63,19 +62,13 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
return error;
}
-
- if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
- return cmd_results_new(CMD_INVALID, "permit",
- "This command is only permitted to run from " SYSCONFDIR "/sway/security");
+ if ((error = check_security_config())) {
+ return error;
}
struct feature_policy *policy = get_policy(argv[0]);
policy->features |= get_features(argc, argv, &error);
- if (error) {
- return error;
- }
-
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
policy->program, policy->features);
@@ -87,19 +80,13 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
if ((error = checkarg(argc, "reject", EXPECTED_MORE_THAN, 1))) {
return error;
}
-
- if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) {
- return cmd_results_new(CMD_INVALID, "permit",
- "This command is only permitted to run from " SYSCONFDIR "/sway/security");
+ if ((error = check_security_config())) {
+ return error;
}
struct feature_policy *policy = get_policy(argv[0]);
policy->features &= ~get_features(argc, argv, &error);
- if (error) {
- return error;
- }
-
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
policy->program, policy->features);
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-18 22:29:37 +0000