author Drew DeVault <sir@cmpwn.com> 2017-02-21 05:18:42 -0500
committer GitHub <noreply@github.com> 2017-02-21 05:18:42 -0500
commit f68d2fb33c433d13def0921db561eb23d400683c
tree cd8ec8565a63cd5b047e45b001debed16d6a2bdd /sway/sway-security.7.txt
parent 76614efb16527420017291cd47de176b11440d38
parent 276630eb9632fe2323d02c5d4113062830c49082
Merge pull request #1080 from SirCmpwn/ipc-security
Revise IPC security configuration
Diffstat (limited to 'sway/sway-security.7.txt')
-rw-r--r-- sway/sway-security.7.txt 34
1 files changed, 19 insertions, 15 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index 7d8aa4ad..fb47ffcf 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway
environment in their distro. Sway provides a number of means of securing it but
you must make a few changes external to sway first.
-Security-related configuration is only valid in /etc/sway/config (or whatever path
-is appropriate for your system).
+Configuration of security features is limited to files in the security directory
+(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
+Files in this directory must be owned by root:root and chmod 644. The default
+security configuration is installed to /etc/sway/security.d/00-defaults, and
+should not be modified - it will be updated with the latest recommended security
+defaults between releases. To override the defaults, you should add more files to
+this directory.
Environment security
--------------------
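Review bot: The new paragraph requires files in the security directory to be owned by root:root with mode 644, but it does not say what sway does with a file that fails that check (skipped, or a startup error), and it does not state the order in which the files are read. Since overrides are meant to go in additional files next to 00-defaults, the text should spell out the ordering (the 00- prefix suggests lexical order, but that is never stated) and whether a later file replaces or merges with an earlier policy. It would also help to state the required ownership and mode of the directory itself, since a directory writable by a non-root user would allow files to be removed or renamed even though each file is checked.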
@@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place.
IPC policies
------------
-You may whitelist IPC access like so:
+Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC
+socket, because any program that can execute swaymsg could circumvent its own
+security policy by simply invoking swaymsg.
- permit /usr/bin/swaybar ipc
- permit /usr/bin/swaygrab ipc
- # etc
+You can configure which features of IPC are available for particular clients:
-Note that it's suggested you do not enable swaymsg to access IPC if you intend to
-secure your IPC socket, because any program could just run swaymsg itself instead
-of connecting to IPC directly.
-
-You can also configure which features of IPC are available with an IPC block:
-
- ipc {
+ ipc <executable> {
...
}
+You may use * for <executable> to configure the default policy for all clients.
+Configuring IPC policies for specific executables is not supported on FreeBSD, and
+the default policy will be applied to all IPC connections.
+
The following commands are available within this block:
**bar-config** <enabled|disabled>::
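Review bot: The FreeBSD sentence says the default policy is applied to all connections, but not what happens to an `ipc <executable> {` block that names a specific program on that platform; if such a block is silently ignored, a restriction an admin wrote for one client has no effect, so the text should say whether it is rejected, warned about, or ignored, and advise FreeBSD users to put their restrictive settings in the `*` block. Separately, the first paragraph encourages disabling IPC access via swaymsg, yet the hunk removes the only concrete `permit ... ipc` lines without showing the equivalent in the new syntax; a short example block for swaymsg would make the recommendation actionable. The `<executable>` placeholder should also say whether an absolute path is required, as the removed examples used.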
@@ -201,7 +204,7 @@ The following commands are available within this block:
You can also control which IPC events can be raised with an events block:
- ipc {
+ ipc <executable> {
events {
...
}
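Review bot: With the events example now scoped as `ipc <executable> {`, the text does not say how an events block for a specific executable combines with one in the `*` default policy: does the client's block replace the default entirely, or only override the events it names? State the precedence here, and say whether a single `ipc <executable>` block may hold both the feature commands and an events block or whether they must be written separately.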
@@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block:
**workspace** <enabled|disabled>::
Controls workspace notifications.
-Disabling some of these may cause swaybar to behave incorrectly.
+In each of these blocks, you may use * (as in "* enabled" or "* disabled") to
+control access to every feature at once.
Authors
-------
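Review bot: The removed line warning that disabling some of these events may cause swaybar to behave incorrectly has no replacement in the new text; unless it no longer applies, keep it next to the new `*` sentence, since it is exactly what someone tightening the events policy needs to know. The `*` sentence should also say how "* disabled" interacts with individual entries in the same block (for example, whether a later "workspace enabled" overrides it), because the order of evaluation is not stated. While touching this section, the context line in the hunk header reads "vaild" and could be corrected to "valid".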