aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--include/security.h4
-rw-r--r--include/sway/config.h1
-rw-r--r--include/sway/security.h9
-rw-r--r--sway/CMakeLists.txt1
-rw-r--r--sway/security.c54
5 files changed, 66 insertions, 3 deletions
diff --git a/include/security.h b/include/security.h
index efc25ce6..3a5dbca0 100644
--- a/include/security.h
+++ b/include/security.h
@@ -3,7 +3,7 @@
#include <unistd.h>
#include "sway/config.h"
-const struct feature_permissions *get_permissions(pid_t pid);
-enum command_context get_command_context(const char *cmd);
+enum secure_features get_feature_policy(pid_t pid);
+enum command_context get_command_policy(const char *cmd);
#endif
diff --git a/include/sway/config.h b/include/sway/config.h
index 3744386c..14a86e49 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -206,7 +206,6 @@ enum secure_feature {
struct feature_policy {
char *program;
- bool permit;
enum secure_feature features;
};
diff --git a/include/sway/security.h b/include/sway/security.h
new file mode 100644
index 00000000..efc25ce6
--- /dev/null
+++ b/include/sway/security.h
@@ -0,0 +1,9 @@
+#ifndef _SWAY_SECURITY_H
+#define _SWAY_SECURITY_H
+#include <unistd.h>
+#include "sway/config.h"
+
+const struct feature_permissions *get_permissions(pid_t pid);
+enum command_context get_command_context(const char *cmd);
+
+#endif
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index bb9ea81f..9349c30d 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -35,6 +35,7 @@ add_executable(sway
output.c
workspace.c
border.c
+ security.c
)
add_definitions(
diff --git a/sway/security.c b/sway/security.c
new file mode 100644
index 00000000..c72d54f6
--- /dev/null
+++ b/sway/security.c
@@ -0,0 +1,54 @@
+#include <unistd.h>
+#include <stdio.h>
+#include "sway/config.h"
+#include "sway/security.h"
+#include "log.h"
+
+enum secure_feature get_feature_policy(pid_t pid) {
+ const char *fmt = "/proc/%d/exe";
+ int pathlen = snprintf(NULL, 0, fmt, pid);
+ char *path = malloc(pathlen + 1);
+ snprintf(path, pathlen + 1, fmt, pid);
+ static char link[2048];
+
+ enum secure_feature default_policy =
+ FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE;
+
+ ssize_t len = readlink(path, link, sizeof(link));
+ if (len < 0) {
+ sway_log(L_INFO,
+ "WARNING: unable to read %s for security check. Using default policy.",
+ path);
+ strcpy(link, "*");
+ } else {
+ link[len] = '\0';
+ }
+
+ for (int i = 0; i < config->feature_policies->length; ++i) {
+ struct feature_policy *policy = config->feature_policies->items[i];
+ if (strcmp(policy->program, "*")) {
+ default_policy = policy->features;
+ }
+ if (strcmp(policy->program, link) == 0) {
+ return policy->features;
+ }
+ }
+
+ return default_policy;
+}
+
+enum command_context get_command_policy(const char *cmd) {
+ enum command_context default_policy = CONTEXT_ALL;
+
+ for (int i = 0; i < config->command_policies->length; ++i) {
+ struct command_policy *policy = config->command_policies->items[i];
+ if (strcmp(policy->command, "*")) {
+ default_policy = policy->context;
+ }
+ if (strcmp(policy->command, cmd) == 0) {
+ return policy->context;
+ }
+ }
+
+ return default_policy;
+}