aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--config.d/security.in (renamed from config.d/security)8
-rw-r--r--config.in (renamed from config)8
-rw-r--r--include/security.h9
-rw-r--r--include/sway/commands.h2
-rw-r--r--include/sway/security.h6
-rw-r--r--sway/commands.c2
-rw-r--r--sway/commands/permit.c95
-rw-r--r--sway/security.c7
8 files changed, 115 insertions, 22 deletions
diff --git a/config.d/security b/config.d/security.in
index fe75d8ea..f59b2980 100644
--- a/config.d/security
+++ b/config.d/security.in
@@ -6,10 +6,10 @@
# installation.
# Configures which programs are allowed to use which sway features
-permit $PREFIX/swaylock lock
-permit $PREFIX/swaybar panel
-permit $PREFIX/swaybg background
-permit $PREFIX/swaygrab screenshot
+permit __PREFIX__/swaylock lock
+permit __PREFIX__/swaybar panel
+permit __PREFIX__/swaybg background
+permit __PREFIX__/swaygrab screenshot
permit * fullscreen keyboard mouse
diff --git a/config b/config.in
index 47bf1e4f..ddd0fec5 100644
--- a/config
+++ b/config.in
@@ -195,10 +195,4 @@ bar {
}
}
-# You may want this:
-#
-# include ~/.config/sway/conf.d/*
-#
-# Protip:
-#
-# include ~/.config/sway/`hostname`/*
+include __SYSCONFDIR__/etc/sway/config.d/*
diff --git a/include/security.h b/include/security.h
deleted file mode 100644
index 3a5dbca0..00000000
--- a/include/security.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _SWAY_SECURITY_H
-#define _SWAY_SECURITY_H
-#include <unistd.h>
-#include "sway/config.h"
-
-enum secure_features get_feature_policy(pid_t pid);
-enum command_context get_command_policy(const char *cmd);
-
-#endif
diff --git a/include/sway/commands.h b/include/sway/commands.h
index db5e94d9..1d5d56ac 100644
--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -122,6 +122,8 @@ sway_cmd cmd_new_float;
sway_cmd cmd_new_window;
sway_cmd cmd_orientation;
sway_cmd cmd_output;
+sway_cmd cmd_permit;
+sway_cmd cmd_reject;
sway_cmd cmd_reload;
sway_cmd cmd_resize;
sway_cmd cmd_scratchpad;
diff --git a/include/sway/security.h b/include/sway/security.h
index efc25ce6..ae2de0d8 100644
--- a/include/sway/security.h
+++ b/include/sway/security.h
@@ -3,7 +3,9 @@
#include <unistd.h>
#include "sway/config.h"
-const struct feature_permissions *get_permissions(pid_t pid);
-enum command_context get_command_context(const char *cmd);
+enum secure_feature get_feature_policy(pid_t pid);
+enum command_context get_command_policy(const char *cmd);
+
+struct feature_policy *alloc_feature_policy(const char *program);
#endif
diff --git a/sway/commands.c b/sway/commands.c
index de29a7af..e2bafcb2 100644
--- a/sway/commands.c
+++ b/sway/commands.c
@@ -187,6 +187,8 @@ static struct cmd_handler handlers[] = {
{ "new_float", cmd_new_float },
{ "new_window", cmd_new_window },
{ "output", cmd_output },
+ { "permit", cmd_permit },
+ { "reject", cmd_reject },
{ "reload", cmd_reload },
{ "resize", cmd_resize },
{ "scratchpad", cmd_scratchpad },
diff --git a/sway/commands/permit.c b/sway/commands/permit.c
new file mode 100644
index 00000000..8a7bb98c
--- /dev/null
+++ b/sway/commands/permit.c
@@ -0,0 +1,95 @@
+#include <string.h>
+#include "sway/commands.h"
+#include "sway/config.h"
+#include "sway/security.h"
+#include "log.h"
+
+static enum secure_feature get_features(int argc, char **argv,
+ struct cmd_results **error) {
+ enum secure_feature features = 0;
+
+ struct {
+ char *name;
+ enum secure_feature feature;
+ } feature_names[] = {
+ { "lock", FEATURE_LOCK },
+ { "panel", FEATURE_PANEL },
+ { "background", FEATURE_BACKGROUND },
+ { "screenshot", FEATURE_SCREENSHOT },
+ { "fullscreen", FEATURE_FULLSCREEN },
+ { "keyboard", FEATURE_KEYBOARD },
+ { "mouse", FEATURE_MOUSE },
+ };
+ size_t names_len = sizeof(feature_names) /
+ (sizeof(char *) + sizeof(enum secure_feature));
+
+ for (int i = 1; i < argc; ++i) {
+ size_t j;
+ for (j = 0; j < names_len; ++j) {
+ if (strcmp(feature_names[j].name, argv[i]) == 0) {
+ break;
+ }
+ }
+ if (j == names_len) {
+ *error = cmd_results_new(CMD_INVALID,
+ "permit", "Invalid feature grant %s", argv[i]);
+ return 0;
+ }
+ features |= feature_names[j].feature;
+ }
+ return features;
+}
+
+static struct feature_policy *get_policy(const char *name) {
+ struct feature_policy *policy = NULL;
+ for (int i = 0; i < config->feature_policies->length; ++i) {
+ struct feature_policy *p = config->feature_policies->items[i];
+ if (strcmp(p->program, name) == 0) {
+ policy = p;
+ break;
+ }
+ }
+ if (!policy) {
+ policy = alloc_feature_policy(name);
+ list_add(config->feature_policies, policy);
+ }
+ return policy;
+}
+
+struct cmd_results *cmd_permit(int argc, char **argv) {
+ struct cmd_results *error = NULL;
+ if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
+ return error;
+ }
+
+ struct feature_policy *policy = get_policy(argv[0]);
+ policy->features |= get_features(argc, argv, &error);
+
+ if (error) {
+ return error;
+ }
+
+ sway_log(L_DEBUG, "Permissions granted to %s for features %d",
+ policy->program, policy->features);
+
+ return cmd_results_new(CMD_SUCCESS, NULL, NULL);
+}
+
+struct cmd_results *cmd_reject(int argc, char **argv) {
+ struct cmd_results *error = NULL;
+ if ((error = checkarg(argc, "reject", EXPECTED_MORE_THAN, 1))) {
+ return error;
+ }
+
+ struct feature_policy *policy = get_policy(argv[0]);
+ policy->features &= ~get_features(argc, argv, &error);
+
+ if (error) {
+ return error;
+ }
+
+ sway_log(L_DEBUG, "Permissions granted to %s for features %d",
+ policy->program, policy->features);
+
+ return cmd_results_new(CMD_SUCCESS, NULL, NULL);
+}
diff --git a/sway/security.c b/sway/security.c
index 00e5e8d7..776bd527 100644
--- a/sway/security.c
+++ b/sway/security.c
@@ -4,6 +4,13 @@
#include "sway/security.h"
#include "log.h"
+struct feature_policy *alloc_feature_policy(const char *program) {
+ struct feature_policy *policy = malloc(sizeof(struct feature_policy));
+ policy->program = strdup(program);
+ policy->features = FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE;
+ return policy;
+}
+
enum secure_feature get_feature_policy(pid_t pid) {
const char *fmt = "/proc/%d/exe";
int pathlen = snprintf(NULL, 0, fmt, pid);