aboutsummaryrefslogtreecommitdiff
path: root/sway/main.c
diff options
context:
space:
mode:
Diffstat (limited to 'sway/main.c')
-rw-r--r--sway/main.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/sway/main.c b/sway/main.c
index 9746cfb2..73c4b5f2 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -9,6 +9,7 @@
#include <signal.h>
#include <unistd.h>
#include <getopt.h>
+#include <sys/capability.h>
#include "sway/extensions.h"
#include "sway/layout.h"
#include "sway/config.h"
@@ -151,6 +152,15 @@ static void security_sanity_check() {
sway_log(L_ERROR,
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
}
+ cap_flag_value_t v;
+ cap_t cap = cap_get_proc();
+ if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) {
+ sway_log(L_ERROR,
+ "!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users.");
+ }
+ if (cap) {
+ cap_free(cap);
+ }
if (!stat(SYSCONFDIR "/sway", &s)) {
if (s.st_uid != 0 || s.st_gid != 0
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {