From 7dbecdde95d1f309d8fdd02fe480dc3fbef7c7c1 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Sun, 19 Feb 2017 02:36:36 -0500 Subject: Revise IPC security configuration --- security.d/00-defaults.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++ security.in | 46 ---------------------------------------------- sway/CMakeLists.txt | 2 +- sway/sway-security.7.txt | 34 +++++++++++++++++++--------------- 4 files changed, 67 insertions(+), 62 deletions(-) create mode 100644 security.d/00-defaults.in delete mode 100644 security.in diff --git a/security.d/00-defaults.in b/security.d/00-defaults.in new file mode 100644 index 00000000..99859edd --- /dev/null +++ b/security.d/00-defaults.in @@ -0,0 +1,47 @@ +# sway security rules +# +# Read sway-security(7) for details on how to secure your sway install. +# +# You MUST read this man page if you intend to attempt to secure your sway +# installation. +# +# This file should live at __SYSCONFDIR__/sway/security and will be +# automatically read by sway. + +# Configures enabled compositor features for specific programs +permit * fullscreen keyboard mouse +permit __PREFIX__/bin/swaylock lock +permit __PREFIX__/bin/swaybg background +permit __PREFIX__/bin/swaygrab screenshot +permit __PREFIX__/bin/swaybar panel + +# Configures enabled IPC features for specific programs +ipc __PREFIX__/bin/swaymsg { + * enabled + + events { + * disabled + } +} + +ipc __PREFIX__/bin/swaybar { + bar-config enabled + outputs enabled + workspaces enabled + command enabled +} + +ipc __PREFIX__/bin/swaygrab { + outputs enabled + tree enabled +} + +# Limits the contexts from which certain commands are permitted +commands { + * all + + fullscreen binding criteria + bindsym config + exit binding + kill binding +} diff --git a/security.in b/security.in deleted file mode 100644 index 16897ade..00000000 --- a/security.in +++ /dev/null 
@@ -1,46 +0,0 @@ -# sway security rules -# -# Read sway-security(7) for details on how to secure your sway install. -# -# You MUST read this man page if you intend to attempt to secure your sway -# installation. -# -# This file should live at __SYSCONFDIR__/sway/security and will be -# automatically read by sway. - -# Configures which programs are allowed to use which sway features -permit * fullscreen keyboard mouse ipc -permit __PREFIX__/bin/swaylock lock -permit __PREFIX__/bin/swaybar panel -permit __PREFIX__/bin/swaybg background -permit __PREFIX__/bin/swaygrab screenshot - -# Configures which IPC features are enabled -ipc { - command enabled - outputs enabled - workspaces enabled - tree enabled - marks enabled - bar-config enabled - inputs enabled - - events { - workspace enabled - output enabled - mode enabled - window enabled - input enabled - binding disabled - } -} - -# Limits the contexts from which certain commands are permitted -commands { - * all - - fullscreen binding criteria - bindsym config - exit binding - kill binding -} diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt index d5453003..981f8a07 100644 --- a/sway/CMakeLists.txt +++ b/sway/CMakeLists.txt @@ -91,7 +91,7 @@ function(add_config name source destination) endfunction() add_config(config config sway) -add_config(security security sway) +add_config(00-defaults security.d/00-defaults sway/security.d) add_manpage(sway 1) add_manpage(sway 5) diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 7d8aa4ad..98e3f5ac 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt 
@@ -19,8 +19,13 @@ usually best suited to a distro maintainer who wants to ship a secure sway environment in their distro. Sway provides a number of means of securing it but you must make a few changes external to sway first. -Security-related configuration is only valid in /etc/sway/config (or whatever path -is appropriate for your system). +Configuration of security features is limited to files in the security directory +(this is likely /etc/sway/security.d/*, but depends on your installation prefix). +Files in this directory must be owned by root:root and chmod 600. The default +security configuration is installed to /etc/sway/security.d/00-defaults, and +should not be modified - it will be updated with the latest recommended security +defaults between releases. To override the defaults, you should add more files to +this directory. Environment security -------------------- @@ -160,22 +165,20 @@ Setting a command policy overwrites any previous policy that was in place. IPC policies ------------ -You may whitelist IPC access like so: +Disabling IPC access via swaymsg is encouraged if you intend to secure the IPC +socket, because any program that can execute swaymsg could circumvent its own +security policy by simply invoking swaymsg. - permit /usr/bin/swaybar ipc - permit /usr/bin/swaygrab ipc - # etc +You can configure which features of IPC are available for particular clients: -Note that it's suggested you do not enable swaymsg to access IPC if you intend to -secure your IPC socket, because any program could just run swaymsg itself instead -of connecting to IPC directly. - -You can also configure which features of IPC are available with an IPC block: - - ipc { + ipc { ... } +You may use * for to configure the default policy for all clients. +Configuring IPC policies for specific executables is not supported on FreeBSD, and +the default policy will be applied to all IPC connections. + The following commands are available within this block: **bar-config** :: 
@@ -201,7 +204,7 @@ The following commands are available within this block: You can also control which IPC events can be raised with an events block: - ipc { + ipc { events { ... } @@ -227,7 +230,8 @@ The following commands are vaild within an ipc events block: **workspace** :: Controls workspace notifications. -Disabling some of these may cause swaybar to behave incorrectly. +In each of these blocks, you may use * (as in "* enabled" or "* disabled") to +control access to every feature at once. Authors ------- -- cgit v1.2.3
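Review bot: in the security.d/00-defaults.in hunk, the header comment still says "This file should live at __SYSCONFDIR__/sway/security and will be automatically read by sway", but this commit installs it as security.d/00-defaults (see the CMakeLists change and the man page text "installed to /etc/sway/security.d/00-defaults"); update the path and, since the man page says this file must not be edited, point readers at adding their own file to security.d instead. The `ipc __PREFIX__/bin/swaymsg { * enabled ... }` block also grants swaymsg every IPC feature except events while the man page in the same commit says disabling swaymsg's IPC access is encouraged when securing the socket; a one-line comment above that block saying a hardened install is expected to override it would keep 00-defaults self-explanatory.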
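Review bot: in the security.in deletion hunk, the old file's single `ipc { ... }` block applied to every client, but the new 00-defaults has per-executable blocks only for swaymsg, swaybar and swaygrab and no `ipc * { ... }` block, so what an unlisted executable gets (everything, nothing) now rests on an implicit default that neither file states. Add an explicit `*` policy with whatever the intended default is so it is visible, and mention in the commit message that installs carrying the old /etc/sway/security file will have it silently ignored, since the man page now limits security configuration to the security.d directory.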
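Review bot: in the sway/CMakeLists.txt hunk, `add_config(00-defaults security.d/00-defaults sway/security.d)` installs the file but nothing visible sets its ownership or mode, while the man page hunk requires every file in security.d to be root:root and chmod 600; unless add_config already installs with mode 0600, the shipped default will fail the very check the man page describes, so either set the mode here or state that packagers must. The removed `add_config(security security sway)` line also leaves no uninstall or migration step for the previously installed security file.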
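Review bot: in the sway-security.7.txt hunk at -19,8 +19,13, "Files in this directory must be owned by root:root and chmod 600" should say what sway does when a file fails that check (skip the file, refuse to start), because that decides whether a mis-permissioned override silently falls back to the defaults. The paragraph telling users to "add more files to this directory" would also benefit from stating the load order; the 00- prefix suggests lexical order and the unchanged context line "Setting a command policy overwrites any previous policy" suggests later files win, but neither is stated.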
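Review bot: in the sway-security.7.txt hunk at -160,22 +165,20, "You may use * for to configure the default policy for all clients." has a stray "for". The new paragraph recommending that swaymsg's IPC access be disabled replaced the old `permit ... ipc` example without showing how to do it in the new syntax; since this hunk and the one below say `* disabled` is valid in each block, an example along the lines of `ipc /usr/bin/swaymsg { * disabled }` would close that gap. Also worth spelling out that on FreeBSD, where per-executable policies are unsupported, the swaymsg and swaybar blocks in 00-defaults have no effect and only the `*` policy applies, which 00-defaults currently does not set.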
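Review bot: in the sway-security.7.txt hunk at -227,7 +230,8, the removed line "Disabling some of these may cause swaybar to behave incorrectly." was the only warning that event policy affects swaybar, and the new 00-defaults swaybar block enables bar-config, outputs, workspaces and command but has no events block, so whether swaybar still receives workspace events depends on the implicit default. Either keep the warning or add the required events to the swaybar block. The unchanged context line "The following commands are vaild within an ipc events block" also has a typo (vaild) that could be fixed in passing.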