From 26752932003145c89a0cd8d39c9944d6f5917837 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Thu, 1 Dec 2016 19:58:11 -0500 Subject: Implement policy lookups
--- sway/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) (limited to 'sway/CMakeLists.txt')
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index bb9ea81f..9349c30d 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -35,6 +35,7 @@ add_executable(sway
 output.c workspace.c border.c
+ security.c
 ) add_definitions(
-- cgit v1.2.3 From 3dbeb9c35cd3cd71b318370b776bdaa00436a356 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Fri, 2 Dec 2016 10:05:43 -0500 Subject: Add sway-security(7)
--- config.d/security.in | 3 +- sway/CMakeLists.txt | 1 + sway/sway-security.7.txt | 229 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 sway/sway-security.7.txt (limited to 'sway/CMakeLists.txt')
diff --git a/config.d/security.in b/config.d/security.in
index f59b2980..a1efb98f 100644
--- a/config.d/security.in
+++ b/config.d/security.in
@@ -28,10 +28,9 @@ ipc {
 output enabled
 mode enabled
 window enabled
- bar-config enabled
- binding enabled
 modifier enabled
 input enabled
+ binding disabled
 }
 }
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index 9349c30d..89388220 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -73,3 +73,4 @@ add_manpage(sway 1)
 add_manpage(sway 5)
 add_manpage(sway-input 5)
 add_manpage(sway-bar 5)
+add_manpage(sway-security 7)
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
new file mode 100644
index 00000000..f3d4a229
--- /dev/null
+++ b/sway/sway-security.7.txt
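Review bot: The new `binding disabled` line is the only event in this block whose default differs from the others, and the config carries no comment saying why; the rationale lives only in the man page added by the same commit. That page also states that by default every program may connect to IPC, so an enabled binding event would presumably expose keybinding activity to any connected client, which is worth stating next to the setting for whoever later flips it back to `enabled`. Suggested comment directly above the line: `# binding events stay off by default: every IPC client could otherwise observe keybinding activity`. The enclosing ipc/events block opens outside the hunk.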
@@ -0,0 +1,229 @@ +///// +vim:set ts=4 sw=4 tw=82 noet: +///// +sway-security (7) +================= + +Name +---- +sway-security - Guidelines for securing your sway install + +Security Overview +----------------- + +**Sway is NOT secure**. We are working on it but do not trust that we have it all +figured out yet. The following man page is provisional. + +Securing sway requires careful configuration of your environment, the sort that's +usually best suited to a distro maintainer who wants to ship a secure sway +environment in their distro. Sway provides a number of means of securing it but +you must make a few changes external to sway first. + +Configuration security +---------------------- + +Many of Sway's security features are configurable. It's important that a possibly +untrusted program is not able to edit this. Security rules are kept in +_/etc/sway/config.d/security_ (usually), which should only be writable by root. +However, configuration of security rules is not limited to this file - any config +file that sway loads (including i.e. _~/.config/sway/config_) should not be editable +by the user you intend to run programs as. One simple strategy is to use +/etc/sway/config instead of a config file in your home directory, but that doesn't +work well for multi-user systems. A more robust strategy is to run untrusted +programs as another user, or in a sandbox. Configuring this is up to you. + +Note that _/etc/sway/config.d/*_ must be included explicitly from your config file. +This is done by default in /etc/sway/config but you must check your own config if +you choose to place it in other locations. + +Environment security +-------------------- + +LD_PRELOAD is a mechanism designed by GNU for the purpose of ruining the security +of your system. One of the many ways LD_PRELOAD kills security is by making +Wayland keyloggers possible. + +There are a number of strategies for dealing with this but they all suck a little. 
+In order of most practical to least practical: + +1. Only run important programs via exec. Sway's exec command will ensure that + LD_PRELOAD is unset when running programs. + +2. Remove LD_PRELOAD support from your dynamic loader (requires patching libc). + This may break programs that rely on LD_PRELOAD for legitimate functionality, + but this is the most effective solution. + +3. Use static linking for important programs. Of course statically linked programs + are unaffected by the security dumpster fire that is dynamic linking. + +Note that should you choose method 1, you MUST ensure that sway itself isn't +compromised by LD_PRELOAD. It probably isn't, but you can be sure by setting +/usr/bin/sway to a+s (setuid), which will instruct the dynamic linker not to +permit LD_PRELOAD for it (and will also run it as root, which sway will shortly +drop). You could also statically link sway itself. + +Read your log +------------- + +Sway does sanity checks and prints big red warnings to stderr if they fail. Read +them. + +Feature policies +---------------- + +Certain sway features are security sensitive and may be configured with security +policies. These features are: + +**background**:: + Permission for a program to become the background. + +**fullscreen**:: + Permission to become fullscreen. Note that users can always make a window + fullscreen themselves with the fullscreen command. + +**keyboard**:: + Permission to receive keyboard events. + +**lock**:: + Permission for a program to act as a screen locker. This involves becoming + fullscreen (on all outputs) and accepting all keyboard and mouse input for the + duration of the process. + +**mouse**:: + Permission to receive mouse events. + +**panel**:: + Permission for a program to stick its windows to the sides of the screen. + +**screenshot**:: + Permission to take screenshots or record the screen. + +By default, all programs are granted **fullscreen**, **keyboard**, and **mouse** +permissions. 
You can use the following config commands to control a program's +access: + +**permit** :: + Permits to use (each feature seperated by a space). + may be * to affect the default policy. + +**reject** :: + Disallows from using (each feature seperated by a space). + may be * to affect the default policy. + +Note that policy enforcement requires procfs to be mounted at /proc and the sway +process to be able to access _/proc/[pid]/exe_ (see **procfs(5)** for details on +this access - setcap cap_sys_ptrace=eip /usr/bin/sway should do the trick). If +sway is unable to read _/proc/[pid]/exe_, it will apply the default policy. + +Command policies +---------------- + +You can also control the context from which a command may execute. The different +contexts you can control are: + +**config**:: + Can be run from your config file. + +**binding**:: + Can be run from bindsym or bindcode commands. + +**ipc**:: + Can be run by IPC clients. + +**criteria**:: + Can be run when evaluating window criteria. + +By default a command is allowed to execute in any context. To configure this, open +a commands block and fill it with policies: + + commands { + + ... + } + +For example, you could do this to limit the use of the focus command to just +binding and critiera: + + commands { + focus binding criteria + } + +IPC policies +------------ + +By default all programs can connect to IPC for backwards compatability with i3. +However, you can whitelist IPC access like so: + + reject * ipc + permit /usr/bin/swaybar ipc + permit /usr/bin/swaygrab ipc + # etc + +Note that it's suggested you do not enable swaymsg to access IPC if you intend to +secure your IPC socket, because any program could just run swaymsg itself instead +of connecting to IPC directly. + +You can also configure which features of IPC are available with an IPC block: + + ipc { + ... 
+ } + +The following commands are available within this block: + +**bar-config** :: + Controls GET_BAR_CONFIG (required for swaybar to work at all). + +**command** :: + Controls executing sway commands via IPC. + +**inputs** :: + Controls GET_INPUTS (input device information). + +**marks** :: + Controls GET_MARKS. + +**outputs** :: + Controls GET_OUTPUTS. + +**tree** :: + Controls GET_TREE. + +**workspaces** :: + Controls GET_WORKSPACES. + +You can also control which IPC events can be raised with an events block: + + ipc { + events { + ... + } + } + +The following commands are vaild within an ipc events block: + +**binding** :: + Controls keybinding notifications (disabled by default). + +**input** :: + Controls input device hotplugging notifications. + +**mode** :: + Controls output hotplugging notifications. + +**output** :: + Controls output hotplugging notifications. + +**window** :: + Controls window event notifications. + +**workspace** :: + Controls workspace notifications. + +Disabling some of these may cause swaybar to behave incorrectly. + +Authors +------- +Maintained by Drew DeVault , who is assisted by other open +source contributors. For more information about sway development, see +. -- cgit v1.2.3 From 25a4a85a59802d3e437129370945d4b4a662c7b2 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Fri, 2 Dec 2016 15:56:36 -0500 Subject: Run config files through sed and install to /etc --- config.d/security.in | 8 ++++---- config.in | 2 +- sway/CMakeLists.txt | 30 +++++++++++++++++++++++++----- swaylock/CMakeLists.txt | 2 +- 4 files changed, 31 insertions(+), 11 deletions(-) (limited to 'sway/CMakeLists.txt') diff --git a/config.d/security.in b/config.d/security.in index a1efb98f..b5690dc7 100644 --- a/config.d/security.in +++ b/config.d/security.in 
@@ -6,10 +6,10 @@
 # installation.
 # Configures which programs are allowed to use which sway features
-permit __PREFIX__/swaylock lock
-permit __PREFIX__/swaybar panel
-permit __PREFIX__/swaybg background
-permit __PREFIX__/swaygrab screenshot
+permit __PREFIX__/bin/swaylock lock
+permit __PREFIX__/bin/swaybar panel
+permit __PREFIX__/bin/swaybg background
+permit __PREFIX__/bin/swaygrab screenshot
 permit * fullscreen keyboard mouse
diff --git a/config.in b/config.in
index ddd0fec5..3cb0525e 100644
--- a/config.in
+++ b/config.in
@@ -195,4 +195,4 @@ bar {
 }
 }
-include __SYSCONFDIR__/etc/sway/config.d/*
+include __SYSCONFDIR__/sway/config.d/*
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index 89388220..15fa1720 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -63,11 +63,31 @@ install(
 DESTINATION bin
 COMPONENT runtime
 )
-install(
- FILES ${PROJECT_SOURCE_DIR}/config
- DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/sway/
- COMPONENT configuration
-)
+
+add_custom_target(configs ALL)
+
+function(add_config name source destination)
+ add_custom_command(
+ OUTPUT ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/${name}
+ COMMAND sed -r
+ 's?__PREFIX__?${CMAKE_INSTALL_PREFIX}?g\; s?__SYSCONFDIR__?${CMAKE_INSTALL_FULL_SYSCONFDIR}?g'
+ ${PROJECT_SOURCE_DIR}/${source}.in > ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/${name}
+ DEPENDS ${PROJECT_SOURCE_DIR}/${source}.in
+ COMMENT "Generating config file ${source}"
+ )
+
+ install(
+ FILES ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/${name}
+ DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/${destination}
+ COMPONENT configuration
+ )
+
+ add_custom_target(config-${name} DEPENDS ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/${name})
+ add_dependencies(configs config-${name})
+endfunction()
+
+add_config(config config sway)
+add_config(security config.d/security sway/config.d)
 add_manpage(sway 1)
 add_manpage(sway 5)
diff --git a/swaylock/CMakeLists.txt b/swaylock/CMakeLists.txt
index febbd1af..4aec6424 100644
--- a/swaylock/CMakeLists.txt
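Review bot: The sed expression in `add_config` splices `${CMAKE_INSTALL_PREFIX}` and `${CMAKE_INSTALL_FULL_SYSCONFDIR}` unescaped into an s-command that uses `?` as its delimiter, so a prefix containing `&` or `\` is rewritten incorrectly with no build error, and one containing `?` breaks the expression. For `security.in` the output is the feature-policy file whose `permit` lines (earlier in this commit) name absolute binary paths, so a mangled substitution silently yields a policy that never matches the intended binaries rather than a failed build. The command also depends on the generator's shell honouring the `>` redirection, which CMake does not guarantee. A placeholder-free alternative is `configure_file(${PROJECT_SOURCE_DIR}/${source}.in ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/${name} @ONLY)` with `@CMAKE_INSTALL_PREFIX@`-style markers in the templates, which involves no shell at all; failing that, a configure-time check that the two variables contain none of `?&\` would at least make the failure loud.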
+++ b/swaylock/CMakeLists.txt
@@ -42,7 +42,7 @@ install(
 install(
 FILES ${CMAKE_CURRENT_SOURCE_DIR}/pam/swaylock
- DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/pam.d/
+ DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d/
 COMPONENT data
 )
-- cgit v1.2.3 From 8577095db77eef62af05fd2acbd9bd2c28b901f6 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Fri, 2 Dec 2016 18:37:01 -0500 Subject: Check for CAP_SYS_PTRACE
--- sway/CMakeLists.txt | 1 + sway/main.c | 10 ++++++++++ 2 files changed, 11 insertions(+) (limited to 'sway/CMakeLists.txt')
diff --git a/sway/CMakeLists.txt b/sway/CMakeLists.txt
index 15fa1720..d1afadb6 100644
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@@ -55,6 +55,7 @@ target_link_libraries(sway
 ${PANGO_LIBRARIES}
 ${JSONC_LIBRARIES}
 m
+ cap
 )
 install(
diff --git a/sway/main.c b/sway/main.c
index 9746cfb2..73c4b5f2 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -9,6 +9,7 @@
 #include
 #include
 #include
+#include
 #include "sway/extensions.h"
 #include "sway/layout.h"
 #include "sway/config.h"
@@ -151,6 +152,15 @@ static void security_sanity_check() {
 sway_log(L_ERROR, "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
 }
+ cap_flag_value_t v;
+ cap_t cap = cap_get_proc();
+ if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) {
+ sway_log(L_ERROR,
+ "!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users.");
+ }
+ if (cap) {
+ cap_free(cap);
+ }
 if (!stat(SYSCONFDIR "/sway", &s)) {
 if (s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {
-- cgit v1.2.3
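Review bot: `cap` is linked as a bare name with no `find_library` or `pkg_check_modules` lookup, unlike `${PANGO_LIBRARIES}` and `${JSONC_LIBRARIES}` in the same list (`m` is the libc math library and is always present), so a host without libcap development files fails late at link time with an opaque `-lcap` error rather than at configure time. Consider `find_library(CAP_LIBRARIES NAMES cap)`, a `message(FATAL_ERROR ...)` when it is not found, and linking `${CAP_LIBRARIES}` here; the feature-policy code in main.c now depends on this library, so the build should refuse to proceed rather than produce a binary that cannot perform the check. The `target_link_libraries` call begins outside the hunk.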
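Review bot: The new check in `security_sanity_check` tests `CAP_PERMITTED`, but the kernel's ptrace access check that gates reading another user's `/proc/[pid]/exe` consults the effective set, so a file capability of the form `cap_sys_ptrace=p`, or a process whose effective bit was later cleared, passes this test while enforcement still silently falls back to the default policy — exactly the condition the warning exists to surface (the man page in this series recommends `=eip`, but nothing here verifies the `e`). Query the effective set instead: `if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_EFFECTIVE, &v) != 0 || v != CAP_SET) {`, or test both sets and say which is missing in the message. When `cap_get_proc()` itself fails the warning blames a missing capability and the `errno` from that call is lost, so logging that failure separately would make the two cases distinguishable in the log the man page tells users to read. The include hunk above adds a header whose name is not visible in this rendering, and `security_sanity_check` both begins and ends outside the hunk.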