From 76cab04b4d7828f3c4f607c49e1e6ad78aa6e3da Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Thu, 1 Dec 2016 21:36:43 -0500 Subject: Implement permit and reject commands --- config.d/security.in | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config.d/security.in (limited to 'config.d/security.in') diff --git a/config.d/security.in b/config.d/security.in new file mode 100644 index 00000000..f59b2980 --- /dev/null +++ b/config.d/security.in @@ -0,0 +1,52 @@ +# sway security rules +# +# Read sway-security(7) for details on how to secure your sway install. +# +# You MUST read this man page if you intend to attempt to secure your sway +# installation. + +# Configures which programs are allowed to use which sway features +permit __PREFIX__/swaylock lock +permit __PREFIX__/swaybar panel +permit __PREFIX__/swaybg background +permit __PREFIX__/swaygrab screenshot + +permit * fullscreen keyboard mouse + +# Configures which IPC features are enabled +ipc { + command enabled + outputs enabled + workspaces enabled + tree enabled + marks enabled + bar-config enabled + inputs enabled + + events { + workspace enabled + output enabled + mode enabled + window enabled + bar-config enabled + binding enabled + modifier enabled + input enabled + } +} + +# Limits the contexts from which certain commands are permitted +commands { + fullscreen binding criteria + bindsym config + exit binding + kill binding + + # You should not change these unless you know what you're doing - it could + # cripple your security + reload binding + restart binding + permit config + reject config + ipc config +} -- cgit v1.2.3 From 3dbeb9c35cd3cd71b318370b776bdaa00436a356 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Fri, 2 Dec 2016 10:05:43 -0500 Subject: Add sway-security(7) --- config.d/security.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'config.d/security.in') diff --git a/config.d/security.in b/config.d/security.in index f59b2980..a1efb98f 100644 --- a/config.d/security.in +++ b/config.d/security.in @@ -28,10 +28,9 @@ ipc { output enabled mode enabled window enabled - bar-config enabled - binding enabled modifier enabled input enabled + binding disabled } } -- cgit v1.2.3 From 25a4a85a59802d3e437129370945d4b4a662c7b2 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Fri, 2 Dec 2016 15:56:36 -0500 Subject: Run config files through sed and install to /etc --- config.d/security.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'config.d/security.in') diff --git a/config.d/security.in b/config.d/security.in index a1efb98f..b5690dc7 100644 --- a/config.d/security.in +++ b/config.d/security.in @@ -6,10 +6,10 @@ # installation. # Configures which programs are allowed to use which sway features -permit __PREFIX__/swaylock lock -permit __PREFIX__/swaybar panel -permit __PREFIX__/swaybg background -permit __PREFIX__/swaygrab screenshot +permit __PREFIX__/bin/swaylock lock +permit __PREFIX__/bin/swaybar panel +permit __PREFIX__/bin/swaybg background +permit __PREFIX__/bin/swaygrab screenshot permit * fullscreen keyboard mouse -- cgit v1.2.3 From e7a764fdf450a8259ddbc17446dd720fa1157b44 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Sat, 3 Dec 2016 12:38:42 -0500 Subject: Disallow everything by default And update config.d/security to configure sane defaults --- config.d/security.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'config.d/security.in') diff --git a/config.d/security.in b/config.d/security.in index b5690dc7..47592b05 100644 --- a/config.d/security.in +++ b/config.d/security.in @@ -6,13 +6,12 @@ # installation. # Configures which programs are allowed to use which sway features +permit * fullscreen keyboard mouse ipc permit __PREFIX__/bin/swaylock lock permit __PREFIX__/bin/swaybar panel permit __PREFIX__/bin/swaybg background permit __PREFIX__/bin/swaygrab screenshot -permit * fullscreen keyboard mouse - # Configures which IPC features are enabled ipc { command enabled @@ -36,6 +35,8 @@ ipc { # Limits the contexts from which certain commands are permitted commands { + * all + fullscreen binding criteria bindsym config exit binding -- cgit v1.2.3