From 44cc0ef125332f1fe3dad7d16ed0a78a25cd1974 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Thu, 1 Dec 2016 19:38:36 -0500
Subject: Add config related code and initial headers
---
 include/sway/config.h | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)
(limited to 'include/sway')
diff --git a/include/sway/config.h b/include/sway/config.h
index 8d077ee7..3744386c 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -103,9 +103,6 @@ struct pid_workspace {
 time_t *time_added;
 };
-void pid_workspace_add(struct pid_workspace *pw);
-void free_pid_workspace(struct pid_workspace *pw);
-
 struct bar_config {
 /**
 * One of "dock", "hide", "invisible"
@@ -184,6 +181,35 @@ enum edge_border_types {
 E_BOTH /**< hide vertical and horizontal edge borders */
 };
+enum command_context {
+ CONTEXT_CONFIG = 1,
+ CONTEXT_BINDING = 2,
+ CONTEXT_IPC = 4,
+ CONTEXT_CRITERIA = 8,
+ CONTEXT_ALL = 0xFFFFFFFF,
+};
+
+struct command_policy {
+ char *command;
+ enum command_context context;
+};
+
+enum secure_feature {
+ FEATURE_LOCK = 1,
+ FEATURE_PANEL = 2,
+ FEATURE_BACKGROUND = 4,
+ FEATURE_SCREENSHOT = 8,
+ FEATURE_FULLSCREEN = 16,
+ FEATURE_KEYBOARD = 32,
+ FEATURE_MOUSE = 64,
+};
+
+struct feature_policy {
+ char *program;
+ bool permit;
+ enum secure_feature features;
+};
+
 /**
 * The configuration struct. The result of loading a config file.
 */
@@ -252,8 +278,15 @@ struct sway_config {
 int32_t floating_maximum_height;
 int32_t floating_minimum_width;
 int32_t floating_minimum_height;
+
+ // Security
+ list_t *command_policies;
+ list_t *feature_policies;
 };
+void pid_workspace_add(struct pid_workspace *pw);
+void free_pid_workspace(struct pid_workspace *pw);
+
 /**
 * Loads the main config from the given path. is_active should be true when
 * reloading the config.
-- cgit v1.2.3
From 26752932003145c89a0cd8d39c9944d6f5917837 Mon Sep 17 00:00:00 2001
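Review bot: `CONTEXT_ALL = 0xFFFFFFFF` in `enum command_context` (hunk `@@ -184,6 +181,35 @@` of include/sway/config.h) does not fit in `int`, which ISO C before C23 requires of every enumeration constant; GCC and Clang accept it as an extension, but the enum's underlying type and signedness then depend on the compiler. Building the mask from the named bits keeps it portable: `CONTEXT_ALL = CONTEXT_CONFIG | CONTEXT_BINDING | CONTEXT_IPC | CONTEXT_CRITERIA,`. The new enums and policy structs also carry none of the `/**< … */` member comments used on `enum edge_border_types` just above; in particular `struct feature_policy` should say what `permit == false` means and what applies to a program that has no entry, since that default decides whether the policy fails open or closed.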
From: Drew DeVault
Date: Thu, 1 Dec 2016 19:58:11 -0500
Subject: Implement policy lookups
---
 include/sway/config.h | 1 -
 include/sway/security.h | 9 +++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 include/sway/security.h
(limited to 'include/sway')
diff --git a/include/sway/config.h b/include/sway/config.h
index 3744386c..14a86e49 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -206,7 +206,6 @@ enum secure_feature {
 struct feature_policy {
 char *program;
- bool permit;
 enum secure_feature features;
 };
diff --git a/include/sway/security.h b/include/sway/security.h
new file mode 100644
index 00000000..efc25ce6
--- /dev/null
+++ b/include/sway/security.h
@@ -0,0 +1,9 @@
+#ifndef _SWAY_SECURITY_H
+#define _SWAY_SECURITY_H
+#include
+#include "sway/config.h"
+
+const struct feature_permissions *get_permissions(pid_t pid);
+enum command_context get_command_context(const char *cmd);
+
+#endif
-- cgit v1.2.3
From 76cab04b4d7828f3c4f607c49e1e6ad78aa6e3da Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Thu, 1 Dec 2016 21:36:43 -0500
Subject: Implement permit and reject commands
---
 include/sway/commands.h | 2 ++
 include/sway/security.h | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'include/sway')
diff --git a/include/sway/commands.h b/include/sway/commands.h
index db5e94d9..1d5d56ac 100644
--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -122,6 +122,8 @@ sway_cmd cmd_new_float;
 sway_cmd cmd_new_window;
 sway_cmd cmd_orientation;
 sway_cmd cmd_output;
+sway_cmd cmd_permit;
+sway_cmd cmd_reject;
 sway_cmd cmd_reload;
 sway_cmd cmd_resize;
 sway_cmd cmd_scratchpad;
diff --git a/include/sway/security.h b/include/sway/security.h
index efc25ce6..ae2de0d8 100644
--- a/include/sway/security.h
+++ b/include/sway/security.h
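Review bot: `get_permissions(pid_t pid)` in the new include/sway/security.h keys a security decision on a bare PID, and nothing in the header says where that PID must come from or what is returned when no policy matches. A PID can be recycled and the process behind it can exec another program after the lookup, so the contract belongs in a comment on the prototype, for example `/* pid: peer PID reported by the kernel for the client connection, never a client-supplied value */`; the implementation is not in this view, so treat the wording as a proposal to confirm. The include guard `_SWAY_SECURITY_H` also begins with an underscore followed by a capital letter, a spelling reserved for the implementation; `SWAY_SECURITY_H` avoids it.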
@@ -3,7 +3,9 @@
 #include
 #include "sway/config.h"
-const struct feature_permissions *get_permissions(pid_t pid);
-enum command_context get_command_context(const char *cmd);
+enum secure_feature get_feature_policy(pid_t pid);
+enum command_context get_command_policy(const char *cmd);
+
+struct feature_policy *alloc_feature_policy(const char *program);
 #endif
-- cgit v1.2.3
From f23880b1fdd70a21b04317c18208a1f3ce356839 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Fri, 2 Dec 2016 08:10:03 -0500
Subject: Add support for command policies in config file
---
 include/sway/commands.h | 10 +++++++++-
 include/sway/security.h | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)
(limited to 'include/sway')
diff --git a/include/sway/commands.h b/include/sway/commands.h
index 1d5d56ac..ccc3cf58 100644
--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -18,7 +18,10 @@ enum cmd_status {
 CMD_BLOCK_MODE,
 CMD_BLOCK_BAR,
 CMD_BLOCK_BAR_COLORS,
- CMD_BLOCK_INPUT
+ CMD_BLOCK_INPUT,
+ CMD_BLOCK_COMMANDS,
+ CMD_BLOCK_IPC,
+ CMD_BLOCK_IPC_EVENTS,
 };
 /**
@@ -58,6 +61,10 @@ struct cmd_results *handle_command(char *command);
 * Do not use this under normal conditions.
 */
 struct cmd_results *config_command(char *command, enum cmd_status block);
+/*
+ * Parses a command policy rule.
+ */
+struct cmd_results *config_commands_command(char *exec);
 /**
 * Allocates a cmd_results object.
@@ -93,6 +100,7 @@ sway_cmd cmd_client_unfocused;
 sway_cmd cmd_client_urgent;
 sway_cmd cmd_client_placeholder;
 sway_cmd cmd_client_background;
+sway_cmd cmd_commands;
 sway_cmd cmd_debuglog;
 sway_cmd cmd_exec;
 sway_cmd cmd_exec_always;
diff --git a/include/sway/security.h b/include/sway/security.h
index ae2de0d8..aa51fd81 100644
--- a/include/sway/security.h
+++ b/include/sway/security.h
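Review bot: `get_feature_policy()` and `get_command_policy()` (hunk `@@ -3,7 +3,9 @@` of include/sway/security.h) return `enum secure_feature` and `enum command_context`, yet the enumerators are distinct powers of two, so the result is presumably an OR of several flags and not a valid enumerator on its own. A fixed-width mask states that directly: `uint32_t get_feature_policy(pid_t pid);` and `uint32_t get_command_policy(const char *cmd);`. `alloc_feature_policy(const char *program)` needs a comment saying whether `program` is copied, who frees the returned object, and whether NULL comes back on allocation failure; the same applies to `alloc_command_policy()` added in the `@@ -7,5 +7,6 @@` hunk of the following commit.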
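Review bot: The comment added above `config_commands_command` (hunk `@@ -58,6 +61,10 @@` of include/sway/commands.h) opens with `/*` while the neighbouring declarations use `/**`, so documentation tooling that keys on `/**` would skip it. The parameter name `exec` does not match the comment, which says the argument is a command policy rule; `struct cmd_results *config_commands_command(char *rule);` reads more clearly in the header. The comment should also state what `cmd_results` a malformed rule produces, since a rule that is silently ignored changes what the policy permits.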
@@ -7,5 +7,6 @@ enum secure_feature get_feature_policy(pid_t pid);
 enum command_context get_command_policy(const char *cmd);
 struct feature_policy *alloc_feature_policy(const char *program);
+struct command_policy *alloc_command_policy(const char *command);
 #endif
-- cgit v1.2.3
From 39cf9a82f7c1f7e5d7b4952cabf215c8459a99e2 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Fri, 2 Dec 2016 08:17:45 -0500
Subject: Enforce command policies
---
 include/sway/commands.h | 2 +-
 include/sway/security.h | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
(limited to 'include/sway')
diff --git a/include/sway/commands.h b/include/sway/commands.h
index ccc3cf58..9e8d013e 100644
--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -54,7 +54,7 @@ int sp_index;
 /**
 * Parse and handles a command.
 */
-struct cmd_results *handle_command(char *command);
+struct cmd_results *handle_command(char *command, enum command_context context);
 /**
 * Parse and handles a command during config file loading.
 *
diff --git a/include/sway/security.h b/include/sway/security.h
index aa51fd81..1cc85bee 100644
--- a/include/sway/security.h
+++ b/include/sway/security.h
@@ -6,6 +6,8 @@
 enum secure_feature get_feature_policy(pid_t pid);
 enum command_context get_command_policy(const char *cmd);
+const char *command_policy_str(enum command_context context);
+
 struct feature_policy *alloc_feature_policy(const char *program);
 struct command_policy *alloc_command_policy(const char *command);
-- cgit v1.2.3
From e9e1a6a409a276310e1015763184641547e7823c Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Fri, 2 Dec 2016 16:08:45 -0500
Subject: Add IPC policy to config Also reduces enum abuse, cc @minus7
---
 include/sway/config.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'include/sway')
diff --git a/include/sway/config.h b/include/sway/config.h
index 14a86e49..1154b871 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
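Review bot: The doc comment above `handle_command` (hunk `@@ -54,7 +54,7 @@` of include/sway/commands.h) still reads only "Parse and handles a command." although the new `context` parameter is what the policy check is decided on. It should say that `context` is the origin of the command, that callers pass the single `CONTEXT_*` value for their own entry point and not `CONTEXT_ALL`, and which `cmd_status` comes back when the policy rejects the command; those details are not visible in this header, so confirm them against the implementation. A possible wording is `* context is where the command came from (one CONTEXT_* value); a command whose policy excludes it is not executed.`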
@@ -135,7 +135,7 @@ struct bar_config {
 int height; // -1 not defined
 int tray_padding;
 bool workspace_buttons;
- bool wrap_scroll;
+ bool wrap_scroll;
 char *separator_symbol;
 bool strip_workspace_numbers;
 bool binding_mode_indicator;
@@ -191,7 +191,7 @@ enum command_context {
 struct command_policy {
 char *command;
- enum command_context context;
+ uint32_t context;
 };
 enum secure_feature {
@@ -206,7 +206,7 @@ enum secure_feature {
 struct feature_policy {
 char *program;
- enum secure_feature features;
+ uint32_t features;
 };
 /**
@@ -228,7 +228,7 @@ struct sway_config {
 uint32_t floating_mod;
 uint32_t dragging_key;
 uint32_t resizing_key;
- char *floating_scroll_up_cmd;
+ char *floating_scroll_up_cmd;
 char *floating_scroll_down_cmd;
 char *floating_scroll_left_cmd;
 char *floating_scroll_right_cmd;
@@ -281,6 +281,7 @@ struct sway_config {
 // Security
 list_t *command_policies;
 list_t *feature_policies;
+ uint32_t ipc_policy;
 };
 void pid_workspace_add(struct pid_workspace *pw);
-- cgit v1.2.3
From c8dc4925d1e0f5d5086a4c15415ee9fb0b7e6155 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Fri, 2 Dec 2016 17:34:26 -0500
Subject: Add IPC security policy command handlers
---
 include/sway/commands.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'include/sway')
diff --git a/include/sway/commands.h b/include/sway/commands.h
index 9e8d013e..3ab8d5af 100644
--- a/include/sway/commands.h
+++ b/include/sway/commands.h
@@ -120,6 +120,7 @@ sway_cmd cmd_gaps;
 sway_cmd cmd_hide_edge_borders;
 sway_cmd cmd_include;
 sway_cmd cmd_input;
+sway_cmd cmd_ipc;
 sway_cmd cmd_kill;
 sway_cmd cmd_layout;
 sway_cmd cmd_log_colors;
@@ -192,4 +193,8 @@ sway_cmd input_cmd_pointer_accel;
 sway_cmd input_cmd_scroll_method;
 sway_cmd input_cmd_tap;
+sway_cmd cmd_ipc_cmd;
+sway_cmd cmd_ipc_events;
+sway_cmd cmd_ipc_event_cmd;
+
 #endif
-- cgit v1.2.3
From 62dad7148f7b7b314f0297e191861ae3f03e9e1f Mon Sep 17 00:00:00 2001
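Review bot: `uint32_t ipc_policy;` (hunk `@@ -281,6 +281,7 @@` of include/sway/config.h) is added to `struct sway_config` without saying which constants its bits are drawn from or what value it holds when the config file contains no IPC rules. No enum for those bits exists in this header at this commit, so a reader cannot tell what a set bit grants, and a permissive initial value would leave IPC open whenever the block is omitted. A comment on the field would cover both, e.g. `uint32_t ipc_policy; // bitmask of permitted IPC features; state the value used when unset`. The struct definition starts outside the hunk.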
From: Drew DeVault
Date: Fri, 2 Dec 2016 17:55:03 -0500
Subject: Enforce IPC security policy
---
 include/sway/config.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'include/sway')
diff --git a/include/sway/config.h b/include/sway/config.h
index 1154b871..192e697c 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -209,6 +209,23 @@ struct feature_policy {
 uint32_t features;
 };
+enum ipc_feature {
+ IPC_FEATURE_COMMAND = 1,
+ IPC_FEATURE_GET_WORKSPACES = 2,
+ IPC_FEATURE_GET_OUTPUTS = 4,
+ IPC_FEATURE_GET_TREE = 8,
+ IPC_FEATURE_GET_MARKS = 16,
+ IPC_FEATURE_GET_BAR_CONFIG = 32,
+ IPC_FEATURE_GET_VERSION = 64,
+ IPC_FEATURE_GET_INPUTS = 128,
+ IPC_FEATURE_EVENT_WORKSPACE = 256,
+ IPC_FEATURE_EVENT_OUTPUT = 512,
+ IPC_FEATURE_EVENT_MODE = 1024,
+ IPC_FEATURE_EVENT_WINDOW = 2048,
+ IPC_FEATURE_EVENT_BINDING = 4096,
+ IPC_FEATURE_EVENT_INPUT = 8192
+};
+
 /**
 * The configuration struct. The result of loading a config file.
 */
-- cgit v1.2.3
From d353da248b4653d7bc027ff0dceca946cdd0b22f Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Fri, 2 Dec 2016 18:08:15 -0500
Subject: Add ipc connection feature policy controls
---
 include/sway/config.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/sway')
diff --git a/include/sway/config.h b/include/sway/config.h
index 192e697c..2c6b83e7 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -202,6 +202,7 @@ enum secure_feature {
 FEATURE_FULLSCREEN = 16,
 FEATURE_KEYBOARD = 32,
 FEATURE_MOUSE = 64,
+ FEATURE_IPC = 128,
 };
 struct feature_policy {
-- cgit v1.2.3
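Review bot: `enum ipc_feature` (hunk `@@ -209,6 +209,23 @@` of include/sway/config.h) spells fourteen flag values as decimal literals, which makes a duplicated or skipped bit hard to spot in review; shift form shows the bit position, e.g. `IPC_FEATURE_COMMAND = 1 << 0,` through `IPC_FEATURE_EVENT_INPUT = 1 << 13,`. The last enumerator also lacks the trailing comma that `enum command_context` and `enum secure_feature` use. A short comment on the GET_* and EVENT_* groups naming the IPC request or subscription each bit gates, and saying whether a clear bit means the request is refused, would tie the enum to the `ipc_policy` field.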