From 7dbecdde95d1f309d8fdd02fe480dc3fbef7c7c1 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Sun, 19 Feb 2017 02:36:36 -0500
Subject: Revise IPC security configuration
---
 security.d/00-defaults.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 security.d/00-defaults.in
(limited to 'security.d')
diff --git a/security.d/00-defaults.in b/security.d/00-defaults.in
new file mode 100644
index 00000000..99859edd
--- /dev/null
+++ b/security.d/00-defaults.in
@@ -0,0 +1,47 @@
+# sway security rules
+#
+# Read sway-security(7) for details on how to secure your sway install.
+#
+# You MUST read this man page if you intend to attempt to secure your sway
+# installation.
+#
+# This file should live at __SYSCONFDIR__/sway/security and will be
+# automatically read by sway.
+
+# Configures enabled compositor features for specific programs
+permit * fullscreen keyboard mouse
+permit __PREFIX__/bin/swaylock lock
+permit __PREFIX__/bin/swaybg background
+permit __PREFIX__/bin/swaygrab screenshot
+permit __PREFIX__/bin/swaybar panel
+
+# Configures enabled IPC features for specific programs
+ipc __PREFIX__/bin/swaymsg {
+ * enabled
+
+ events {
+ * disabled
+ }
+}
+
+ipc __PREFIX__/bin/swaybar {
+ bar-config enabled
+ outputs enabled
+ workspaces enabled
+ command enabled
+}
+
+ipc __PREFIX__/bin/swaygrab {
+ outputs enabled
+ tree enabled
+}
+
+# Limits the contexts from which certain commands are permitted
+commands {
+ * all
+
+ fullscreen binding criteria
+ bindsym config
+ exit binding
+ kill binding
+}
-- cgit v1.2.3
From 126ce571dab09d84d8ee1b760981dbba7cbc1000 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Mon, 20 Feb 2017 07:42:08 -0500
Subject: Read configs from /etc/sway/security.d/*
---
 security.d/00-defaults.in | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'security.d')
diff --git a/security.d/00-defaults.in b/security.d/00-defaults.in
index 99859edd..f319e446 100644
--- a/security.d/00-defaults.in
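Review bot: The `ipc __PREFIX__/bin/swaymsg { * enabled … }` block gives every IPC feature except events to a helper that presumably any local program can execute, so under the path-keyed rules shown here it restricts little for a process that simply runs swaymsg. Neither the block nor the file header says that rules match on executable path or what that requires of the installed binaries. I would add a comment above the block, e.g. `# swaymsg gets full IPC access (events excepted); anything able to run swaymsg inherits it`, and a header line such as `# Rules match on executable path; keep these binaries root-owned and not user-writable.` How sway resolves the client's path is not visible in this patch, so check the wording against sway-security(7).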
+++ b/security.d/00-defaults.in
@@ -29,6 +29,11 @@ ipc __PREFIX__/bin/swaybar {
 outputs enabled
 workspaces enabled
 command enabled
+
+ events {
+ workspace enabled
+ mode enabled
+ }
 }
 
 ipc __PREFIX__/bin/swaygrab {
-- cgit v1.2.3
From 276630eb9632fe2323d02c5d4113062830c49082 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Mon, 20 Feb 2017 23:24:13 -0500
Subject: Update 00-defaults.in
---
 security.d/00-defaults.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'security.d')
diff --git a/security.d/00-defaults.in b/security.d/00-defaults.in
index f319e446..34831c65 100644
--- a/security.d/00-defaults.in
+++ b/security.d/00-defaults.in
@@ -5,8 +5,8 @@
 # You MUST read this man page if you intend to attempt to secure your sway
 # installation.
 #
-# This file should live at __SYSCONFDIR__/sway/security and will be
-# automatically read by sway.
+# DO NOT CHANGE THIS FILE. Override these defaults by writing new files in
+# __SYSCONFDIR__/sway/security.d/*
 
 # Configures enabled compositor features for specific programs
 permit * fullscreen keyboard mouse
-- cgit v1.2.3
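Review bot: The new `events { … }` block for swaybar lists only `workspace enabled` and `mode enabled` and carries no explicit deny, whereas the swaymsg block in the same file spells out `* disabled`. The patch does not show what an unlisted event type defaults to, so if that default is permissive the block restricts nothing. I would open the block with `* disabled` ahead of the two enabled entries, following the wildcard-first order the `commands` block already uses, so the allow-list reads as one. The enclosing `ipc __PREFIX__/bin/swaybar {` block starts above this hunk.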