From b10721b89e3f3992b2476c55237a25dbeb0bce46 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Mon, 20 Feb 2017 06:11:43 -0500 Subject: Add initial support code for new IPC security --- sway/commands/ipc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'sway/commands/ipc.c') diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c index 113a975b..44d7a010 100644 --- a/sway/commands/ipc.c +++ b/sway/commands/ipc.c @@ -86,10 +86,10 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) { } if (enabled) { - config->ipc_policy |= type; - sway_log(L_DEBUG, "Enabled IPC %s feature", argv[-1]); + //config->ipc_policy |= type; + sway_log(L_DEBUG, "Enabled IPC %s feature %d", argv[-1], (int)type); } else { - config->ipc_policy &= ~type; + //config->ipc_policy &= ~type; sway_log(L_DEBUG, "Disabled IPC %s feature", argv[-1]); } @@ -134,10 +134,10 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) { } if (enabled) { - config->ipc_policy |= type; - sway_log(L_DEBUG, "Enabled IPC %s event", argv[-1]); + //config->ipc_policy |= type; + sway_log(L_DEBUG, "Enabled IPC %s event %d", argv[-1], (int)type); } else { - config->ipc_policy &= ~type; + //config->ipc_policy &= ~type; sway_log(L_DEBUG, "Disabled IPC %s event", argv[-1]); } -- cgit v1.2.3 From 1980a0835804b205da1fa00187640ae8a0c4f9be Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Mon, 20 Feb 2017 06:30:25 -0500 Subject: Enforce new IPC policies --- sway/commands/ipc.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'sway/commands/ipc.c') diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c index 44d7a010..6b29706e 100644 --- a/sway/commands/ipc.c +++ b/sway/commands/ipc.c 
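Review bot: With both `config->ipc_policy |= type` and `config->ipc_policy &= ~type` commented out, `ipc_cmd` and `ipc_event` still accept every enable/disable line and log "Enabled IPC %s feature", but no state changes, so a policy written into the security config during this intermediate state is silently not enforced while the debug log claims it is. If this scaffolding is meant to land on its own, the commands should say so rather than look applied, e.g. `return cmd_results_new(CMD_FAILURE, "ipc", "IPC policy enforcement is not implemented yet");` in place of the silent branch, or at least a `// TODO: enforcement moved to per-program policies` next to the commented-out lines. Both `cmd_ipc_cmd` and `cmd_ipc_event_cmd` start and end outside these hunks.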
@@ -1,18 +1,23 @@ #include #include +#include "sway/security.h" #include "sway/commands.h" #include "sway/config.h" #include "ipc.h" #include "log.h" #include "util.h" +static struct ipc_policy *current_policy = NULL; + struct cmd_results *cmd_ipc(int argc, char **argv) { struct cmd_results *error = NULL; - if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 1))) { + if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 2))) { return error; } - if (config->reading && strcmp("{", argv[0]) != 0) { + const char *program = argv[0]; + + if (config->reading && strcmp("{", argv[1]) != 0) { return cmd_results_new(CMD_INVALID, "ipc", "Expected '{' at start of IPC config definition."); } @@ -26,6 +31,8 @@ struct cmd_results *cmd_ipc(int argc, char **argv) { "This command is only permitted to run from " SYSCONFDIR "/sway/security"); } + current_policy = alloc_ipc_policy(program); + return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL); } @@ -86,10 +93,10 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) { } if (enabled) { - //config->ipc_policy |= type; - sway_log(L_DEBUG, "Enabled IPC %s feature %d", argv[-1], (int)type); + current_policy->features |= type; + sway_log(L_DEBUG, "Enabled IPC %s feature", argv[-1]); } else { - //config->ipc_policy &= ~type; + current_policy->features &= ~type; sway_log(L_DEBUG, "Disabled IPC %s feature", argv[-1]); } @@ -134,10 +141,10 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) { } if (enabled) { - //config->ipc_policy |= type; - sway_log(L_DEBUG, "Enabled IPC %s event %d", argv[-1], (int)type); + current_policy->features |= type; + sway_log(L_DEBUG, "Enabled IPC %s event", argv[-1]); } else { - //config->ipc_policy &= ~type; + current_policy->features &= ~type; sway_log(L_DEBUG, "Disabled IPC %s event", argv[-1]); } -- cgit v1.2.3 From eabfb6c5598d5b655b40d8677d97b58cce757ef5 Mon Sep 17 00:00:00 2001 
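Review bot: `cmd_ipc_cmd` and `cmd_ipc_event_cmd` dereference the file-scope `current_policy` (`current_policy->features |= type;`) without checking it, and the only assignment visible is in `cmd_ipc`, which itself never checks that `alloc_ipc_policy(program)` returned non-NULL. An `ipc_cmd`/`ipc_event` line reached when `current_policy` is still NULL is a null-pointer dereference in the compositor while it parses a security config, and nothing in this file resets the pointer when the block closes, so a stray line after the block would silently edit the previous program's policy (hedged: block-end handling may live elsewhere). Each of the two enable/disable sites should start with `if (!current_policy) { return cmd_results_new(CMD_FAILURE, "ipc", "Not inside an ipc block"); }`. Both functions begin outside the hunks.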
From: Drew DeVault Date: Mon, 20 Feb 2017 06:48:33 -0500 Subject: Add * policies and fix bug --- sway/commands/ipc.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sway/commands/ipc.c') diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c index 6b29706e..d49aab64 100644 --- a/sway/commands/ipc.c +++ b/sway/commands/ipc.c @@ -32,6 +32,7 @@ struct cmd_results *cmd_ipc(int argc, char **argv) { } current_policy = alloc_ipc_policy(program); + list_add(config->ipc_policies, current_policy); return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL); } @@ -74,6 +75,7 @@ struct cmd_results *cmd_ipc_cmd(int argc, char **argv) { char *name; enum ipc_feature type; } types[] = { + { "*", IPC_FEATURE_ALL_COMMANDS }, { "command", IPC_FEATURE_COMMAND }, { "workspaces", IPC_FEATURE_GET_WORKSPACES }, { "outputs", IPC_FEATURE_GET_OUTPUTS }, @@ -123,6 +125,7 @@ struct cmd_results *cmd_ipc_event_cmd(int argc, char **argv) { char *name; enum ipc_feature type; } types[] = { + { "*", IPC_FEATURE_ALL_EVENTS }, { "workspace", IPC_FEATURE_EVENT_WORKSPACE }, { "output", IPC_FEATURE_EVENT_OUTPUT }, { "mode", IPC_FEATURE_EVENT_MODE }, -- cgit v1.2.3 From 126ce571dab09d84d8ee1b760981dbba7cbc1000 Mon Sep 17 00:00:00 2001 From: Drew DeVault Date: Mon, 20 Feb 2017 07:42:08 -0500 Subject: Read configs from /etc/sway/security.d/* --- sway/commands/ipc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'sway/commands/ipc.c') diff --git a/sway/commands/ipc.c b/sway/commands/ipc.c index d49aab64..8a7b849f 100644 --- a/sway/commands/ipc.c +++ b/sway/commands/ipc.c @@ -14,6 +14,9 @@ struct cmd_results *cmd_ipc(int argc, char **argv) { if ((error = checkarg(argc, "ipc", EXPECTED_EQUAL_TO, 2))) { return error; } + if ((error = check_security_config())) { + return error; + } const char *program = argv[0]; 
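Review bot: `list_add(config->ipc_policies, current_policy)` appends unconditionally, so two `ipc <program> { ... }` blocks for the same program (now easy to produce once policies are read from several files) yield two entries, and which one the lookup honours decides whether the permissive or the restrictive policy applies; the lookup is not on this page, so the precedence is not reviewable here. Either reject a duplicate at this point with `return cmd_results_new(CMD_INVALID, "ipc", "Duplicate ipc policy for program");` after scanning the list, or document the rule next to the call with `// Later policies for the same program are appended; lookup order decides precedence`. The `"*"` entries also rely on `IPC_FEATURE_ALL_COMMANDS`/`IPC_FEATURE_ALL_EVENTS` being exactly the OR of the individual bits and on the policy starting with `features` cleared, neither of which is visible from this hunk. `cmd_ipc` and the two `types[]` tables are cut at the hunk edges.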
@@ -26,11 +29,6 @@ struct cmd_results *cmd_ipc(int argc, char **argv) { return cmd_results_new(CMD_FAILURE, "ipc", "Can only be used in config file."); } - if (!current_config_path || strcmp(SYSCONFDIR "/sway/security", current_config_path) != 0) { - return cmd_results_new(CMD_INVALID, "permit", - "This command is only permitted to run from " SYSCONFDIR "/sway/security"); - } - current_policy = alloc_ipc_policy(program); list_add(config->ipc_policies, current_policy); -- cgit v1.2.3
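Review bot: Removing the `current_config_path` comparison makes `check_security_config()` (added at the top of `cmd_ipc` in the earlier hunk) the sole gate on who may define an IPC policy, and with policies now read from a directory of drop-ins that check needs to cover each file's ownership and permissions, not just the directory; its body is not on this page, so please confirm. In the remaining lines `alloc_ipc_policy(program)` is still unchecked before `list_add`, so an allocation failure stores a NULL policy and the next `ipc_cmd` line dereferences it: `if (!current_policy) { return cmd_results_new(CMD_FAILURE, "ipc", "Unable to allocate ipc policy"); }` before the `list_add`. The function starts outside the hunk.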