Implement policy lookups

2025-11-03 09:01:43 -05:00 · 2016-12-01 19:58:11 -05:00 · 2016-12-01 19:58:11 -05:00 · 2675293200
commit 2675293200
parent 44cc0ef125
5 changed files with 66 additions and 3 deletions
--- a/include/security.h
+++ b/include/security.h
@ -3,7 +3,7 @@
 #include <unistd.h>
 #include "sway/config.h"

-const struct feature_permissions *get_permissions(pid_t pid);
-enum command_context get_command_context(const char *cmd);
+enum secure_features get_feature_policy(pid_t pid);
+enum command_context get_command_policy(const char *cmd);

 #endif
--- a/include/sway/config.h
+++ b/include/sway/config.h
@ -206,7 +206,6 @@ enum secure_feature {

 struct feature_policy {
 	char *program;
-	bool permit;
 	enum secure_feature features;
 };

--- a/include/sway/security.h
+++ b/include/sway/security.h
@ -0,0 +1,9 @@
+#ifndef _SWAY_SECURITY_H
+#define _SWAY_SECURITY_H
+#include <unistd.h>
+#include "sway/config.h"
+
+const struct feature_permissions *get_permissions(pid_t pid);
+enum command_context get_command_context(const char *cmd);
+
+#endif
--- a/sway/CMakeLists.txt
+++ b/sway/CMakeLists.txt
@ -35,6 +35,7 @@ add_executable(sway
 	output.c
 	workspace.c
 	border.c
+    security.c
 )

 add_definitions(
--- a/sway/security.c
+++ b/sway/security.c
@ -0,0 +1,54 @@
+#include <unistd.h>
+#include <stdio.h>
+#include "sway/config.h"
+#include "sway/security.h"
+#include "log.h"
+
+enum secure_feature get_feature_policy(pid_t pid) {
+	const char *fmt = "/proc/%d/exe";
+	int pathlen = snprintf(NULL, 0, fmt, pid);
+	char *path = malloc(pathlen + 1);
+	snprintf(path, pathlen + 1, fmt, pid);
+	static char link[2048];
+
+	enum secure_feature default_policy =
+		FEATURE_FULLSCREEN | FEATURE_KEYBOARD | FEATURE_MOUSE;
+
+	ssize_t len = readlink(path, link, sizeof(link));
+	if (len < 0) {
+		sway_log(L_INFO,
+			"WARNING: unable to read %s for security check. Using default policy.",
+			path);
+		strcpy(link, "*");
+	} else {
+		link[len] = '\0';
+	}
+
+	for (int i = 0; i < config->feature_policies->length; ++i) {
+		struct feature_policy *policy = config->feature_policies->items[i];
+		if (strcmp(policy->program, "*")) {
+			default_policy = policy->features;
+		}
+		if (strcmp(policy->program, link) == 0) {
+			return policy->features;
+		}
+	}
+
+	return default_policy;
+}
+
+enum command_context get_command_policy(const char *cmd) {
+	enum command_context default_policy = CONTEXT_ALL;
+
+	for (int i = 0; i < config->command_policies->length; ++i) {
+		struct command_policy *policy = config->command_policies->items[i];
+		if (strcmp(policy->command, "*")) {
+			default_policy = policy->context;
+		}
+		if (strcmp(policy->command, cmd) == 0) {
+			return policy->context;
+		}
+	}
+
+	return default_policy;
+}