mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2025-11-03 09:01:43 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Check for CAP_SYS_PTRACE

Browse source
This commit is contained in:
Drew DeVault 2016-12-02 18:37:01 -05:00
parent d353da248b
commit 8577095db7
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
sway/CMakeLists.txt
View file

@ -55,6 +55,7 @@ target_link_libraries(sway
${PANGO_LIBRARIES} ${PANGO_LIBRARIES}
${JSONC_LIBRARIES} ${JSONC_LIBRARIES}
m m
cap
) )
install( install(

10
sway/main.c
View file

@ -9,6 +9,7 @@
#include <signal.h> #include <signal.h>
#include <unistd.h> #include <unistd.h>
#include <getopt.h> #include <getopt.h>
#include <sys/capability.h>
#include "sway/extensions.h" #include "sway/extensions.h"
#include "sway/layout.h" #include "sway/layout.h"
#include "sway/config.h" #include "sway/config.h"
@ -151,6 +152,15 @@ static void security_sanity_check() {
sway_log(L_ERROR, sway_log(L_ERROR,
"!! DANGER !! /proc is not available - sway CANNOT enforce security rules!"); "!! DANGER !! /proc is not available - sway CANNOT enforce security rules!");
} }
cap_flag_value_t v;
cap_t cap = cap_get_proc();
if (!cap || cap_get_flag(cap, CAP_SYS_PTRACE, CAP_PERMITTED, &v) != 0 || v != CAP_SET) {
sway_log(L_ERROR,
"!! DANGER !! Sway does not have CAP_SYS_PTRACE and cannot enforce security rules for processes running as other users.");
}
if (cap) {
cap_free(cap);
}
if (!stat(SYSCONFDIR "/sway", &s)) { if (!stat(SYSCONFDIR "/sway", &s)) {
if (s.st_uid != 0 || s.st_gid != 0 if (s.st_uid != 0 || s.st_gid != 0
|| (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) { || (s.st_mode & S_IWGRP) || (s.st_mode & S_IWOTH)) {