Add sway-security(7)

2026-04-29 06:46:22 -04:00 · 2018-07-28 11:14:13 -04:00 · 2018-07-28 11:14:13 -04:00 · b80a4b27f1
commit b80a4b27f1
parent 4bebee620f
3 changed files with 125 additions and 41 deletions
--- a/meson.build
+++ b/meson.build
@ -89,6 +89,7 @@ if scdoc.found()
 		'sway/sway.5.scd',
 		'sway/sway-bar.5.scd',
 		'sway/sway-input.5.scd',
 		'sway/sway-security.7.scd',
 		'swaylock/swaylock.1.scd',
 		'swaymsg/swaymsg.1.scd',
 		'swayidle/swayidle.1.scd',
--- a/security.d/00-defaults.in
+++ b/security.d/00-defaults.in
@ -5,46 +5,12 @@
 # You MUST read this man page if you intend to attempt to secure your sway
 # installation.
 #
-# DO NOT CHANGE THIS FILE. Override these defaults by writing new files in
+# DO NOT CHANGE THIS FILE.
 #
 # Override these defaults by writing new files in
 # @sysconfdir@/sway/security.d/*
-# Configures enabled compositor features for specific programs
+permit * fullscreen
-permit * fullscreen keyboard mouse
+permit @prefix@/bin/swaylock zwlr_layer_shell_v1 zwlr_input_inhibt_manager_v1
-permit @prefix@/bin/swaylock lock
+permit @prefix@/bin/swaybg zwlr_layer_shell_v1
-permit @prefix@/bin/swaybg background
+permit @prefix@/bin/swaybar zwlr_layer_shell_v1
 permit @prefix@/bin/swaybar panel
 # Configures enabled IPC features for specific programs
 ipc @prefix@/bin/swaymsg {
    * enabled
    events {
        * disabled
    }
 }
 ipc @prefix@/bin/swaybar {
    bar-config enabled
    outputs enabled
    workspaces enabled
    command enabled
    events {
        workspace enabled
        mode enabled
    }
 }
 ipc @prefix@/bin/swaylock {
    outputs enabled
 }
 # Limits the contexts from which certain commands are permitted
 commands {
    * all
    fullscreen binding criteria
    bindsym config
    exit binding
    kill binding
 }
--- a/sway/sway-security.7.scd
+++ b/sway/sway-security.7.scd
@ -0,0 +1,117 @@
 sway-security(7)
 # NAME
 sway-security - Guidelines for securing your sway install
 # SECURITY OVERVIEW
 *Sway is not considered secure*. We are working on it but do not trust that we
 have it all figured out yet. The following man page is provisional.
 Securing sway requires careful configuration of your environment, the sort
 that's usually best suited to a distribution maintainer who wants to ship a
 secure sway environment in their distribution. Sway provides a number of means
 of securing it but you must make a few changes external to sway first.
 Configuration of security features is limited to files in the security
 directory (this is likely _/etc/sway/security.d/\*_, but depends on your
 installation prefix).  Files in this directory must be owned by _root:root_ and
 chmod _644_ or _444_. The default security configuration is installed to
 _/etc/sway/security.d/00-defaults_, and should not be modified - it will be
 updated with the latest recommended security defaults between releases. To
 override the defaults, you should add more files to this directory.
 Package maintainers who ship software which needs extra permissions for sway
 should include a file in this directory for that purpose.
 # ENVIRONMENT SECURITY
 *LD\_PRELOAD* is a mechanism designed to ruin the security of your system.
 There are a number of strategies for dealing with this, but they all suck a
 little. In order of most practical to least practical:
 . Only run important programs via exec. Sway's exec command will ensure that
  *LD\_PRELOAD* is unset when running programs.
 . Remove *LD\_PRELOAD* support from your dynamic loader (requires patching
  libc). This may break programs that rely on *LD\_PRELOAD* for legitimate
  functionality, but this is the most effective solution.
 . Use static linking for important programs. Of course statically linked
  programs are unaffected by the dynamic linking security dumpster fire.
 Note that should you choose method 1, you MUST ensure that sway itself isn't
 compromised by *LD\_PRELOAD*. It probably isn't, but you can be sure by setting
 _/usr/bin/sway_ to a+s (setuid), which will instruct the dynamic linker not to
 permit *LD\_PRELOAD* for it (and will also run it as root, which sway will
 shortly drop). You could also statically link sway itself.
 Note that *LD\_LIBRARY\_PATH* has all of these problems, and the same
 solutions.
 # IPC SECURITY
 Clients which have access to the IPC socket can use any IPC feature they want.
 Ensure untrusted clients do not have access to the IPC socket.
 # FEATURE POLICIES
 Certain sway features are security sensitive and may be configured with
 security policies. These features are:
 *fullscreen*
 	Permission to become fullscreen. Note that users can always make a window
 	fullscreen themselves with the fullscreen command.
 Additional features can be controlled by the name of their Wayland global.
 By default, no permissions are granted (though saner defaults are provided in
 _/etc/sway/config.d/security_). You can use the following configuration options
 to control a program's access:
 *permit* <executable> <features...>
 	Permits _executable_ to use _features_ (each feature separated by a space).
 	_executable_ may be \* to affect the default policy, or the full path to
 	the executable file.
 *reject* <executable> <features...>
 	Disallows _executable_ from using _features_ (each feature separated by a
 	space). _executable_ may be \* to affect the default policy, or the full
 	path to the executable file.
 By default, the following Wayland globals are hidden by default unless a
 *permit* statement is issued for them:
 *zwlr\_data\_control\_manager\_v1*
 	Used to monitor all clipboard activity.
 *zwlr\_export\_dmabuf\_manager\_v1*, *zwlr\_screencopy\_manager\_v1*
 	Both of these protocols are used to capture images of your screen.
 *zwlr\_gamma\_control\_manager\_v1*
 	Used to control gamma settings, i.e. Redshift functionality.
 *zwlr\_input\_inhibit\_manager\_v1*
 	Used to obtain exclusive input access, by lock screens and the like.
 *zwlr\_layer\_shell\_v1*
 	Used for panels, wallpapers, notifications, and other desktop components.
 *zwp\_virtual\_keyboard\_manager\_v1*
 	Used by on-screen keyboards.
 *IMPORTANT*: Sway is only able to enforce the security policy for clients which
 are spawned by sway via the *exec* or *exec\_always* sway commands. You can use
 *swaymsg(1)* to run the *exec* command externally. Any commands not executed in
 this manner are given the default policy.
 When you first declare a policy for an executable, it will inherit the default
 policy. Further changes to the default policy will not retroactively affect
 which permissions an earlier policy inherits. You must explicitly reject any
 features from the default policy that you do not want an executable to receive
 permission for.
 # AUTHORS
 Maintained by Drew DeVault <sir@cmpwn.com>, who is assisted by other open
 source contributors. For more information about sway development, see
 https://github.com/swaywm/sway.