
Security features #981

Merged
merged 31 commits into from
Dec 4, 2016

Conversation

ddevault
Contributor

@ddevault ddevault commented Dec 2, 2016

  • Default security config for /etc/sway/config.d/
  • Run config files through sed to replace PREFIX and SYSCONFDIR
  • Config structure changes & support code
  • Implement the permit and reject commands
  • Feature policies
    • background
    • panel
    • lock
    • fullscreen
    • keyboard
    • mouse
    • ipc
  • Command policies
  • IPC security
    • Enable/disable features
    • Enable/disable events
  • Startup sanity check
    • Check permissions on /etc/sway
    • Check procfs is available
    • Check for CAP_SYS_PTRACE
    • Check for security sensitive command policies
  • Write sway-security(7)
  • Drop -Denable-binding-event from cmake

To do separately:

  • Optimize permission checks
  • Feature policies
    • screenshot
  • New Wayland protocol extensions
    • Screenshot
  • Startup sanity check
    • Check permissions of all config files
    • Inform user visually of sanity check failures
  • Gracefully handle permission errors in swaybar, swaygrab, swaymsg, etc
  • Paranoid mode for swaygrab
  • Standard mechanisms for sandboxing (collab with wayland-devel)
  • Configure IPC features per-executable
  • Match on /proc/[pid]/cmdline in addition to exe for permissions

I'm accepting PRs against the security branch if anyone wants to help. Feedback welcome.

@ddevault
Contributor Author

ddevault commented Dec 2, 2016

Paging @yohanesu75 for FreeBSD review

@ddevault ddevault changed the title from "[WIP] Security features" to "Security features" Dec 2, 2016
@ddevault
Contributor Author

ddevault commented Dec 2, 2016

Alright, this pull request should be good to go. Going to leave it open for a couple of days to gather feedback and reviews - please take a look at this and let me know what you think. Can you find some flaws?

Will tag 0.12-rc1 once this is merged (will grab #963 too).

@minus7
Contributor

minus7 commented Dec 3, 2016

Regarding default policies: Imho the default, without explicit configuration, should be to deny everything. This way there's no possibility to miss denying some permission when trying to create a secure setup. The config then has to grant "default" permissions (like keyboard/mouse/fullscreen) explicitly via wildcard match. From a usage perspective this isn't a problem because an example ("default") config is shipped anyway.

(Careful with the word "default" here, as it's used to refer to two different contexts)
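One way to model the default-deny evaluation minus7 argues for, together with the "check permissions on /etc/sway" startup check from the PR description, as an added Python example. This is constructed here and is not sway's code; the `permit`/`reject` line syntax, the last-match-wins ordering and the function names are assumptions, not sway-security(7).

```python
"""Default-deny feature-policy resolver plus a config-permission sanity check.
Constructed illustration of the ideas in this thread, NOT sway's parser or
its real config syntax."""
import fnmatch
import stat
from typing import FrozenSet, List, Tuple

# Feature names from the PR description ("screenshot" is listed as to-do).
FEATURES = {"background", "panel", "lock", "fullscreen", "keyboard", "mouse",
            "ipc", "screenshot"}
Rule = Tuple[str, str, FrozenSet[str]]  # (permit|reject, exe glob, features)


def parse_policy(text: str) -> List[Rule]:
    """Parse hypothetical 'permit|reject <exe-glob> <feature>...' lines."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("permit", "reject"):
            raise ValueError(f"line {lineno}: expected permit|reject <exe> <feature>...")
        feats = frozenset(parts[2:])
        if not feats <= FEATURES:  # reject typos instead of silently ignoring them
            raise ValueError(f"line {lineno}: unknown feature(s) {sorted(feats - FEATURES)}")
        rules.append((parts[0], parts[1], feats))
    return rules


def is_permitted(rules: List[Rule], exe: str, feature: str) -> bool:
    """Default deny: a feature is granted only if some rule grants it.
    Rules apply in file order, so a later narrow reject overrides an earlier
    wildcard permit (and vice versa)."""
    decision = False
    for action, glob, feats in rules:
        if feature in feats and fnmatch.fnmatchcase(exe, glob):
            decision = action == "permit"
    return decision


def policy_file_is_trusted(st_mode: int, st_uid: int, trusted_uids: FrozenSet[int]) -> bool:
    """Startup sanity check modelled on 'check permissions on /etc/sway': a policy
    file must be a regular file owned by a trusted uid and not group/world
    writable, otherwise any local process could rewrite it and grant itself features."""
    return (stat.S_ISREG(st_mode) and st_uid in trusted_uids
            and not st_mode & (stat.S_IWGRP | stat.S_IWOTH))


SAMPLE_POLICY = """  # constructed sample: wildcard baseline, explicit overrides
permit * keyboard mouse fullscreen     # the "default" grants, stated explicitly
permit /usr/bin/swaybar panel ipc
permit /usr/bin/swaylock lock keyboard
reject /usr/bin/untrusted keyboard     # narrower reject wins over the wildcard
"""
```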

And update config.d/security to configure sane defaults
@ddevault ddevault merged commit 5778c59 into master Dec 4, 2016
@ddevault ddevault deleted the security branch December 4, 2016 13:30
@ddevault ddevault mentioned this pull request Dec 4, 2016