Implement permit and reject commands

1 files changed, 52 insertions, 0 deletions

diff --git a/config.d/security.in b/config.d/security.in
new file mode 100644
index 00000000..f59b2980
--- /dev/null
+++ b/config.d/security.in
@@ -0,0 +1,52 @@
+# sway security rules
+#
+# Read sway-security(7) for details on how to secure your sway install.
+#
+# You MUST read this man page if you intend to attempt to secure your sway
+# installation.
+
+# Configures which programs are allowed to use which sway features
+permit __PREFIX__/swaylock lock
+permit __PREFIX__/swaybar panel
+permit __PREFIX__/swaybg background
+permit __PREFIX__/swaygrab screenshot
+
+permit * fullscreen keyboard mouse
+
+# Configures which IPC features are enabled
+ipc {
+    command enabled
+    outputs enabled
+    workspaces enabled
+    tree enabled
+    marks enabled
+    bar-config enabled
+    inputs enabled
+
+    events {
+        workspace enabled
+        output enabled
+        mode enabled
+        window enabled
+        bar-config enabled
+        binding enabled
+        modifier enabled
+        input enabled
+    }
+}
+
+# Limits the contexts from which certain commands are permitted
+commands {
+    fullscreen binding criteria
+    bindsym config
+    exit binding
+    kill binding
+
+    # You should not change these unless you know what you're doing - it could
+    # cripple your security
+    reload binding
+    restart binding
+    permit config
+    reject config
+    ipc config
+}