GSoC Project 2: Improve Security Model for SWHKD
For full context and technical details: GSoC Logs
Changes
Server no longer executes commands: The server is now only used for getting the environment from the user space so that the daemon can use it to execute the process. This means that the server only responds with the env and can no longer act as a command execution medium.
Server and daemon communicate using an event-based system: A hash-based system is used to ensure that the env is refreshed only when needed. The server and daemon communicate using a socket-based IPC.
Remove Polkit dependency: Now the daemon can be run simply by setting the uid bit to `0` or using `sudo` or `doas`. Hence the polkit and `pkexec` dependency has now been retired.
User config file reading: The initial connection to the server is blocking, hence it is guaranteed that the daemon has access to the user's env. Hence, swhkd can now use the config file at `XDG_CONFIG_DIR/swhkd` by default.
Thread de-escalation: The commands that are parsed and detected by the daemon are executed by the daemon itself in a de-escalated thread. The daemon communicates with this thread using `tokio::sync::mpsc::channel`.
Update Documentation and Makefile: The Makefile and documentation have been updated accordingly, so to get this change, simply running the appropriate make command will work.
Final Flow
The final flow of the daemon is as follows:
The daemon is launched in the root space and the server is launched in the user space.
This is reminiscent of the old IPC model as such:
./swhks && doas ./swhkd
The `doas` or `sudo` can be skipped by making the swhkd binary a setuid binary. This can be done by running the following command:
Right after this is done, the first connection to the server is made and the server sends the env to the daemon.
This is blocking.
A thread is spawned that is valid throughout the lifetime of the daemon.
The thread is also de-escalated to the user space and can communicate with the daemon through a channel.
Next, the daemon starts listening for the key events.
When a key event is detected, the daemon just sends it to the thread through the channel which executes it.
When the env is updated and the env hash changes, an event is sent that refreshes the env.
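The flow above (blocking initial env hand-off, a long-lived worker thread fed over a channel, and a hash check so the env is only refreshed when it actually changed) can be modelled end to end without any privileges. The following Rust program is an added illustration written for this page; it is not swhkd's own code. It assumes a constructed environment map, uses `std::sync::mpsc` in place of the tokio channel mentioned in the change list, and has the worker record each command together with the `PATH` it would have run under instead of really executing it. The setuid/de-escalation step itself is not modelled, since that requires root and is exactly what the real daemon does in its worker thread.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::BTreeMap;
use std::hash::{Hash, Hasher};
use std::sync::mpsc;
use std::thread;

/// Environment as received from the user-space server. A sorted map makes the
/// hash independent of the order in which the server collected the variables.
pub type Env = BTreeMap<String, String>;

/// Hash of the whole environment; the daemon only refreshes its copy when this changes.
pub fn env_hash(env: &Env) -> u64 {
    let mut h = DefaultHasher::new();
    env.hash(&mut h);
    h.finish()
}

/// Messages the daemon sends to its de-escalated worker thread over the channel.
pub enum Msg {
    /// A hotkey fired: run this command line with the currently cached env.
    Run(String),
    /// The server announced a new environment (already hash-checked by the daemon).
    RefreshEnv(Env),
    Shutdown,
}

/// Daemon-side record of the last env hash it forwarded to the worker.
pub struct EnvCache {
    hash: u64,
}

impl EnvCache {
    pub fn new(initial: &Env) -> Self {
        EnvCache { hash: env_hash(initial) }
    }

    /// Returns true (and records the new hash) only when the env really changed,
    /// so a server re-sending an identical env produces no refresh event.
    pub fn changed(&mut self, candidate: &Env) -> bool {
        let h = env_hash(candidate);
        if h == self.hash {
            false
        } else {
            self.hash = h;
            true
        }
    }
}

/// Worker thread standing in for the de-escalated user-space thread. It lives for
/// the whole run and, instead of executing commands, logs (command, PATH) pairs so
/// the caller can see which env each command would have been launched with.
pub fn spawn_worker(initial: Env) -> (mpsc::Sender<Msg>, thread::JoinHandle<Vec<(String, String)>>) {
    let (tx, rx) = mpsc::channel::<Msg>();
    let handle = thread::spawn(move || {
        let mut env = initial;
        let mut log = Vec::new();
        for msg in rx {
            match msg {
                Msg::Run(cmd) => {
                    let path = env.get("PATH").cloned().unwrap_or_default();
                    log.push((cmd, path));
                }
                Msg::RefreshEnv(new_env) => env = new_env,
                Msg::Shutdown => break,
            }
        }
        log
    });
    (tx, handle)
}

/// Drives the whole flow on constructed data; returns the worker's log and the
/// number of refresh events the daemon actually emitted.
pub fn simulate() -> (Vec<(String, String)>, usize) {
    // Constructed env, as the blocking first connection would deliver it.
    let mut env1 = Env::new();
    env1.insert("PATH".into(), "/usr/bin".into());
    env1.insert("WAYLAND_DISPLAY".into(), "wayland-0".into());
    let mut cache = EnvCache::new(&env1);
    let (tx, handle) = spawn_worker(env1.clone());
    let mut refreshes = 0;

    tx.send(Msg::Run("firefox".into())).unwrap();
    // Server re-sends an identical env: hash unchanged, no refresh is sent.
    if cache.changed(&env1) {
        refreshes += 1;
        tx.send(Msg::RefreshEnv(env1.clone())).unwrap();
    }
    // User extends PATH in their session: hash changes, exactly one refresh.
    let mut env2 = env1.clone();
    env2.insert("PATH".into(), "/home/user/.local/bin:/usr/bin".into());
    if cache.changed(&env2) {
        refreshes += 1;
        tx.send(Msg::RefreshEnv(env2.clone())).unwrap();
    }
    tx.send(Msg::Run("alacritty".into())).unwrap();
    tx.send(Msg::Shutdown).unwrap();
    (handle.join().unwrap(), refreshes)
}

fn main() {
    let (log, refreshes) = simulate();
    println!("refresh events: {refreshes}");
    for (cmd, path) in log {
        println!("{cmd} with PATH={path}");
    }
}
```

The point the simulation makes is that the worker only ever sees an env the daemon has explicitly forwarded, and that the hash check keeps chatter from the server from turning into needless refreshes; the second command picks up the new `PATH` while the first ran under the original one.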