Skip to content

sway: new policy module #1037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
WavyEbuilder wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

sway: new policy module #1037

WavyEbuilder wants to merge 3 commits into from

Conversation

@WavyEbuilder
Copy link
Contributor

@WavyEbuilder WavyEbuilder commented Nov 1, 2025

Very WIP atm. PR created early such that others can give feedback as it progresses given that Wayland is still very novel in reference policy.

@pebenito Couple questions while I'm working on this:

  • I'm considering going the $1_sway_t approach - do you think this is useful? I noticed that we don't rely solely on UBAC for protection (e.g. with $1_systemd_t and hence I think given the scope of the compositor this might be desirable.
  • I did consider giving the wayland_compositor typeattribute manage files perms on wayland_compositor_tmpfs_type, but decided against this so that different running compositors can't "contaminate" each others tmpfs's - I don't think this is a huge deal, but it adds a bit of repetition for consumers of the Wayland module (each compositor needs to give itself manage file perms + map on its tmpfs). Would you like me to change this? I personally think having them be separate is the best approach, but of course open to suggestions/ideas.

Anyone else please also free to leave reviews and/or comment, very much open to opinions for this.

cc @aerusso @0xC0ncord

Thanks!

@WavyEbuilder WavyEbuilder force-pushed the sway branch 2 times, most recently from 38a0d14 to f49a66f Compare November 1, 2025 02:32
@WavyEbuilder
Copy link
Contributor Author

WavyEbuilder commented Nov 2, 2025

w.r.t to needing $1_sway_t, I just realised I don't have a choice anyway, I of course need to domtrans things executed by sway out, and because it prefixes with /bin/sh before executing, that's obviously going to need to be to the respective $user_ts, and there is of course no domtranses to different domains from the same file entrypoint for the same domain. So I guess that settles that.

@WavyEbuilder WavyEbuilder force-pushed the sway branch 4 times, most recently from d90b59c to 0640d78 Compare November 3, 2025 00:27
@WavyEbuilder
sway: new policy module
f0b167e 
Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
@WavyEbuilder
wayland: grant access to /dev/input for libinput
03d5a18 
Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
@WavyEbuilder
wayland: allow talking to logind over dbus
3ef24a6 
Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
@WavyEbuilder
Copy link
Contributor Author

WavyEbuilder commented Nov 3, 2025

There's a lot of Wayland module related changes now that I'm using it in an actual compositor, so I'll split that out into a separate PR as that can be merged before this (ideally we can get some of the base sway tools in this one too, e.g. swaynag and swaymsg).

@pebenito
Copy link
Member

pebenito commented Nov 18, 2025
edited
Loading

I did consider giving the wayland_compositor typeattribute manage files perms on wayland_compositor_tmpfs_type, but decided against this so that different running compositors can't "contaminate" each others tmpfs's

I'm not familiar with these aspects of wayland, but I suspect they should be separate too.

I don't think this is a huge deal, but it adds a bit of repetition for consumers of the Wayland module (each compositor needs to give itself manage file perms + map on its tmpfs). Would you like me to change this? I personally think having them be separate is the best approach, but of course open to suggestions/ideas.

Perhaps a template would help with the repetition.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@WavyEbuilder @pebenito