permissions: add permission con

trol

pages/Configuring/Environment-variables.md

@@ -1,5 +1,5 @@
 ---
-weight: 15
+weight: 16
 title: Environment variables
 ---
 

pages/Configuring/Example-configurations.md

@@ -1,5 +1,5 @@
 ---
-weight: 18
+weight: 19
 title: Example configurations
 ---
 

pages/Configuring/Expanding-functionality.md

@@ -1,5 +1,5 @@
 ---
-weight: 13
+weight: 14
 title: Expanding functionality
 ---
 

pages/Configuring/Multi-GPU.md

@@ -1,5 +1,5 @@
 ---
-weight: 16
+weight: 17
 title: Multi-GPU
 ---
 

pages/Configuring/Performance.md

@@ -1,5 +1,5 @@
 ---
-weight: 19
+weight: 20
 title: Performance
 ---
 

pages/Configuring/Permissions.md

@@ -0,0 +1,74 @@
+---
+weight: 12
+title: Permissions
+---
+
+If you have `hyprland-qtutils` installed, you can make use of Hyprland's built-in
+permission system.
+
+For now, it only has one permission, but it might include more in the future.
+
+## Permissions
+
+Permissions work a bit like Android ones. If an app tries to do something sensitive with
+the compositor (Hyprland), Hyprland will pop up a notification asking you if you
+want to let it do that.
+
+{{< callout type=info >}}
+
+Before setting up permissions, make sure you enable them by setting
+`ecosystem:enforce_permissions = true`, as it's disabled by default.
+
+{{</ callout >}}
+
+
+### Configuring permissions
+
+Configuring them is simple:
+
+```ini
+permission = regex, permission, mode
+```
+
+for example:
+```ini
+permission = /usr/bin/grim, screencopy, allow
+```
+Will allow `/usr/bin/grim` to always capture your screen without asking.
+
+
+### Permisision modes
+
+There are 3 modes:
+- `allow`: Don't ask, just allow the app to proceed.
+- `ask`: Pop up a notification every time the app tries to do something sensitive. These popups allow you to Deny, Allow until the app exits, or Allow until Hyprland exits.
+- `deny`: Don't ask, always deny the application access.
+
+
+### Permission list
+
+`screencopy`:
+ - Access to your screen _without_ going through xdg-desktop-portal-hyprland. Examples include: `grim`, `wl-screenrec`, `wf-recorder`.
+ - If denied, will render a black screen with a "permission denied" text.
+ - Why deny? For apps / scripts that might maliciously try to capture your screen without your knowledge by using wayland protocols directly.
+
+
+## Notes
+
+**xdg-desktop-portal** implementations (including xdph) are just regular applications. They will go through permissions too. You might want to consider
+adding a rule like this:
+```ini
+permission = /usr/(lib|libexec|lib64)/xdg-desktop-portal-hyprland, screencopy, allow
+```
+if you are not allowing screencopy for all apps.
+
+<br/>
+
+On some **BSD** systems paths might not work. In such cases, you might want to disable permissions altogether, by setting
+```ini
+ecosystem {
+  enforce_permissions = false
+}
+```
+otherwise, you have no _config_ control over permissions (popups will still work, although will not show paths, and "remember" will not be available).
+

pages/Configuring/Uncommon-tips-&-tricks.md

@@ -1,5 +1,5 @@
 ---
-weight: 17
+weight: 18
 title: Uncommon tips & tricks
 ---
 

pages/Configuring/Using-hyprctl.md

@@ -1,5 +1,5 @@
 ---
-weight: 12
+weight: 13
 title: Using hyprctl
 ---
 

pages/Configuring/Variables.md

@@ -492,6 +492,7 @@ _Subcategory `group:groupbar:`_
 | --- | --- | --- | --- |
 | no_update_news | disable the popup that shows up when you update hyprland to a new version. | bool | false |
 | no_donation_nag | disable the popup that shows up twice a year encouraging to donate. | bool | false |
+| enforce_permissions | whether to enable [permission control](../Permissions). | bool | false |
 
 ### Experimental
 

pages/Configuring/XWayland.md

@@ -1,5 +1,5 @@
 ---
-weight: 14
+weight: 15
 title: XWayland
 ---