weight | title |
---|---|
12 | Permissions |
If you have hyprland-qtutils installed, you can make use of Hyprland's built-in permission system.
For now, it only has one permission, but it might include more in the future.
Permissions
Permissions work a bit like Android ones. If an app tries to do something sensitive with the compositor (Hyprland), Hyprland will pop up a notification asking you if you want to let it do that.
{{< callout type=info >}}
Before setting up permissions, make sure you enable them by setting ecosystem:enforce_permissions = true, as it's disabled by default.
{{</ callout >}}
Configuring permissions
{{< callout type=important >}}
Permissions set up in the config are not reloaded on-the-fly and require a Hyprland restart for security reasons.
{{</ callout >}}
Configuring them is simple:
permission = regex, permission, mode
for example:
permission = /usr/bin/grim, screencopy, allow
Will allow /usr/bin/grim to always capture your screen without asking.
permission = /usr/bin/appsuite-.*, screencopy, allow
Will allow any app whose path starts with /usr/bin/appsuite- to capture your screen without asking.
Permission modes
There are 3 modes:
- allow: Don't ask, just allow the app to proceed.
- ask: Pop up a notification every time the app tries to do something sensitive. These popups allow you to Deny, Allow until the app exits, or Allow until Hyprland exits.
- deny: Don't ask, always deny the application access.
Permission list
screencopy:
- Access to your screen without going through xdg-desktop-portal-hyprland. Examples include: grim, wl-screenrec, wf-recorder.
- If denied, will render a black screen with a "permission denied" text.
- Why deny? For apps / scripts that might maliciously try to capture your screen without your knowledge by using wayland protocols directly.
plugin:
- Access to load a plugin. Can be either a regex for the app binary, or plugin path.
- Do not allow hyprctl to load your plugins by default (attacker could issue hyprctl plugin load /tmp/my-malicious-plugin.so) - use either deny to disable or ask to be prompted.
Notes
xdg-desktop-portal implementations (including xdph) are just regular applications. They will go through permissions too. You might want to consider adding a rule like this:
permission = /usr/(lib|libexec|lib64)/xdg-desktop-portal-hyprland, screencopy, allow
if you are not allowing screencopy for all apps.
On some BSD systems paths might not work. In such cases, you might want to disable permissions altogether, by setting
ecosystem {
    enforce_permissions = false
}
otherwise, you have no config control over permissions (popups will still work, although will not show paths, and "remember" will not be available).
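
A small audit script for the rule syntax and advice on this page, as an added example that is not part of the Hyprland documentation or code base: it checks that enforcement is enabled, that each rule names a listed permission and mode, and flags allow rules that match user-writable paths or let hyprctl load plugins. The probe paths, the finding texts, and whole-path matching approximated with Python's re module are assumptions.

```python
import re
MODES = {"allow", "ask", "deny"}
PERMISSIONS = {"screencopy", "plugin"}  # the permissions listed on this page
# Constructed probe paths (assumptions): user-writable spots and usual hyprctl paths.
WRITABLE_PROBES = ["/tmp/x", "/home/user/.local/bin/x"]
HYPRCTL_PROBES = ["/usr/bin/hyprctl", "/usr/local/bin/hyprctl"]

def audit(config_text):
    """Return findings for the permission rules in a Hyprland config text."""
    lines = [(no, raw.strip()) for no, raw in enumerate(config_text.splitlines(), 1)]
    lines = [(no, l) for no, l in lines if l and not l.startswith("#")]
    findings = []
    if not any(re.search(r"enforce_permissions\s*=\s*true\b", l) for _, l in lines):
        findings.append("enforce_permissions is not set to true")
    for no, line in lines:
        m = re.match(r"permission\s*=\s*(.*)$", line)
        if not m:
            continue
        # The regex field may itself contain commas, so split from the right.
        parts = [p.strip() for p in m.group(1).rsplit(",", 2)]
        if len(parts) != 3 or parts[1] not in PERMISSIONS or parts[2] not in MODES:
            findings.append(f"line {no}: malformed rule, unknown permission or mode")
            continue
        pattern, perm, mode = parts
        try:
            rx = re.compile(pattern)
        except re.error:
            findings.append(f"line {no}: regex does not compile")
            continue
        if mode != "allow":
            continue
        # Assumption: a rule applies only when the regex matches the whole path.
        if any(rx.fullmatch(p) for p in WRITABLE_PROBES):
            findings.append(f"line {no}: allow rule also matches user-writable paths")
        if perm == "plugin" and any(rx.fullmatch(p) for p in HYPRCTL_PROBES):
            findings.append(f"line {no}: hyprctl can load plugins without a prompt")
    return findings

# Constructed sample config, not taken from a real system.
SAMPLE = """\
ecosystem:enforce_permissions = true
permission = /usr/bin/grim, screencopy, allow
permission = .*, screencopy, allow
permission = /usr/bin/hyprctl, plugin, allow
permission = /usr/bin/hyprctl, plugin, ask
permission = /usr/bin/foo, screencopy, permit
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```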