From 72cb5d24b6894334da021157c626556a8e99b6ff Mon Sep 17 00:00:00 2001 From: Vaxry Date: Wed, 30 Apr 2025 00:35:32 +0100 Subject: [PATCH] permissions: disable automatic reloading of permissions from cfg security reasons, avoid reading them live. Ideally we'd lock them behind sudo, but we can't do that. --- example/hyprland.conf | 2 ++ src/config/ConfigManager.cpp | 5 ++--- src/config/defaultConfig.hpp | 2 ++ 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/example/hyprland.conf b/example/hyprland.conf index 3b63f6a8d..da9625bf6 100644 --- a/example/hyprland.conf +++ b/example/hyprland.conf @@ -57,6 +57,8 @@ env = HYPRCURSOR_SIZE,24 ################### # See https://wiki.hyprland.org/Configuring/Permissions/ +# Please note permission changes here require a Hyprland restart and are not applied on-the-fly +# for security reasons # ecosystem { # enforce_permissions = 1 diff --git a/src/config/ConfigManager.cpp b/src/config/ConfigManager.cpp index 0c45186ea..3c0f2cf8b 100644 --- a/src/config/ConfigManager.cpp +++ b/src/config/ConfigManager.cpp @@ -989,8 +989,6 @@ std::optional CConfigManager::resetHLConfig() { m_failedPluginConfigValues.clear(); m_finalExecRequests.clear(); - g_pDynamicPermissionManager->clearConfigPermissions(); - // paths m_configPaths.clear(); std::string mainConfigPath = getMainConfigPath(); @@ -2911,7 +2909,8 @@ std::optional CConfigManager::handlePermission(const std::string& c if (mode == PERMISSION_RULE_ALLOW_MODE_UNKNOWN) return "unknown permission allow mode"; - g_pDynamicPermissionManager->addConfigPermissionRule(data[0], type, mode); + if (m_isFirstLaunch) + g_pDynamicPermissionManager->addConfigPermissionRule(data[0], type, mode); return {}; } diff --git a/src/config/defaultConfig.hpp b/src/config/defaultConfig.hpp index 626114706..a9ea66948 100644 --- a/src/config/defaultConfig.hpp +++ b/src/config/defaultConfig.hpp 
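Review bot: In `CConfigManager::handlePermission` (src/config/ConfigManager.cpp), the new `if (m_isFirstLaunch)` gate drops a rule parsed after startup while the handler still returns `{}`. A user who tightens a permission and reloads therefore gets no error and no hint that the rule is not in force until Hyprland restarts. I would emit a warning on the skipped path and document the gate with a comment such as `// Permission rules are accepted only during the initial config parse; later parses must not be able to change them.` The guarantee depends on `m_isFirstLaunch` being false for every parse after startup, including any path that hands a single keyword to this handler at runtime. Where the flag is cleared is not visible here and the function body starts outside the hunk, so that should be confirmed.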
@@ -70,6 +70,8 @@ env = HYPRCURSOR_SIZE,24 ################### # See https://wiki.hyprland.org/Configuring/Permissions/ +# Please note permission changes here require a Hyprland restart and are not applied on-the-fly +# for security reasons # ecosystem { # enforce_permissions = 1