nail down trusted Teliva channels a little more

In each session, Teliva has to bootstrap a trusted channel with the
computer owner while running arbitrarily untrusted code. So let's get
really, really precise about what the trusted channel consists of:
  - the bottom-most row of screen containing the menu
  - the keystrokes the owner types in
  - ncurses COLOR_PAIR slots 254 (menu) and 255 (error)

One reason the menu colors are important: we don't want people to get
used to apps that hide the menu colors by setting default
foreground/background to invisible and then drawing their own menu one
row up.

The error COLOR_PAIR I don't see any reason to carve out right now, but
it seems like a good idea for Teliva the framework to not get into the
habit of apps doing some things for it.

I'm not sure how realistic all this is (I feel quite ill-equipped to
think about security), but it seems worthwhile to err on the side of
paranoia. Teliva will be paranoid so people don't have to be.

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lua.c b/src/lua.c
index c46f9c4..22872a6 100644
--- a/src/lua.c
+++ b/src/lua.c
@@ -1126,6 +1126,11 @@ static int pmain (lua_State *L) {
 
 
 extern void draw_menu (lua_State *);
+void render_trusted_teliva_data (lua_State *L) {
+  init_pair(COLOR_PAIR_ERROR, COLOR_ERROR_FOREGROUND, COLOR_ERROR_BACKGROUND);
+  init_pair(COLOR_PAIR_MENU, COLOR_FOREGROUND, COLOR_BACKGROUND);
+  draw_menu(L);
+}
 
 
 int main (int argc, char **argv) {
@@ -1145,7 +1150,7 @@ int main (int argc, char **argv) {
   keypad(stdscr, 1);
   start_color();
   assume_default_colors(COLOR_FOREGROUND, COLOR_BACKGROUND);
-  draw_menu(L);
+  render_trusted_teliva_data(L);
   echo();
   s.argc = argc;
   s.argv = argv;