From 3bfe1ebabc115ce4bbef83fb49eb05232e9f59ff Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Tue, 29 Nov 2022 14:58:50 +0100
Subject: [PATCH] improve sandbox stability

---
 zathura/seccomp-filters.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 61e1a26..24d91d4 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -31,6 +31,7 @@
 
 #define DENY_RULE(call) ADD_RULE("kill", SCMP_ACT_KILL, call, 0)
 #define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0)
+#define ERRNO_RULE(call) ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), call, 0)
 
 int
 seccomp_enable_basic_filter(void)
@@ -242,6 +243,18 @@ seccomp_enable_strict_filter(zathura_t* zathura)
   ALLOW_RULE(timer_create);
   ALLOW_RULE(timer_delete);
 
+  /* Gracefully fail syscalls that may be used by dependencies in the future 
+     These rules will still block the syscalls but since there usually is fallback code 
+     for new syscalls, it will not shut down zathura and give us more time to
+     analyse the newly required syscall before potentionally allowing it.
+  */
+
+  ERRNO_RULE(openat2);
+  ERRNO_RULE(faccessat2);
+  ERRNO_RULE(pwritev2);
+#ifdef __NR_readfile
+  ERRNO_RULE(readfile);
+#endif
 
 /* Permit X11 specific syscalls */
 #ifdef GDK_WINDOWING_X11
@@ -284,7 +297,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
               CLONE_PARENT_SETTID | \
               CLONE_CHILD_CLEARTID));
   /* trigger fallback to clone */
-  ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), clone3, 0);
+  ERRNO_RULE(clone3);
 
   /* fcntl filter - not yet working */
   /*ADD_RULE("allow", SCMP_ACT_ALLOW, fcntl, 1, SCMP_CMP(0, SCMP_CMP_EQ, \