From 02a8877f771b3af4c5a8758ded756aae7f469dcb Mon Sep 17 00:00:00 2001
From: valoq
Date: Mon, 14 Sep 2020 21:33:17 +0200
Subject: [PATCH] sandbox cleanup
---
zathura/seccomp-filters.c | 76 ++++++++-------------------------------
1 file changed, 15 insertions(+), 61 deletions(-)
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 45786ca..84dc022 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -186,15 +186,15 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(mprotect); ALLOW_RULE(mremap); ALLOW_RULE(munmap);
- //ALLOW_RULE (open); /* (zathura needs to open for writing) TODO: avoid needing this somehow */
- //ALLOW_RULE (openat);
+ /* ALLOW_RULE (open); specified below */
+ /* ALLOW_RULE (openat); specified below */
ALLOW_RULE(pipe); ALLOW_RULE(pipe2); ALLOW_RULE(poll); ALLOW_RULE(pwrite64); /* TODO: build detailed filter */ ALLOW_RULE(pread64); /* ALLOW_RULE (prlimit64); */
- /* ALLOW_RULE (prctl); specified below */
+ /* ALLOW_RULE (prctl); specified below */
ALLOW_RULE(read); ALLOW_RULE(readlink); ALLOW_RULE(recvfrom);
@@ -214,6 +214,7 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(shmget); ALLOW_RULE(shutdown); ALLOW_RULE(stat);
+ ALLOW_RULE(statx);
ALLOW_RULE(statfs); /* ALLOW_RULE (socket); */ ALLOW_RULE(sysinfo);
@@ -223,8 +224,17 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(writev); ALLOW_RULE(wait4); /* trying to open links should not crash the app */
- ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
- ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
+ /* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0); */
+ /* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0); */
+
+ /* required by glib */
+ ALLOW_RULE(sched_setattr);
+ ALLOW_RULE(sched_getattr);
+
+ /* required by some X11 setups */
+ ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), umask, 0);
+ ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), socket, 0);
+ /* required for testing only */ ALLOW_RULE(timer_create);
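Review bot: The rewritten placeholder `/* ALLOW_RULE (open); specified below */` drops the one security-relevant remark the old comment carried: that zathura needs open() for writing and that this should eventually be avoided. Unless the open/openat rules further down (not visible in this hunk) now constrain the flags argument, that caveat is still true and should travel with them, e.g. `/* open/openat: still allowed with write flags, TODO narrow once the writer path is known */`. The `/* TODO: build detailed filter */` on the pwrite64 context line shows the file already tracks such gaps inline, so keeping this one is consistent rather than noise. seccomp_enable_strict_filter starts before and ends after this hunk.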
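Review bot: `ALLOW_RULE(statx);` is added with no why-comment, while the other rule additions in this patch each carry a rationale, and it sits between stat and statfs although statfs sorts first in the roughly alphabetical list. Suggest `ALLOW_RULE(statx); /* newer C libraries route stat()/fstat() through statx(2) */` after the statfs line; the actual caller is not visible here, so confirm it with strace before settling on that wording. The `/* ALLOW_RULE (socket); */` placeholder in the context two lines down now has a counterpart errno rule later in the function, so marking it `/* ALLOW_RULE (socket); specified below */` keeps the convention used for open/openat/prctl. seccomp_enable_strict_filter starts before and ends after this hunk.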
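Review bot: `ALLOW_RULE(sched_setattr);` admits the whole syscall even though sched_setattr takes a target pid and the file already narrows prctl by argument; if GLib only ever adjusts the calling thread (pid 0) — worth confirming against its thread-creation code — the rule can be bounded as `ADD_RULE("allow", SCMP_ACT_ALLOW, sched_setattr, 1, SCMP_CMP(0, SCMP_CMP_EQ, 0));` while sched_getattr stays a plain ALLOW_RULE. The two `/* ADD_RULE("errno", ...) */` lines kept above the new rules are dead code, and the surviving `/* trying to open links should not crash the app */` context comment now describes neither of them; drop the commented-out rules and fold the link-opening rationale into the `/* required by glib */` comment. Returning EPERM for `socket` also means any socket(2) attempt from a compromised process now fails quietly instead of tripping the filter's default action, so record that trade-off in the comment, e.g. `/* EPERM rather than the default action: some X11 setups probe for a socket and the app must survive it */`. seccomp_enable_strict_filter starts before and ends after this hunk.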
@@ -234,8 +244,6 @@ seccomp_enable_strict_filter(void)
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1)); ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 2));
- /* needed by gtk??? (does not load content without) */
- /* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */
ADD_RULE("allow", SCMP_ACT_ALLOW, prctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_NAME)); ADD_RULE("allow", SCMP_ACT_ALLOW, prctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG));
@@ -292,60 +300,6 @@ seccomp_enable_strict_filter(void)
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */ /* otherwise it will try to connect to X11 using inet socket protocol */
- /* ------------ experimental filters --------------- */
-
- /* /\* this filter is susceptible to TOCTOU race conditions, providing limited use *\/ */
- /* /\* allow opening only specified files identified by their file descriptors*\/ */
-
- /* this requires either a list of all files to open (A LOT!!!) */
- /* or needs to be applied only after initialisation, right before parsing */
- /* if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, */
- /* SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) /\* or < 1 ??? *\/ */
- /* goto out; */
-
- /* /\* restricting write access *\/ */
-
- /* /\* allow stdin *\/ */
- /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
- /* SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 ) */
- /* goto out; */
-
- /* /\* allow stdout *\/ */
- /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
- /* SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 ) */
- /* goto out; */
-
-
- /* /\* allow stderr *\/ */
- /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, */
- /* SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 ) */
- /* goto out; */
-
- /* /\* restrict writev (write a vector) access *\/ */
- /* this does not seem reliable but it surprisingly is. investigate more */
- /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, */
- /* SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) */
- /* goto out; */
-
- /* test if repeating this after some time or denying it works */
-
-
- /* first attempt to filter poll requests */
- /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1, */
- /* SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0) */
- /* goto out; */
-
-
- /* /\* restrict fcntl calls *\/ */
- /* this syscall sets the file descriptor to read write */
- /* if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
- /* SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) */
- /* goto out; */
- /* fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) */
- /* fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 */
- /* fcntl(3, F_SETFD, FD_CLOEXEC) = 0 */
-
- /* ------------------ end of experimental filters ------------------ */
/* applying filter... */ if (seccomp_load(ctx) >= 0) {