mirrors/zathura
1
0
Fork 0
mirror of https://git.pwmt.org/pwmt/zathura.git synced 2025-02-27 17:54:39 +01:00
Code Issues Projects Releases Packages Wiki Activity

sandbox improvements

Browse source
This commit is contained in:
valoq 2022-05-08 13:43:56 +02:00
parent de0d881f9c
commit 076cec96b5
Failed to generate hash of commit
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
zathura/seccomp-filters.c
View file

@ -227,7 +227,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(statx); ALLOW_RULE(statx);
ALLOW_RULE(statfs); ALLOW_RULE(statfs);
ALLOW_RULE(sysinfo); ALLOW_RULE(sysinfo);
ALLOW_RULE(umask); /* required by X11 */ /* ALLOW_RULE(umask); allowed for X11 only below */
ALLOW_RULE(uname); ALLOW_RULE(uname);
ALLOW_RULE(unlink); ALLOW_RULE(unlink);
ALLOW_RULE(write); ALLOW_RULE(write);
@ -253,6 +253,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(mkdir); ALLOW_RULE(mkdir);
ALLOW_RULE(setsockopt); ALLOW_RULE(setsockopt);
ALLOW_RULE(connect); ALLOW_RULE(connect);
ALLOW_RULE(umask);
} }
else { else {
girara_debug("On Wayland, blocking X11 syscalls"); girara_debug("On Wayland, blocking X11 syscalls");
@ -315,8 +316,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
* mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init) * mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init)
* wait4: required to attempt opening links (which is then blocked) * wait4: required to attempt opening links (which is then blocked)
* *
* X11 environments require umask and socket syscalls after sandbox setup
* no longer supported since X11 cannot be easily secured anyway
* *
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc * TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
* *