mirror of
https://git.pwmt.org/pwmt/zathura.git
synced 2025-01-28 16:14:55 +01:00
seccomp fixes
parent
2a48d2df0f
commit
0e5dc9f284
4 changed files with 11 additions and 7 deletions
8
README
8
README
|
@ -33,9 +33,11 @@ The use of magic to detect mime types is optional and can be disabled by
|
||||||
configuring the build system with -Denable-magic=false.
|
configuring the build system with -Denable-magic=false.
|
||||||
|
|
||||||
The use of seccomp to create a sandboxed environment is optional and can be
|
The use of seccomp to create a sandboxed environment is optional and can be
|
||||||
enabled by configure the build system with -Denable-seccomp=true. Note that the
|
disabled by configure the build system with -Denable-seccomp=false.
|
||||||
sandbox is currently only available as experimental preview. Some commands,
|
The sandbox will by default be set to "normal" mode, which should not interfere
|
||||||
shortcuts and other functionality might break.
|
with the normal operation of zathura. For strict sandbox mode set "sandbox strict"
|
||||||
|
in zathurarc. Strict sandbox mode will reduce the available functionality of zathura
|
||||||
|
and provide a read only document viewer.
|
||||||
|
|
||||||
Installation
|
Installation
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -15,6 +15,6 @@ option('enable-magic',
|
||||||
)
|
)
|
||||||
option('enable-seccomp',
|
option('enable-seccomp',
|
||||||
type: 'boolean',
|
type: 'boolean',
|
||||||
value: false,
|
value: true,
|
||||||
description: 'Enable experimental seccomp support if available.'
|
description: 'Enable experimental seccomp support if available.'
|
||||||
)
|
)
|
||||||
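Review bot: The option description still reads `'Enable experimental seccomp support if available.'`, although this change makes the sandbox the default (`value: true`) and the README hunk in the same commit drops the "experimental preview" wording. Someone reading the build options would reasonably conclude the feature is still opt-in and unstable. I would bring the text in line with the new default, for example `description: 'Enable seccomp sandbox support if available (set to false to build without the sandbox).'`.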
|
|
|
@ -248,17 +248,17 @@ seccomp_enable_strict_filter(void)
|
||||||
|
|
||||||
/* special restrictions for openat, prevent opening files for writing */
|
/* special restrictions for openat, prevent opening files for writing */
|
||||||
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
|
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
|
||||||
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
|
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
|
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
|
||||||
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
|
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
|
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
|
||||||
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
|
SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
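Review bot: The allow rule for `openat` masks only the access-mode bits (`O_WRONLY | O_RDWR`), so a call with `O_RDONLY | O_CREAT` or `O_RDONLY | O_TRUNC` still matches it and can create or (on Linux, possibly) truncate a file, which is at odds with the comment "prevent opening files for writing". Consider widening the mask to `SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_CREAT | O_TRUNC, 0)`, and adding a matching `SCMP_ACT_ERRNO (EACCES)` rule for those bits if the filter's default action, which is not visible here, would otherwise kill the process. A short comment next to the index, such as `/* arg 2 of openat(dirfd, pathname, flags, mode) is flags */`, would keep the argument position from drifting again. seccomp_enable_strict_filter starts and ends outside this hunk, so `open`, `creat` or `openat2` may already be handled elsewhere in the function; that is worth confirming.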
|
|
|
@ -442,6 +442,8 @@ zathura_init(zathura_t* zathura)
|
||||||
if (seccomp_enable_strict_filter() != 0) {
|
if (seccomp_enable_strict_filter() != 0) {
|
||||||
goto error_free;
|
goto error_free;
|
||||||
}
|
}
|
||||||
|
/* unset the input method to avoid communication with external services */
|
||||||
|
unsetenv("GTK_IM_MODULE");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
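Review bot: `unsetenv("GTK_IM_MODULE")` removes only one of the inputs GTK uses to pick an input method; as far as I know the `gtk-im-module` setting and the locale-based default can still select a module that talks to an external daemon, so the goal stated in the comment is not guaranteed. Pinning the built-in context is more direct, e.g. `g_setenv("GTK_IM_MODULE", "gtk-im-context-simple", TRUE);`, and its return value should be checked so that a failure takes the `error_free` path like the filter call above it. The call also runs after `seccomp_enable_strict_filter()`, and zathura_init starts and ends outside this hunk, so it is worth confirming that no input widget has created an IM context before the variable is changed.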
|
|