seccomp fixes

valoq 2018-07-08 12:17:53 +02:00
parent 2a48d2df0f
commit 0e5dc9f284
4 changed files with 11 additions and 7 deletions

8
README

@ -33,9 +33,11 @@ The use of magic to detect mime types is optional and can be disabled by
configuring the build system with -Denable-magic=false. configuring the build system with -Denable-magic=false.
The use of seccomp to create a sandboxed environment is optional and can be The use of seccomp to create a sandboxed environment is optional and can be
enabled by configure the build system with -Denable-seccomp=true. Note that the disabled by configure the build system with -Denable-seccomp=false.
sandbox is currently only available as experimental preview. Some commands, The sandbox will by default be set to "normal" mode, which should not interfere
shortcuts and other functionality might break. with the normal operation of zathura. For strict sandbox mode set "sandbox strict"
in zathurarc. Strict sandbox mode will reduce the available functionality of zathura
and provide a read only document viewer.
Installation Installation
------------ ------------


@ -15,6 +15,6 @@ option('enable-magic',
) )
option('enable-seccomp', option('enable-seccomp',
type: 'boolean', type: 'boolean',
value: false, value: true,
description: 'Enable experimental seccomp support if available.' description: 'Enable experimental seccomp support if available.'
) )
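Review bot: The option description still says `'Enable experimental seccomp support if available.'` although this hunk flips the default to `true` and the README section of the same commit drops the "experimental preview" wording. A description such as `description: 'Enable the seccomp sandbox (normal mode by default, strict mode via zathurarc).'` would match the new behaviour. The words "if available" suggest the build may silently continue without the sandbox when libseccomp is missing; that logic is not visible here, but if so it should be stated in the description or the README so packagers know whether a given build is actually sandboxed.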


@ -248,17 +248,17 @@ seccomp_enable_strict_filter(void)
/* special restrictions for openat, prevent opening files for writing */ /* special restrictions for openat, prevent opening files for writing */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
goto out; goto out;
} }
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
goto out; goto out;
} }
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
goto out; goto out;
} }
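Review bot: The allow rule for `openat` masks only the access-mode bits (`O_WRONLY | O_RDWR`), so a call with `O_RDONLY` combined with `O_CREAT` or `O_TRUNC` still matches it, which does not fit the comment "prevent opening files for writing". Widening the mask to `SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_CREAT | O_TRUNC, 0)` and adding `SCMP_ACT_ERRNO (EACCES)` rules for `O_CREAT` and `O_TRUNC` in the same pattern as the two existing deny rules would close that gap. The filter's default action and any rules for `open`, `creat` or `openat2` lie outside this hunk, since the body of `seccomp_enable_strict_filter` starts and ends elsewhere, so check them against the same flag set. Because the argument index is what this commit corrects, a short comment would help keep it right: `/* openat(dirfd, pathname, flags, mode): flags is argument index 2 */`.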


@ -442,6 +442,8 @@ zathura_init(zathura_t* zathura)
if (seccomp_enable_strict_filter() != 0) { if (seccomp_enable_strict_filter() != 0) {
goto error_free; goto error_free;
} }
/* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE");
break; break;
} }
#endif #endif
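Review bot: Unsetting `GTK_IM_MODULE` removes only the explicit override, so GTK may still fall back to whatever input method module its settings or the locale select, and that module may itself talk to an external daemon. If the goal stated in the comment is to avoid communication with external services, pinning the built-in context is more reliable: `g_setenv("GTK_IM_MODULE", "gtk-im-context-simple", TRUE);`. The call also runs after `seccomp_enable_strict_filter()` inside `zathura_init`, whose body continues outside the hunk, so confirm that no GTK input context has been created before this point, otherwise the change comes too late to have any effect. The return value of `unsetenv` is ignored; a failure here should probably take the same `goto error_free;` path as the filter setup.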