mirror of
https://git.pwmt.org/pwmt/zathura.git
synced 2025-01-16 02:45:51 +01:00
improve seccomp filter
This commit is contained in:
parent
81e541e3f0
commit
193bfd3081
1 changed files with 49 additions and 39 deletions
|
@ -59,7 +59,7 @@ seccomp_enable_basic_filter(void)
|
||||||
DENY_RULE(acct);
|
DENY_RULE(acct);
|
||||||
DENY_RULE(add_key);
|
DENY_RULE(add_key);
|
||||||
DENY_RULE(adjtimex);
|
DENY_RULE(adjtimex);
|
||||||
DENY_RULE(chroot);
|
/* DENY_RULE(chroot); used by firefox */
|
||||||
DENY_RULE(clock_adjtime);
|
DENY_RULE(clock_adjtime);
|
||||||
DENY_RULE(create_module);
|
DENY_RULE(create_module);
|
||||||
DENY_RULE(delete_module);
|
DENY_RULE(delete_module);
|
||||||
|
@ -86,6 +86,9 @@ seccomp_enable_basic_filter(void)
|
||||||
DENY_RULE(migrate_pages);
|
DENY_RULE(migrate_pages);
|
||||||
DENY_RULE(modify_ldt);
|
DENY_RULE(modify_ldt);
|
||||||
DENY_RULE(mount);
|
DENY_RULE(mount);
|
||||||
|
#ifdef __NR_mount_setattr
|
||||||
|
DENY_RULE(mount_setattr);
|
||||||
|
#endif
|
||||||
DENY_RULE(move_pages);
|
DENY_RULE(move_pages);
|
||||||
DENY_RULE(name_to_handle_at);
|
DENY_RULE(name_to_handle_at);
|
||||||
DENY_RULE(open_by_handle_at);
|
DENY_RULE(open_by_handle_at);
|
||||||
|
@ -103,6 +106,7 @@ seccomp_enable_basic_filter(void)
|
||||||
DENY_RULE(sysfs);
|
DENY_RULE(sysfs);
|
||||||
DENY_RULE(syslog);
|
DENY_RULE(syslog);
|
||||||
DENY_RULE(tuxcall);
|
DENY_RULE(tuxcall);
|
||||||
|
DENY_RULE(umount);
|
||||||
DENY_RULE(umount2);
|
DENY_RULE(umount2);
|
||||||
DENY_RULE(uselib);
|
DENY_RULE(uselib);
|
||||||
DENY_RULE(vmsplice);
|
DENY_RULE(vmsplice);
|
||||||
|
@ -160,36 +164,36 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ALLOW_RULE(brk);
|
ALLOW_RULE(brk);
|
||||||
/* ALLOW_RULE(clock_getres); unused? */
|
/* ALLOW_RULE(clock_getres); unused? */
|
||||||
/* ALLOW_RULE(clone); specified below, clone3 see comment below */
|
/* ALLOW_RULE(clone); specified below, clone3 see comment below */
|
||||||
ALLOW_RULE(clock_gettime);
|
ALLOW_RULE(clock_gettime); /* used when vDSO function is unavailable */
|
||||||
ALLOW_RULE(close);
|
ALLOW_RULE(close);
|
||||||
|
ALLOW_RULE(epoll_create1);
|
||||||
|
ALLOW_RULE(epoll_ctl);
|
||||||
ALLOW_RULE(eventfd2);
|
ALLOW_RULE(eventfd2);
|
||||||
ALLOW_RULE(exit);
|
ALLOW_RULE(exit);
|
||||||
ALLOW_RULE(exit_group);
|
ALLOW_RULE(exit_group);
|
||||||
/* ALLOW_RULE(epoll_create); outdated, to be removed */
|
/* ALLOW_RULE(epoll_create); outdated, to be removed */
|
||||||
ALLOW_RULE(epoll_create1);
|
/* ALLOW_RULE(fadvise64); */
|
||||||
ALLOW_RULE(epoll_ctl);
|
|
||||||
ALLOW_RULE(fadvise64);
|
|
||||||
ALLOW_RULE(fallocate);
|
ALLOW_RULE(fallocate);
|
||||||
ALLOW_RULE(fcntl); /* TODO: build detailed filter */
|
ALLOW_RULE(fcntl); /* TODO: build detailed filter */
|
||||||
ALLOW_RULE(fstat); /* used by older libc, stat (below), lstat(below), fstatat, newfstatat(below) */
|
ALLOW_RULE(fstat); /* used by older libc, stat (below), lstat(below), fstatat, newfstatat(below) */
|
||||||
ALLOW_RULE(fstatfs); /* statfs (below) */
|
ALLOW_RULE(fstatfs); /* statfs (below) */
|
||||||
ALLOW_RULE(ftruncate);
|
ALLOW_RULE(ftruncate);
|
||||||
ALLOW_RULE(futex);
|
ALLOW_RULE(futex);
|
||||||
/* ALLOW_RULE(getdents); unused? */
|
/* ALLOW_RULE(getdents); 32 bit only */
|
||||||
ALLOW_RULE(getdents64);
|
ALLOW_RULE(getdents64);
|
||||||
ALLOW_RULE(getegid);
|
ALLOW_RULE(getegid);
|
||||||
ALLOW_RULE(geteuid);
|
ALLOW_RULE(geteuid);
|
||||||
ALLOW_RULE(getgid);
|
ALLOW_RULE(getgid);
|
||||||
ALLOW_RULE(getuid);
|
|
||||||
ALLOW_RULE(getpid);
|
ALLOW_RULE(getpid);
|
||||||
ALLOW_RULE(getppid); /* required inside containers */
|
ALLOW_RULE(getppid); /* required inside containers */
|
||||||
ALLOW_RULE(gettid);
|
ALLOW_RULE(gettid);
|
||||||
ALLOW_RULE(gettimeofday);
|
ALLOW_RULE(gettimeofday); /* used when vDSO function is unavailable */
|
||||||
ALLOW_RULE(getrandom);
|
ALLOW_RULE(getuid);
|
||||||
ALLOW_RULE(getresgid);
|
ALLOW_RULE(getrandom); /* occasionally required */
|
||||||
ALLOW_RULE(getresuid);
|
/* ALLOW_RULE(getresgid); */
|
||||||
|
/* ALLOW_RULE(getresuid); */
|
||||||
/* ALLOW_RULE(getrlimit); unused? */
|
/* ALLOW_RULE(getrlimit); unused? */
|
||||||
ALLOW_RULE(getpeername);
|
/* ALLOW_RULE(getpeername); not required if database is initializes properly */
|
||||||
ALLOW_RULE(inotify_add_watch); /* required by filemonitor feature */
|
ALLOW_RULE(inotify_add_watch); /* required by filemonitor feature */
|
||||||
ALLOW_RULE(inotify_init1); /* used by filemonitor, inotify_init (glib<2.9) */
|
ALLOW_RULE(inotify_init1); /* used by filemonitor, inotify_init (glib<2.9) */
|
||||||
ALLOW_RULE(inotify_rm_watch); /* used by filemonitor */
|
ALLOW_RULE(inotify_rm_watch); /* used by filemonitor */
|
||||||
|
@ -200,40 +204,42 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ALLOW_RULE(memfd_create);
|
ALLOW_RULE(memfd_create);
|
||||||
ALLOW_RULE(mmap);
|
ALLOW_RULE(mmap);
|
||||||
ALLOW_RULE(mprotect);
|
ALLOW_RULE(mprotect);
|
||||||
ALLOW_RULE(mremap);
|
/* ALLOW_RULE(mremap); */
|
||||||
ALLOW_RULE(munmap);
|
ALLOW_RULE(munmap);
|
||||||
ALLOW_RULE(newfstatat);
|
ALLOW_RULE(newfstatat);
|
||||||
/* ALLOW_RULE (open); specified below */
|
/* ALLOW_RULE (open); specified below */
|
||||||
/* ALLOW_RULE (openat); specified below */
|
/* ALLOW_RULE (openat); specified below */
|
||||||
/* ALLOW_RULE(pipe); unused? */
|
/* ALLOW_RULE(pipe); unused? */
|
||||||
ALLOW_RULE(pipe2);
|
ALLOW_RULE(pipe2); /* used by dbus only - remove this after dbus isolation is fixed */
|
||||||
ALLOW_RULE(poll);
|
ALLOW_RULE(poll);
|
||||||
ALLOW_RULE(pwrite64); /* equals pwrite */
|
|
||||||
ALLOW_RULE(pread64); /* equals pread */
|
|
||||||
/* ALLOW_RULE (prctl); specified below */
|
/* ALLOW_RULE (prctl); specified below */
|
||||||
|
ALLOW_RULE(pread64); /* equals pread */
|
||||||
|
/* ALLOW_RULE(pwrite64); equals pwrite */
|
||||||
ALLOW_RULE(read);
|
ALLOW_RULE(read);
|
||||||
ALLOW_RULE(readlink); /* readlinkat */
|
ALLOW_RULE(readlink); /* readlinkat */
|
||||||
ALLOW_RULE(recvfrom);
|
/* ALLOW_RULE(recvfrom); */
|
||||||
ALLOW_RULE(recvmsg);
|
ALLOW_RULE(recvmsg);
|
||||||
/* ALLOW_RULE(restart_syscall); unused? */
|
/* ALLOW_RULE(restart_syscall); used by the kernel only */
|
||||||
ALLOW_RULE(rseq);
|
ALLOW_RULE(rseq);
|
||||||
ALLOW_RULE(rt_sigaction);
|
ALLOW_RULE(rt_sigaction);
|
||||||
ALLOW_RULE(rt_sigprocmask);
|
ALLOW_RULE(rt_sigprocmask);
|
||||||
ALLOW_RULE(sched_setattr);
|
ALLOW_RULE(rt_sigreturn);
|
||||||
ALLOW_RULE(sched_getattr);
|
/* ALLOW_RULE(sched_setattr); */
|
||||||
ALLOW_RULE(sendmsg); /* ipc, investigate */
|
/* ALLOW_RULE(sched_getattr); */
|
||||||
ALLOW_RULE(sendto); /* ipc, investigate */
|
ALLOW_RULE(sendmsg); /* ipc, used by wayland socket */
|
||||||
ALLOW_RULE(select); /* pselect (equals pselect6), unused? */
|
/* ALLOW_RULE(sendto); ipc, investigate */
|
||||||
|
/* ALLOW_RULE(select); pselect (equals pselect6) */
|
||||||
ALLOW_RULE(set_robust_list);
|
ALLOW_RULE(set_robust_list);
|
||||||
/* ALLOW_RULE(shmat); X11 only */
|
/* ALLOW_RULE(shmat); X11 only */
|
||||||
/* ALLOW_RULE(shmctl); X11 only */
|
/* ALLOW_RULE(shmctl); X11 only */
|
||||||
/* ALLOW_RULE(shmdt); X11 only */
|
/* ALLOW_RULE(shmdt); X11 only */
|
||||||
/* ALLOW_RULE(shmget); X11 only */
|
/* ALLOW_RULE(shmget); X11 only */
|
||||||
ALLOW_RULE(shutdown);
|
/* ALLOW_RULE(shutdown); */
|
||||||
ALLOW_RULE(stat); /* used by older libc */
|
ALLOW_RULE(stat); /* used by older libc - Debian 11 */
|
||||||
ALLOW_RULE(statx);
|
ALLOW_RULE(statx);
|
||||||
ALLOW_RULE(statfs); /* used by filemonitor, fstatfs above */
|
ALLOW_RULE(statfs); /* used by filemonitor, fstatfs above */
|
||||||
ALLOW_RULE(sysinfo);
|
/* ALLOW_RULE(sysinfo); !!! */
|
||||||
|
/* ALLOW_RULE(tgkill); investigate - used when zathura is quickly restarted and dbus socket is closed */
|
||||||
/* ALLOW_RULE(umask); X11 only */
|
/* ALLOW_RULE(umask); X11 only */
|
||||||
/* ALLOW_RULE(uname); X11 only */
|
/* ALLOW_RULE(uname); X11 only */
|
||||||
/* ALLOW_RULE(unlink); unused?, unlinkat */
|
/* ALLOW_RULE(unlink); unused?, unlinkat */
|
||||||
|
@ -245,25 +251,14 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ALLOW_RULE(timer_create);
|
ALLOW_RULE(timer_create);
|
||||||
ALLOW_RULE(timer_delete);
|
ALLOW_RULE(timer_delete);
|
||||||
|
|
||||||
/* Gracefully fail syscalls that may be used by dependencies in the future
|
|
||||||
These rules will still block the syscalls but since there usually is fallback code
|
|
||||||
for new syscalls, it will not shut down zathura and give us more time to
|
|
||||||
analyse the newly required syscall before potentionally allowing it.
|
|
||||||
*/
|
|
||||||
|
|
||||||
ERRNO_RULE(openat2);
|
|
||||||
ERRNO_RULE(faccessat2);
|
|
||||||
ERRNO_RULE(pwritev2);
|
|
||||||
#ifdef __NR_readfile
|
|
||||||
ERRNO_RULE(readfile);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Permit X11 specific syscalls */
|
/* Permit X11 specific syscalls */
|
||||||
#ifdef GDK_WINDOWING_X11
|
#ifdef GDK_WINDOWING_X11
|
||||||
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
|
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
|
||||||
|
|
||||||
if (GDK_IS_X11_DISPLAY (display)) {
|
if (GDK_IS_X11_DISPLAY (display)) {
|
||||||
girara_debug("On X11, supporting X11 syscalls");
|
girara_debug("On X11, supporting X11 syscalls");
|
||||||
|
girara_warning("Running strict sandbox mode on X11 provides only \
|
||||||
|
incomplete process isolation.");
|
||||||
|
|
||||||
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
|
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
|
||||||
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
|
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
|
||||||
|
@ -286,6 +281,8 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* block unsuccessful ipc attempt */
|
||||||
|
ERRNO_RULE(getpeername);
|
||||||
|
|
||||||
/* filter clone arguments */
|
/* filter clone arguments */
|
||||||
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
||||||
|
@ -333,6 +330,19 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
|
ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
|
||||||
|
|
||||||
|
|
||||||
|
/* Gracefully fail syscalls that may be used by dependencies in the future
|
||||||
|
These rules will still block the syscalls but since there usually is fallback code
|
||||||
|
for new syscalls, it will not shut down zathura and give us more time to
|
||||||
|
analyse the newly required syscall before potentionally allowing it.
|
||||||
|
*/
|
||||||
|
|
||||||
|
ERRNO_RULE(openat2);
|
||||||
|
ERRNO_RULE(faccessat2);
|
||||||
|
ERRNO_RULE(pwritev2);
|
||||||
|
#ifdef __NR_readfile
|
||||||
|
ERRNO_RULE(readfile);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* Sandbox Status Notes:
|
/* Sandbox Status Notes:
|
||||||
|
|
Loading…
Reference in a new issue