From 47c67b53bdd3ace137fb430526fdc9c6bd634c0f Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 8 May 2022 14:29:06 +0200 Subject: [PATCH] update documentation --- doc/man/zathurarc.5.rst | 3 +++ zathura/seccomp-filters.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/man/zathurarc.5.rst b/doc/man/zathurarc.5.rst index 1ee368f..3d7f84a 100644 --- a/doc/man/zathurarc.5.rst +++ b/doc/man/zathurarc.5.rst @@ -967,6 +967,9 @@ zathura * printing * bookmarks and history + The strict sandbox mode is still experimental with some libc implementations. + Currently supported and tested libc implementations: glibc + No feature regressions are expected when using normal sandbox mode. When running under WSL, the default is "none" since seccomp is not supported in diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c index 503e807..1f2b173 100644 --- a/zathura/seccomp-filters.c +++ b/zathura/seccomp-filters.c @@ -106,13 +106,16 @@ seccomp_enable_basic_filter(void) DENY_RULE(uselib); DENY_RULE(vmsplice); - /*TODO + /* * * In case this basic filter is actually triggered, print a clear error message to report this * The syscalls here should never be executed by an unprivileged process * * */ + girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \ + Errors reporting 'bad system call' may be an indicator of compromise"); + /* applying filter... */ if (seccomp_load(ctx) >= 0) { /* free ctx after the filter has been loaded into the kernel */