cleanup and manpage
parent
3f983e7ae2
commit
5a66aa92c0
4 changed files with 35 additions and 10 deletions
|
@ -1044,6 +1044,16 @@ Define the background color of the selected element in index mode.
|
|||
* Value type: String
|
||||
* Default value: #9FBC00
|
||||
|
||||
sandbox
|
||||
^^^^^^^
|
||||
Defines the sandbox mode to use for the seccomp syscall filter. Possible
|
||||
values are "none", "normal" and "strict". If "none" is used, the sandbox
|
||||
will be disabled. The use of "normal" will provide minimal protection and
|
||||
allow normal use of seccomp with support for all features. The "strict" mode
|
||||
is a read only sandbox that is intended for viewing documents only.
|
||||
|
||||
* Value type: String
|
||||
* Default value: normal
|
||||
|
||||
SEE ALSO
|
||||
========
|
||||
|
|
|
@ -19,21 +19,21 @@ int seccomp_enable_basic_filter(void){
|
|||
|
||||
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||
perror("prctl SET_NO_NEW_PRIVS");
|
||||
exit(EXIT_FAILURE);
|
||||
girara_error("prctl SET_NO_NEW_PRIVS");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* prevent escape via ptrace */
|
||||
if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
|
||||
perror("prctl PR_SET_DUMPABLE");
|
||||
exit(EXIT_FAILURE);
|
||||
girara_error("prctl PR_SET_DUMPABLE");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* initialize the filter */
|
||||
ctx = seccomp_init(SCMP_ACT_ALLOW);
|
||||
if (ctx == NULL){
|
||||
perror("seccomp_init failed");
|
||||
exit(EXIT_FAILURE);
|
||||
girara_error("seccomp_init failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
DENY_RULE (_sysctl);
|
||||
|
@ -101,7 +101,7 @@ int seccomp_enable_basic_filter(void){
|
|||
out:
|
||||
/* something went wrong */
|
||||
seccomp_release(ctx);
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
|
@ -370,7 +370,7 @@ int seccomp_enable_strict_filter(void){
|
|||
out:
|
||||
/* something went wrong */
|
||||
seccomp_release(ctx);
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
|
||||
#endif /* WITH_SECCOMP */
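Review bot: The two prctl() failure paths at the top of seccomp_enable_basic_filter lose the errno text that perror() used to print, because the replacement (which looks like the girara_error line in each pair) logs only a fixed string. The caller now appears to abort startup when the filter cannot be installed, so the reason for the failure is worth keeping: `girara_error("prctl SET_NO_NEW_PRIVS: %s", g_strerror(errno));` and the same for PR_SET_DUMPABLE. The seccomp_init() case can keep the fixed message, as a NULL return there does not necessarily carry a meaningful errno. The function's opening lines and the rules between the hunks are outside the visible hunks, so this assumes <errno.h> is included and nothing touches errno before the log call. A short comment on both filter functions stating the contract, for example `/* returns 0 on success, -1 if the sandbox could not be set up */`, would also help, since callers test the result with `if (ret)`.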
|
||||
|
|
|
@ -221,6 +221,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
|
|||
default:
|
||||
break;
|
||||
}
|
||||
g_free(sandbox);
|
||||
}
|
||||
|
||||
void
|
||||
|
|
|
@ -302,11 +302,25 @@ main(int argc, char* argv[])
|
|||
girara_debug("Sandbox deactivated.");
|
||||
} else if (g_strcmp0(sandbox, "normal") == 0) {
|
||||
girara_debug("Basic sandbox allowing normal operation.");
|
||||
seccomp_enable_basic_filter();
|
||||
ret = seccomp_enable_basic_filter();
|
||||
if (ret){
|
||||
goto free_and_ret;
|
||||
}
|
||||
} else if (g_strcmp0(sandbox, "strict") == 0) {
|
||||
girara_debug("Strict sandbox preventing write and network access.");
|
||||
seccomp_enable_strict_filter();
|
||||
ret = seccomp_enable_strict_filter();
|
||||
if (ret){
|
||||
goto free_and_ret;
|
||||
}
|
||||
} else {
|
||||
girara_error("Invalid sandbox option");
|
||||
ret = -1;
|
||||
goto free_and_ret;
|
||||
}
|
||||
|
||||
|
||||
|
||||
g_free(sandbox);
|
||||
|
||||
#endif
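Review bot: The three new `goto free_and_ret;` exits skip the `g_free(sandbox);` at the end of this block, so the setting string is released only on the success path unless the `free_and_ret` label, which is outside the hunk, frees it. The process is about to exit, so the practical effect is a leak report rather than a fault, but a `g_free(sandbox);` ahead of each `goto` keeps the paths symmetric. Separately, the "none" branch logs only through `girara_debug`, so a run without any seccomp filter leaves no trace at the default log level; `girara_warning("Sandbox deactivated.");` would make that state visible. Failing closed on an unknown value is the right behaviour for a sandbox setting; naming the rejected value in the "Invalid sandbox option" message would make a typo in the config easier to spot.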
|
||||
|
||||
|
|