cleanup and manpage

valoq 2018-03-11 12:21:13 +01:00
parent 3f983e7ae2
commit 5a66aa92c0
4 changed files with 35 additions and 10 deletions


@ -1044,6 +1044,16 @@ Define the background color of the selected element in index mode.
* Value type: String
* Default value: #9FBC00
sandbox
^^^^^^^
Defines the sandbox mode to use for the seccomp syscall filter. Possible
values are "none", "normal" and "strict". If "none" is used, the sandbox
will be disabled. The use of "normal" will provide minimal protection and
allow normal use of seccomp with support for all features. The "strict" mode
is a read only sandbox that is intended for viewing documents only.
* Value type: String
* Default value: normal
SEE ALSO
========


@ -19,21 +19,21 @@ int seccomp_enable_basic_filter(void){
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl SET_NO_NEW_PRIVS");
exit(EXIT_FAILURE);
girara_error("prctl SET_NO_NEW_PRIVS");
return -1;
}
/* prevent escape via ptrace */
if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
perror("prctl PR_SET_DUMPABLE");
exit(EXIT_FAILURE);
girara_error("prctl PR_SET_DUMPABLE");
return -1;
}
/* initialize the filter */
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL){
perror("seccomp_init failed");
exit(EXIT_FAILURE);
girara_error("seccomp_init failed");
return -1;
}
DENY_RULE (_sysctl);
@ -101,7 +101,7 @@ int seccomp_enable_basic_filter(void){
out:
/* something went wrong */
seccomp_release(ctx);
return 1;
return -1;
}
@ -370,7 +370,7 @@ int seccomp_enable_strict_filter(void){
out:
/* something went wrong */
seccomp_release(ctx);
return 1;
return -1;
}
#endif /* WITH_SECCOMP */
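Review bot: The two prctl() failure paths at the top of seccomp_enable_basic_filter now log a fixed string and drop the errno text that `perror` used to print, so the log no longer says why the call failed; `girara_error("prctl SET_NO_NEW_PRIVS: %s", g_strerror(errno));` would keep it (errno.h is needed if the file does not already include it). Because failure is now reported with `return -1` instead of `exit(EXIT_FAILURE)`, whether the process keeps running without a filter depends on every caller checking the result. I would state that contract above both filter functions, for example `/* Returns 0 on success, -1 on failure; callers must not continue when this fails. */`. Both function bodies extend outside the hunks shown, so whether seccomp_enable_strict_filter has the same early paths is not visible here.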


@ -221,6 +221,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
default:
break;
}
g_free(sandbox);
}
void


@ -302,11 +302,25 @@ main(int argc, char* argv[])
girara_debug("Sandbox deactivated.");
} else if (g_strcmp0(sandbox, "normal") == 0) {
girara_debug("Basic sandbox allowing normal operation.");
seccomp_enable_basic_filter();
ret = seccomp_enable_basic_filter();
if (ret){
goto free_and_ret;
}
} else if (g_strcmp0(sandbox, "strict") == 0) {
girara_debug("Strict sandbox preventing write and network access.");
seccomp_enable_strict_filter();
ret = seccomp_enable_strict_filter();
if (ret){
goto free_and_ret;
}
} else {
girara_error("Invalid sandbox option");
ret = -1;
goto free_and_ret;
}
g_free(sandbox);
#endif
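Review bot: All three new `goto free_and_ret;` exits jump past the `g_free(sandbox);` that follows the if/else chain, so the setting string is leaked on every error path unless the `free_and_ret` label, which is outside this hunk, releases it. Calling `g_free(sandbox);` before each `goto` would close that. The invalid-value branch would also be easier to diagnose if it named the rejected value, e.g. `girara_error("Invalid sandbox option: %s", sandbox);` with a guard for a NULL value, logged before the string is freed. Stopping on a filter failure or an unknown mode, rather than continuing unsandboxed, is the right default and worth a short comment so it is not relaxed later.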