mirror of
https://git.pwmt.org/pwmt/zathura.git
synced 2024-11-14 07:33:46 +01:00
cleanup and manpage
This commit is contained in:
parent
3f983e7ae2
commit
5a66aa92c0
@ -1044,6 +1044,16 @@ Define the background color of the selected element in index mode.
|
|||||||
* Value type: String
|
* Value type: String
|
||||||
* Default value: #9FBC00
|
* Default value: #9FBC00
|
||||||
|
|
||||||
|
sandbox
|
||||||
|
^^^^^^^
|
||||||
|
Defines the sandbox mode to use for the seccomp syscall filter. Possible
|
||||||
|
values are "none", "normal" and "strict". If "none" is used, the sandbox
|
||||||
|
will be disabled. The use of "normal" will provide minimal protection and
|
||||||
|
allow normal use of seccomp with support for all features. The "strict" mode
|
||||||
|
is a read only sandbox that is intended for viewing documents only.
|
||||||
|
|
||||||
|
* Value type: String
|
||||||
|
* Default value: normal
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
========
|
========
|
||||||
|
@ -19,21 +19,21 @@ int seccomp_enable_basic_filter(void){
|
|||||||
|
|
||||||
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
|
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
|
||||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||||
perror("prctl SET_NO_NEW_PRIVS");
|
girara_error("prctl SET_NO_NEW_PRIVS");
|
||||||
exit(EXIT_FAILURE);
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* prevent escape via ptrace */
|
/* prevent escape via ptrace */
|
||||||
if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
|
if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
|
||||||
perror("prctl PR_SET_DUMPABLE");
|
girara_error("prctl PR_SET_DUMPABLE");
|
||||||
exit(EXIT_FAILURE);
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* initialize the filter */
|
/* initialize the filter */
|
||||||
ctx = seccomp_init(SCMP_ACT_ALLOW);
|
ctx = seccomp_init(SCMP_ACT_ALLOW);
|
||||||
if (ctx == NULL){
|
if (ctx == NULL){
|
||||||
perror("seccomp_init failed");
|
girara_error("seccomp_init failed");
|
||||||
exit(EXIT_FAILURE);
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
DENY_RULE (_sysctl);
|
DENY_RULE (_sysctl);
|
||||||
@ -101,7 +101,7 @@ int seccomp_enable_basic_filter(void){
|
|||||||
out:
|
out:
|
||||||
/* something went wrong */
|
/* something went wrong */
|
||||||
seccomp_release(ctx);
|
seccomp_release(ctx);
|
||||||
return 1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -370,7 +370,7 @@ int seccomp_enable_strict_filter(void){
|
|||||||
out:
|
out:
|
||||||
/* something went wrong */
|
/* something went wrong */
|
||||||
seccomp_release(ctx);
|
seccomp_release(ctx);
|
||||||
return 1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* WITH_SECCOMP */
|
#endif /* WITH_SECCOMP */
|
||||||
|
@ -221,6 +221,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
|
|||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
g_free(sandbox);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
@ -302,11 +302,25 @@ main(int argc, char* argv[])
|
|||||||
girara_debug("Sandbox deactivated.");
|
girara_debug("Sandbox deactivated.");
|
||||||
} else if (g_strcmp0(sandbox, "normal") == 0) {
|
} else if (g_strcmp0(sandbox, "normal") == 0) {
|
||||||
girara_debug("Basic sandbox allowing normal operation.");
|
girara_debug("Basic sandbox allowing normal operation.");
|
||||||
seccomp_enable_basic_filter();
|
ret = seccomp_enable_basic_filter();
|
||||||
|
if (ret){
|
||||||
|
goto free_and_ret;
|
||||||
|
}
|
||||||
} else if (g_strcmp0(sandbox, "strict") == 0) {
|
} else if (g_strcmp0(sandbox, "strict") == 0) {
|
||||||
girara_debug("Strict sandbox preventing write and network access.");
|
girara_debug("Strict sandbox preventing write and network access.");
|
||||||
seccomp_enable_strict_filter();
|
ret = seccomp_enable_strict_filter();
|
||||||
|
if (ret){
|
||||||
|
goto free_and_ret;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
girara_error("Invalid sandbox option");
|
||||||
|
ret = -1;
|
||||||
|
goto free_and_ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
g_free(sandbox);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user