cleanup and manpage

This commit is contained in:
valoq 2018-03-11 12:21:13 +01:00
parent 3f983e7ae2
commit 5a66aa92c0
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
4 changed files with 35 additions and 10 deletions

View File

@ -1044,6 +1044,16 @@ Define the background color of the selected element in index mode.
* Value type: String * Value type: String
* Default value: #9FBC00 * Default value: #9FBC00
sandbox
^^^^^^^
Defines the sandbox mode to use for the seccomp syscall filter. Possible
values are "none", "normal" and "strict". If "none" is used, the sandbox
will be disabled. The use of "normal" will provide minimal protection and
allow normal use of seccomp with support for all features. The "strict" mode
is a read only sandbox that is intended for viewing documents only.
* Value type: String
* Default value: normal
SEE ALSO SEE ALSO
======== ========

View File

@ -19,21 +19,21 @@ int seccomp_enable_basic_filter(void){
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl SET_NO_NEW_PRIVS"); girara_error("prctl SET_NO_NEW_PRIVS");
exit(EXIT_FAILURE); return -1;
} }
/* prevent escape via ptrace */ /* prevent escape via ptrace */
if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){ if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
perror("prctl PR_SET_DUMPABLE"); girara_error("prctl PR_SET_DUMPABLE");
exit(EXIT_FAILURE); return -1;
} }
/* initialize the filter */ /* initialize the filter */
ctx = seccomp_init(SCMP_ACT_ALLOW); ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL){ if (ctx == NULL){
perror("seccomp_init failed"); girara_error("seccomp_init failed");
exit(EXIT_FAILURE); return -1;
} }
DENY_RULE (_sysctl); DENY_RULE (_sysctl);
@ -101,7 +101,7 @@ int seccomp_enable_basic_filter(void){
out: out:
/* something went wrong */ /* something went wrong */
seccomp_release(ctx); seccomp_release(ctx);
return 1; return -1;
} }
@ -370,7 +370,7 @@ int seccomp_enable_strict_filter(void){
out: out:
/* something went wrong */ /* something went wrong */
seccomp_release(ctx); seccomp_release(ctx);
return 1; return -1;
} }
#endif /* WITH_SECCOMP */ #endif /* WITH_SECCOMP */

View File

@ -221,6 +221,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
default: default:
break; break;
} }
g_free(sandbox);
} }
void void

View File

@ -302,11 +302,25 @@ main(int argc, char* argv[])
girara_debug("Sandbox deactivated."); girara_debug("Sandbox deactivated.");
} else if (g_strcmp0(sandbox, "normal") == 0) { } else if (g_strcmp0(sandbox, "normal") == 0) {
girara_debug("Basic sandbox allowing normal operation."); girara_debug("Basic sandbox allowing normal operation.");
seccomp_enable_basic_filter(); ret = seccomp_enable_basic_filter();
if (ret){
goto free_and_ret;
}
} else if (g_strcmp0(sandbox, "strict") == 0) { } else if (g_strcmp0(sandbox, "strict") == 0) {
girara_debug("Strict sandbox preventing write and network access."); girara_debug("Strict sandbox preventing write and network access.");
seccomp_enable_strict_filter(); ret = seccomp_enable_strict_filter();
if (ret){
goto free_and_ret;
} }
} else {
girara_error("Invalid sandbox option");
ret = -1;
goto free_and_ret;
}
g_free(sandbox);
#endif #endif