Merge branch 'valoq/zathura-master' into develop

Sebastian Ramacher 2018-07-26 11:14:17 +02:00
commit 67d2b29a3b
5 changed files with 17 additions and 7 deletions

8
README

@ -33,9 +33,11 @@ The use of magic to detect mime types is optional and can be disabled by
configuring the build system with -Denable-magic=false. configuring the build system with -Denable-magic=false.
The use of seccomp to create a sandboxed environment is optional and can be The use of seccomp to create a sandboxed environment is optional and can be
enabled by configure the build system with -Denable-seccomp=true. Note that the disabled by configure the build system with -Denable-seccomp=false.
sandbox is currently only available as experimental preview. Some commands, The sandbox will by default be set to "normal" mode, which should not interfere
shortcuts and other functionality might break. with the normal operation of zathura. For strict sandbox mode set "sandbox strict"
in zathurarc. Strict sandbox mode will reduce the available functionality of zathura
and provide a read only document viewer.
Installation Installation
------------ ------------


@ -1057,6 +1057,12 @@ is a read only sandbox that is intended for viewing documents only.
* Value type: String * Value type: String
* Default value: normal * Default value: normal
Blocked features in strcit sandbox mode:
- saving/writing files
- use of input methods like ibus
- printing
- bookmarks and history
SEE ALSO SEE ALSO
======== ========


@ -15,6 +15,6 @@ option('enable-magic',
) )
option('enable-seccomp', option('enable-seccomp',
type: 'boolean', type: 'boolean',
value: false, value: true,
description: 'Enable experimental seccomp support if available.' description: 'Enable experimental seccomp support if available.'
) )
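Review bot: With the default flipped to `true`, the description `'Enable experimental seccomp support if available.'` no longer matches the option: the sandbox is now built in by default, and the README text in this same commit drops the "experimental preview" wording. Suggest `description: 'Enable seccomp sandbox support if available.'` so the option help and the README agree. What happens when libseccomp is missing is not visible in this hunk; for a default-on security feature, a silent fallback to an unsandboxed build would be worth surfacing at configure time.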


@ -248,17 +248,17 @@ seccomp_enable_strict_filter(void)
/* special restrictions for openat, prevent opening files for writing */ /* special restrictions for openat, prevent opening files for writing */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) {
goto out; goto out;
} }
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) {
goto out; goto out;
} }
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) { SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) {
goto out; goto out;
} }
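Review bot: The allow rule on openat masks only the access-mode bits (`O_WRONLY | O_RDWR`), so a call with `O_RDONLY | O_CREAT` or `O_RDONLY | O_TRUNC` still matches it; on Linux the first can create a file and the second may truncate one the user can write to, which a read-only sandbox should refuse. Widening the mask in the first rule to `O_WRONLY | O_RDWR | O_CREAT | O_TRUNC` would close that, with a matching `SCMP_ACT_ERRNO (EACCES)` rule if the filter's default action (not visible here) is to kill the process. The corrected index 2 is right for openat, whose flags follow dirfd and pathname; if plain `open` is filtered elsewhere in seccomp_enable_strict_filter, its flags are argument 1, so a short comment stating which argument each rule inspects would keep the two from being confused again. The function begins and ends outside this hunk.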


@ -442,6 +442,8 @@ zathura_init(zathura_t* zathura)
if (seccomp_enable_strict_filter() != 0) { if (seccomp_enable_strict_filter() != 0) {
goto error_free; goto error_free;
} }
/* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE");
break; break;
} }
#endif #endif
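Review bot: Unsetting `GTK_IM_MODULE` in the strict-sandbox branch removes only one of the inputs GTK uses to pick an input method; with the variable absent GTK can presumably still choose a module from the `gtk-im-module` setting or from the locale, so an external IM service may still be contacted. Pinning the built-in context instead, e.g. `g_setenv("GTK_IM_MODULE", "gtk-im-context-simple", TRUE);`, would make the choice explicit; this is worth confirming against the GTK version in use. The return value of `unsetenv` is also ignored, and the call runs after `seccomp_enable_strict_filter()` has already succeeded, so a failure here leaves the filter active with the IM module still configured. The enclosing switch and zathura_init start and end outside this hunk.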