code cleanup

This commit is contained in:
valoq 2018-01-28 15:50:00 +01:00
parent 4bde3d793f
commit 739a18540a
Failed to generate hash of commit
5 changed files with 27 additions and 67 deletions

View file

@ -121,11 +121,12 @@ endif
endif endif
ifneq (${WITH_SECCOMP},0) ifneq (${WITH_SECCOMP},0)
SECCOMP_INC ?= ifeq (${LIBSECCOMP_INC}-${LIBSECCOMP_LIB},-)
SECCOMP_LIB ?= -lseccomp PKG_CONFIG_LIBS += libseccomp
else
INCS += ${SECCOMP_INC} INCS += ${LIBSECCOMP_INC}
LIBS += ${SECCOMP_LIB} LIBS += ${LIBSECCOMP_LIB}
endif
endif endif
ifneq (${PKG_CONFIG_LIBS},) ifneq (${PKG_CONFIG_LIBS},)

View file

@ -13,12 +13,10 @@
#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; } #define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; }
#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } #define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
int seccomp_enable_protected_mode(void){
scmp_filter_ctx ctx; scmp_filter_ctx ctx;
int protectedMode(void){
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl SET_NO_NEW_PRIVS"); perror("prctl SET_NO_NEW_PRIVS");
@ -38,7 +36,6 @@ int protectedMode(void){
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
DENY_RULE (_sysctl); DENY_RULE (_sysctl);
DENY_RULE (acct); DENY_RULE (acct);
DENY_RULE (add_key); DENY_RULE (add_key);
@ -91,7 +88,6 @@ int protectedMode(void){
DENY_RULE (uselib); DENY_RULE (uselib);
DENY_RULE (vmsplice); DENY_RULE (vmsplice);
/* applying filter... */ /* applying filter... */
if (seccomp_load (ctx) >= 0){ if (seccomp_load (ctx) >= 0){
/* free ctx after the filter has been loaded into the kernel */ /* free ctx after the filter has been loaded into the kernel */
@ -103,11 +99,12 @@ int protectedMode(void){
/* something went wrong */ /* something went wrong */
seccomp_release(ctx); seccomp_release(ctx);
return 1; return 1;
} }
int protectedView(void){ int seccomp_enable_protected_view(void){
scmp_filter_ctx ctx;
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@ -128,7 +125,6 @@ int protectedView(void){
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
ALLOW_RULE (access); ALLOW_RULE (access);
ALLOW_RULE (bind); ALLOW_RULE (bind);
ALLOW_RULE (brk); ALLOW_RULE (brk);
@ -210,22 +206,18 @@ int protectedView(void){
ALLOW_RULE (writev); ALLOW_RULE (writev);
ALLOW_RULE (wait4); /* trying to open links should not crash the app */ ALLOW_RULE (wait4); /* trying to open links should not crash the app */
/* allowed for use with container */ /* allowed for use with container */
ALLOW_RULE (chmod); ALLOW_RULE (chmod);
ALLOW_RULE (link); ALLOW_RULE (link);
ALLOW_RULE (rename); ALLOW_RULE (rename);
/* allowed for debugging: */ /* allowed for debugging: */
/* ALLOW_RULE (prctl); */ /* ALLOW_RULE (prctl); */
/* ALLOW_RULE (ioctl); */ /* ALLOW_RULE (ioctl); */
/* incomplete */ /* incomplete */
/* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */ /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
@ -272,8 +264,6 @@ int protectedView(void){
/* goto out; */ /* goto out; */
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */ /* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
/* otherwise it will try to connect to X11 using inet socket protocol */ /* otherwise it will try to connect to X11 using inet socket protocol */
@ -288,7 +278,6 @@ int protectedView(void){
goto out; goto out;
/* TODO: avoid the need for the open syscall to be allowed with write permissions */ /* TODO: avoid the need for the open syscall to be allowed with write permissions */
/* zathura needs to open files for writing to save current position */ /* zathura needs to open files for writing to save current position */
@ -307,12 +296,8 @@ int protectedView(void){
/* goto out; */ /* goto out; */
/* ------------ experimental filters --------------- */ /* ------------ experimental filters --------------- */
/* /\* this filter is susceptible to TOCTOU race conditions, providing limited use *\/ */ /* /\* this filter is susceptible to TOCTOU race conditions, providing limited use *\/ */
/* /\* allow opening only specified files identified by their file descriptors*\/ */ /* /\* allow opening only specified files identified by their file descriptors*\/ */
@ -381,12 +366,12 @@ int protectedView(void){
/* something went wrong */ /* something went wrong */
seccomp_release(ctx); seccomp_release(ctx);
return 1; return 1;
} }
int strictFilter(void){ int seccomp_enable_strict_filter(void){
scmp_filter_ctx ctx;
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@ -407,7 +392,6 @@ int strictFilter(void){
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
ALLOW_RULE (access); ALLOW_RULE (access);
/* ALLOW_RULE (arch_prctl); */ /* ALLOW_RULE (arch_prctl); */
ALLOW_RULE (bind); ALLOW_RULE (bind);
@ -497,7 +481,6 @@ int strictFilter(void){
goto out; goto out;
/* needed by gtk??? (does not load content without) */ /* needed by gtk??? (does not load content without) */
/* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */ /* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */
@ -510,7 +493,6 @@ int strictFilter(void){
goto out; goto out;
/* allowed for debugging: */ /* allowed for debugging: */
/* ALLOW_RULE (prctl); */ /* ALLOW_RULE (prctl); */
@ -530,25 +512,4 @@ int strictFilter(void){
return 1; return 1;
} }
#else /* WITH_SECCOMP */
int protectedMode(void){
perror("No seccomp support compiled-in\n");
return 1;
}
int protectedView(void){
perror("No seccomp support compiled-in\n");
return 1;
}
int strictFilter(void){
perror("No seccomp support compiled-in\n");
return 1;
}
#endif /* WITH_SECCOMP */ #endif /* WITH_SECCOMP */

View file

@ -4,16 +4,16 @@
/* basic filter */ /* basic filter */
/* this mode allows normal use */ /* this mode allows normal use */
/* only dangerous syscalls are blacklisted */ /* only dangerous syscalls are blacklisted */
int protectedMode(void); int seccomp_enable_protected_mode(void);
/* secure whitelist filter */ /* secure whitelist filter */
/* whitelist minimal syscalls only */ /* whitelist minimal syscalls only */
/* this mode does not allow to open external links or to start applications */ /* this mode does not allow to open external links or to start applications */
/* network connections are prohibited as well */ /* network connections are prohibited as well */
int protectedView(void); int seccomp_enable_protected_view(void);
/* strict filter before document parsing */ /* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */ /* this filter is to be enabled after most of the initialisation of zathura has finished */
int strictFilter(void); int seccomp_enable_strict_filter(void);
#endif #endif

View file

@ -207,8 +207,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
if (girara_xdg_open(link->target.value) == false) { if (girara_xdg_open(link->target.value) == false) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Failed to run xdg-open.")); girara_notify(zathura->ui.session, GIRARA_ERROR, _("Failed to run xdg-open."));
} }
#endif #else
#ifdef WITH_SECCOMP
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Opening external apps in protectedView Sandbox mode is not permitted")); girara_notify(zathura->ui.session, GIRARA_ERROR, _("Opening external apps in protectedView Sandbox mode is not permitted"));
#endif #endif
break; break;

View file

@ -20,7 +20,6 @@
#endif #endif
#ifdef WITH_SECCOMP #ifdef WITH_SECCOMP
#include <unistd.h>
#include "libsec.h" #include "libsec.h"
#endif #endif
@ -129,7 +128,7 @@ main(int argc, char* argv[])
{ {
#ifdef WITH_SECCOMP #ifdef WITH_SECCOMP
protectedView(); seccomp_enable_protected_view();
#endif #endif
init_locale(); init_locale();
@ -300,7 +299,7 @@ main(int argc, char* argv[])
#ifdef WITH_SECCOMP #ifdef WITH_SECCOMP
/* enforce strict syscall filter before parsing the document */ /* enforce strict syscall filter before parsing the document */
strictFilter(); seccomp_enable_strict_filter();
#endif #endif
/* open document if passed */ /* open document if passed */