CS
parent
3ca6b9c837
commit
921485378d
1 changed files with 4 additions and 10 deletions
|
@ -153,7 +153,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
* allowing for a potential fallback function to execute
|
* allowing for a potential fallback function to execute
|
||||||
* scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(ENOSYS));*/
|
* scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(ENOSYS));*/
|
||||||
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
|
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
|
||||||
if (ctx == NULL){
|
if (ctx == NULL) {
|
||||||
girara_error("seccomp_init failed");
|
girara_error("seccomp_init failed");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -254,7 +254,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
#ifdef GDK_WINDOWING_X11
|
#ifdef GDK_WINDOWING_X11
|
||||||
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
|
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
|
||||||
|
|
||||||
if (GDK_IS_X11_DISPLAY (display)) {
|
if (GDK_IS_X11_DISPLAY(display)) {
|
||||||
girara_debug("On X11, supporting X11 syscalls");
|
girara_debug("On X11, supporting X11 syscalls");
|
||||||
girara_warning("Running strict sandbox mode on X11 provides only \
|
girara_warning("Running strict sandbox mode on X11 provides only \
|
||||||
incomplete process isolation.");
|
incomplete process isolation.");
|
||||||
|
@ -269,14 +269,13 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ALLOW_RULE(connect);
|
ALLOW_RULE(connect);
|
||||||
ALLOW_RULE(umask);
|
ALLOW_RULE(umask);
|
||||||
ALLOW_RULE(uname);
|
ALLOW_RULE(uname);
|
||||||
ALLOW_RULE(shmat);
|
ALLOW_RULE(shmat);
|
||||||
ALLOW_RULE(shmctl);
|
ALLOW_RULE(shmctl);
|
||||||
ALLOW_RULE(shmdt);
|
ALLOW_RULE(shmdt);
|
||||||
ALLOW_RULE(shmget);
|
ALLOW_RULE(shmget);
|
||||||
ALLOW_RULE(recvfrom);
|
ALLOW_RULE(recvfrom);
|
||||||
ALLOW_RULE(writev); /* pwritev, pwritev2 */
|
ALLOW_RULE(writev); /* pwritev, pwritev2 */
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
girara_debug("On Wayland, blocking X11 syscalls");
|
girara_debug("On Wayland, blocking X11 syscalls");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -346,9 +345,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
ERRNO_RULE(fchmodat2);
|
ERRNO_RULE(fchmodat2);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* Sandbox Status Notes:
|
/* Sandbox Status Notes:
|
||||||
*
|
*
|
||||||
* write: no actual files on the filesystem are opened with write permissions
|
* write: no actual files on the filesystem are opened with write permissions
|
||||||
|
@ -373,11 +369,9 @@ seccomp_enable_strict_filter(zathura_t* zathura)
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
|
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
|
||||||
/* otherwise it will try to connect to X11 using inet socket protocol */
|
/* otherwise it will try to connect to X11 using inet socket protocol */
|
||||||
|
|
||||||
|
|
||||||
/* applying filter... */
|
/* applying filter... */
|
||||||
if (seccomp_load(ctx) >= 0) {
|
if (seccomp_load(ctx) >= 0) {
|
||||||
/* free ctx after the filter has been loaded into the kernel */
|
/* free ctx after the filter has been loaded into the kernel */
|
||||||
|
|
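Review bot: The two-line comment near the end of the last hunk says DISPLAY is unset when zathura runs on Wayland, but no statement follows it on the new side; the next code is the `seccomp_load(ctx)` call. Someone auditing the sandbox cannot tell from here whether the unset actually happens, which matters because the comment itself says the process would otherwise try to reach X11 over an inet socket. If the variable is cleared elsewhere, I would reword the comment to say so, for example `/* DISPLAY is unset by the caller before this filter is loaded (see <location>) */`, and otherwise drop the comment or add the call it describes. The body of seccomp_enable_strict_filter starts and ends outside this hunk, so the call may simply be out of view.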