This commit is contained in:
Sebastian Ramacher 2023-12-09 10:15:55 +01:00
parent 3ca6b9c837
commit 921485378d


@ -153,7 +153,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
* allowing for a potential fallback function to execute * allowing for a potential fallback function to execute
* scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(ENOSYS));*/ * scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ERRNO(ENOSYS));*/
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS); scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
if (ctx == NULL){ if (ctx == NULL) {
girara_error("seccomp_init failed"); girara_error("seccomp_init failed");
return -1; return -1;
} }
@ -254,7 +254,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
#ifdef GDK_WINDOWING_X11 #ifdef GDK_WINDOWING_X11
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view); GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
if (GDK_IS_X11_DISPLAY (display)) { if (GDK_IS_X11_DISPLAY(display)) {
girara_debug("On X11, supporting X11 syscalls"); girara_debug("On X11, supporting X11 syscalls");
girara_warning("Running strict sandbox mode on X11 provides only \ girara_warning("Running strict sandbox mode on X11 provides only \
incomplete process isolation."); incomplete process isolation.");
@ -269,14 +269,13 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(connect); ALLOW_RULE(connect);
ALLOW_RULE(umask); ALLOW_RULE(umask);
ALLOW_RULE(uname); ALLOW_RULE(uname);
ALLOW_RULE(shmat); ALLOW_RULE(shmat);
ALLOW_RULE(shmctl); ALLOW_RULE(shmctl);
ALLOW_RULE(shmdt); ALLOW_RULE(shmdt);
ALLOW_RULE(shmget); ALLOW_RULE(shmget);
ALLOW_RULE(recvfrom); ALLOW_RULE(recvfrom);
ALLOW_RULE(writev); /* pwritev, pwritev2 */ ALLOW_RULE(writev); /* pwritev, pwritev2 */
} } else {
else {
girara_debug("On Wayland, blocking X11 syscalls"); girara_debug("On Wayland, blocking X11 syscalls");
} }
#endif #endif
@ -346,9 +345,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ERRNO_RULE(fchmodat2); ERRNO_RULE(fchmodat2);
#endif #endif
/* Sandbox Status Notes: /* Sandbox Status Notes:
* *
* write: no actual files on the filesystem are opened with write permissions * write: no actual files on the filesystem are opened with write permissions
@ -373,11 +369,9 @@ seccomp_enable_strict_filter(zathura_t* zathura)
* *
*/ */
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */ /* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
/* otherwise it will try to connect to X11 using inet socket protocol */ /* otherwise it will try to connect to X11 using inet socket protocol */
/* applying filter... */ /* applying filter... */
if (seccomp_load(ctx) >= 0) { if (seccomp_load(ctx) >= 0) {
/* free ctx after the filter has been loaded into the kernel */ /* free ctx after the filter has been loaded into the kernel */
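Review bot: The two comment lines just before `/* applying filter... */` say to unset DISPLAY when running on Wayland with an X11 server reachable, but nothing in this hunk does so, and because the filter's default action is SCMP_ACT_KILL_PROCESS (first hunk), a Wayland session that still exports DISPLAY would be killed on the blocked X11 connect rather than failing over. Unless some other path clears the variable, the natural place is the Wayland branch of the GDK_WINDOWING_X11 block, before seccomp_load: `unsetenv("DISPLAY");` right after the `girara_debug("On Wayland, blocking X11 syscalls");` line, since environment changes need no syscall and happen before the filter is installed. If the comment is instead meant as guidance for callers, it should say so explicitly, e.g. `/* NOTE: a caller on Wayland must unset DISPLAY before this filter is loaded, otherwise the X11 inet connect attempt is killed by the default action */`. seccomp_enable_strict_filter continues past the end of this hunk.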