remove normal sandbox mode

valoq 2024-03-10 18:41:04 +01:00
parent 3450c68d43
commit 9f602c2e57
5 changed files with 1 additions and 116 deletions


@ -159,8 +159,6 @@ cb_sandbox_changed(girara_session_t* session, const char* name,
const char* sandbox = value; const char* sandbox = value;
if (g_strcmp0(sandbox, "none") == 0) { if (g_strcmp0(sandbox, "none") == 0) {
zathura->global.sandbox = ZATHURA_SANDBOX_NONE; zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
} else if (g_strcmp0(sandbox, "normal") == 0) {
zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL;
} else if (g_strcmp0(sandbox, "strict") == 0) { } else if (g_strcmp0(sandbox, "strict") == 0) {
zathura->global.sandbox = ZATHURA_SANDBOX_STRICT; zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
} else { } else {


@ -33,106 +33,6 @@
#define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0) #define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0)
#define ERRNO_RULE(call) ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), call, 0) #define ERRNO_RULE(call) ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), call, 0)
int
seccomp_enable_basic_filter(void)
{
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
girara_error("prctl SET_NO_NEW_PRIVS");
return -1;
}
/* prevent escape via ptrace */
if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
girara_error("prctl PR_SET_DUMPABLE");
return -1;
}
/* initialize the filter */
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
girara_error("seccomp_init failed");
return -1;
}
DENY_RULE(_sysctl);
DENY_RULE(acct);
DENY_RULE(add_key);
DENY_RULE(adjtimex);
/* DENY_RULE(chroot); used by firefox */
DENY_RULE(clock_adjtime);
DENY_RULE(create_module);
DENY_RULE(delete_module);
DENY_RULE(fanotify_init);
DENY_RULE(finit_module);
DENY_RULE(get_kernel_syms);
DENY_RULE(get_mempolicy);
DENY_RULE(init_module);
DENY_RULE(io_cancel);
DENY_RULE(io_destroy);
DENY_RULE(io_getevents);
DENY_RULE(io_setup);
DENY_RULE(io_submit);
DENY_RULE(ioperm);
DENY_RULE(iopl);
DENY_RULE(ioprio_set);
DENY_RULE(kcmp);
DENY_RULE(kexec_file_load);
DENY_RULE(kexec_load);
DENY_RULE(keyctl);
DENY_RULE(lookup_dcookie);
DENY_RULE(mbind);
DENY_RULE(nfsservctl);
DENY_RULE(migrate_pages);
DENY_RULE(modify_ldt);
DENY_RULE(mount);
#if defined(__NR_mount_setattr) && defined(__SNR_mount_setattr)
DENY_RULE(mount_setattr);
#endif
DENY_RULE(move_pages);
DENY_RULE(name_to_handle_at);
DENY_RULE(open_by_handle_at);
DENY_RULE(perf_event_open);
DENY_RULE(pivot_root);
DENY_RULE(process_vm_readv);
DENY_RULE(process_vm_writev);
DENY_RULE(ptrace);
DENY_RULE(reboot);
DENY_RULE(remap_file_pages);
DENY_RULE(request_key);
DENY_RULE(set_mempolicy);
DENY_RULE(swapoff);
DENY_RULE(swapon);
DENY_RULE(sysfs);
DENY_RULE(syslog);
DENY_RULE(tuxcall);
DENY_RULE(umount);
DENY_RULE(umount2);
DENY_RULE(uselib);
/*
*
* In case this basic filter is actually triggered, print a clear error message to report this
* The syscalls here should never be executed by an unprivileged process
*
* */
girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
Errors reporting 'bad system call' may be an indicator of compromise");
/* applying filter... */
if (seccomp_load(ctx) >= 0) {
/* free ctx after the filter has been loaded into the kernel */
seccomp_release(ctx);
return 0;
}
out:
/* something went wrong */
seccomp_release(ctx);
return -1;
}
int int
seccomp_enable_strict_filter(zathura_t* zathura) seccomp_enable_strict_filter(zathura_t* zathura)
{ {


@ -5,11 +5,6 @@
#include "zathura.h" #include "zathura.h"
/* basic filter */
/* this mode allows normal use */
/* only dangerous syscalls are blacklisted */
int seccomp_enable_basic_filter(void);
/* strict filter before document parsing */ /* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */ /* this filter is to be enabled after most of the initialisation of zathura has finished */
int seccomp_enable_strict_filter(zathura_t* zathura); int seccomp_enable_strict_filter(zathura_t* zathura);


@ -93,7 +93,7 @@ zathura_create(void)
zathura->global.search_direction = FORWARD; zathura->global.search_direction = FORWARD;
zathura->global.synctex_edit_modmask = GDK_CONTROL_MASK; zathura->global.synctex_edit_modmask = GDK_CONTROL_MASK;
zathura->global.highlighter_modmask = GDK_SHIFT_MASK; zathura->global.highlighter_modmask = GDK_SHIFT_MASK;
zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL; zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
zathura->global.double_click_follow = true; zathura->global.double_click_follow = true;
/* plugins */ /* plugins */
@ -446,13 +446,6 @@ zathura_init(zathura_t* zathura)
case ZATHURA_SANDBOX_NONE: case ZATHURA_SANDBOX_NONE:
girara_debug("Sandbox deactivated."); girara_debug("Sandbox deactivated.");
break; break;
case ZATHURA_SANDBOX_NORMAL:
girara_debug("Basic sandbox allowing normal operation.");
if (seccomp_enable_basic_filter() != 0) {
girara_error("Failed to initialize basic seccomp filter.");
goto error_free;
}
break;
case ZATHURA_SANDBOX_STRICT: case ZATHURA_SANDBOX_STRICT:
girara_debug("Strict sandbox preventing write and network access."); girara_debug("Strict sandbox preventing write and network access.");
if (seccomp_enable_strict_filter(zathura) != 0) { if (seccomp_enable_strict_filter(zathura) != 0) {
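Review bot: The default at line 141 drops from ZATHURA_SANDBOX_NORMAL to ZATHURA_SANDBOX_NONE, so a stock installation now parses untrusted documents with no seccomp filter at all, and nothing in the hunk records that this weakening is deliberate or how to opt back in. A comment on the assignment would make the posture explicit, e.g. `/* No seccomp filter by default: the former "normal" syscall blacklist was removed; "strict" (blocks writes and network) must be opted into with the sandbox setting. */`. A configuration that still contains "set sandbox normal" no longer matches any branch in cb_sandbox_changed and presumably falls through to its else branch (outside this view); unless that branch rejects the value loudly, such a user silently ends up unsandboxed, so a girara_warning naming the removed mode and pointing to "strict" is worth adding there, or at least a changelog entry. zathura_init's body continues outside the hunk.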


@ -84,7 +84,6 @@ enum {
typedef enum { typedef enum {
ZATHURA_SANDBOX_NONE, ZATHURA_SANDBOX_NONE,
ZATHURA_SANDBOX_NORMAL,
ZATHURA_SANDBOX_STRICT ZATHURA_SANDBOX_STRICT
} zathura_sandbox_t; } zathura_sandbox_t;