remove normal sandbox mode
parent
3450c68d43
commit
9f602c2e57
5 changed files with 1 additions and 116 deletions
@ -159,8 +159,6 @@ cb_sandbox_changed(girara_session_t* session, const char* name,
|
|||
const char* sandbox = value;
|
||||
if (g_strcmp0(sandbox, "none") == 0) {
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
|
||||
} else if (g_strcmp0(sandbox, "normal") == 0) {
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL;
|
||||
} else if (g_strcmp0(sandbox, "strict") == 0) {
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
|
||||
} else {
|
||||
|
|
|
@ -33,106 +33,6 @@
|
|||
#define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0)
|
||||
#define ERRNO_RULE(call) ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), call, 0)
|
||||
|
||||
int
|
||||
seccomp_enable_basic_filter(void)
|
||||
{
|
||||
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||
girara_error("prctl SET_NO_NEW_PRIVS");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* prevent escape via ptrace */
|
||||
if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
|
||||
girara_error("prctl PR_SET_DUMPABLE");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* initialize the filter */
|
||||
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
|
||||
if (ctx == NULL) {
|
||||
girara_error("seccomp_init failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
DENY_RULE(_sysctl);
|
||||
DENY_RULE(acct);
|
||||
DENY_RULE(add_key);
|
||||
DENY_RULE(adjtimex);
|
||||
/* DENY_RULE(chroot); used by firefox */
|
||||
DENY_RULE(clock_adjtime);
|
||||
DENY_RULE(create_module);
|
||||
DENY_RULE(delete_module);
|
||||
DENY_RULE(fanotify_init);
|
||||
DENY_RULE(finit_module);
|
||||
DENY_RULE(get_kernel_syms);
|
||||
DENY_RULE(get_mempolicy);
|
||||
DENY_RULE(init_module);
|
||||
DENY_RULE(io_cancel);
|
||||
DENY_RULE(io_destroy);
|
||||
DENY_RULE(io_getevents);
|
||||
DENY_RULE(io_setup);
|
||||
DENY_RULE(io_submit);
|
||||
DENY_RULE(ioperm);
|
||||
DENY_RULE(iopl);
|
||||
DENY_RULE(ioprio_set);
|
||||
DENY_RULE(kcmp);
|
||||
DENY_RULE(kexec_file_load);
|
||||
DENY_RULE(kexec_load);
|
||||
DENY_RULE(keyctl);
|
||||
DENY_RULE(lookup_dcookie);
|
||||
DENY_RULE(mbind);
|
||||
DENY_RULE(nfsservctl);
|
||||
DENY_RULE(migrate_pages);
|
||||
DENY_RULE(modify_ldt);
|
||||
DENY_RULE(mount);
|
||||
#if defined(__NR_mount_setattr) && defined(__SNR_mount_setattr)
|
||||
DENY_RULE(mount_setattr);
|
||||
#endif
|
||||
DENY_RULE(move_pages);
|
||||
DENY_RULE(name_to_handle_at);
|
||||
DENY_RULE(open_by_handle_at);
|
||||
DENY_RULE(perf_event_open);
|
||||
DENY_RULE(pivot_root);
|
||||
DENY_RULE(process_vm_readv);
|
||||
DENY_RULE(process_vm_writev);
|
||||
DENY_RULE(ptrace);
|
||||
DENY_RULE(reboot);
|
||||
DENY_RULE(remap_file_pages);
|
||||
DENY_RULE(request_key);
|
||||
DENY_RULE(set_mempolicy);
|
||||
DENY_RULE(swapoff);
|
||||
DENY_RULE(swapon);
|
||||
DENY_RULE(sysfs);
|
||||
DENY_RULE(syslog);
|
||||
DENY_RULE(tuxcall);
|
||||
DENY_RULE(umount);
|
||||
DENY_RULE(umount2);
|
||||
DENY_RULE(uselib);
|
||||
|
||||
/*
|
||||
*
|
||||
* In case this basic filter is actually triggered, print a clear error message to report this
|
||||
* The syscalls here should never be executed by an unprivileged process
|
||||
*
|
||||
* */
|
||||
|
||||
girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
|
||||
Errors reporting 'bad system call' may be an indicator of compromise");
|
||||
|
||||
/* applying filter... */
|
||||
if (seccomp_load(ctx) >= 0) {
|
||||
/* free ctx after the filter has been loaded into the kernel */
|
||||
seccomp_release(ctx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
out:
|
||||
/* something went wrong */
|
||||
seccomp_release(ctx);
|
||||
return -1;
|
||||
}
|
||||
|
||||
int
|
||||
seccomp_enable_strict_filter(zathura_t* zathura)
|
||||
{
|
||||
|
|
|
@ -5,11 +5,6 @@
|
|||
|
||||
#include "zathura.h"
|
||||
|
||||
/* basic filter */
|
||||
/* this mode allows normal use */
|
||||
/* only dangerous syscalls are blacklisted */
|
||||
int seccomp_enable_basic_filter(void);
|
||||
|
||||
/* strict filter before document parsing */
|
||||
/* this filter is to be enabled after most of the initialisation of zathura has finished */
|
||||
int seccomp_enable_strict_filter(zathura_t* zathura);
|
||||
|
|
|
@ -93,7 +93,7 @@ zathura_create(void)
|
|||
zathura->global.search_direction = FORWARD;
|
||||
zathura->global.synctex_edit_modmask = GDK_CONTROL_MASK;
|
||||
zathura->global.highlighter_modmask = GDK_SHIFT_MASK;
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL;
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
|
||||
zathura->global.double_click_follow = true;
|
||||
|
||||
/* plugins */
|
||||
|
@ -446,13 +446,6 @@ zathura_init(zathura_t* zathura)
|
|||
case ZATHURA_SANDBOX_NONE:
|
||||
girara_debug("Sandbox deactivated.");
|
||||
break;
|
||||
case ZATHURA_SANDBOX_NORMAL:
|
||||
girara_debug("Basic sandbox allowing normal operation.");
|
||||
if (seccomp_enable_basic_filter() != 0) {
|
||||
girara_error("Failed to initialize basic seccomp filter.");
|
||||
goto error_free;
|
||||
}
|
||||
break;
|
||||
case ZATHURA_SANDBOX_STRICT:
|
||||
girara_debug("Strict sandbox preventing write and network access.");
|
||||
if (seccomp_enable_strict_filter(zathura) != 0) {
|
||||
|
|
|
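Review bot: The single added line `zathura->global.sandbox = ZATHURA_SANDBOX_NONE;` in zathura_create turns the shipped default from a seccomp-filtered process into an unsandboxed one, and nothing in the commit records that for users; the description should say so, and a comment at the assignment would help, e.g. `/* default is no sandbox; "set sandbox strict" enables the seccomp filter */`. The deleted seccomp_enable_basic_filter (hunk `@ -33,106 +33,6 @@`) was also where `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` were issued, so it is worth confirming that seccomp_enable_strict_filter, whose body lies outside that hunk, performs the same two calls, otherwise that hardening no longer runs in any mode. A zathurarc that still contains `set sandbox normal` now falls through to the `else` branch of cb_sandbox_changed (hunk `@ -159,8 +159,6 @@`, branch body outside the view) instead of a sandboxed mode; that branch should name the removed value in its message or accept "normal" as a deprecated alias rather than silently leaving the user with whatever the default is. zathura_create and zathura_init both start and end outside these hunks.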
@ -84,7 +84,6 @@ enum {
|
|||
|
||||
typedef enum {
|
||||
ZATHURA_SANDBOX_NONE,
|
||||
ZATHURA_SANDBOX_NORMAL,
|
||||
ZATHURA_SANDBOX_STRICT
|
||||
} zathura_sandbox_t;
|
||||
|
||||
|
|