mirrors/zathura
1
0
Fork 0
mirror of https://git.pwmt.org/pwmt/zathura.git synced 2024-11-10 18:13:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

simplify sandbox test

Browse Source
This commit is contained in:
valoq 2020-06-01 19:32:21 +02:00
parent 5547374334
commit aa2bc80f51
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
5 changed files with 8 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tests/test_sandbox.c
View File

@ -7,7 +7,7 @@
START_TEST(test_create) {
zathura_t* zathura = zathura_create();
zathura->global.sandbox = ZATHURA_SANDBOX_TEST;
zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
fail_unless(zathura != NULL, "Could not create strictly sandboxed session", NULL);
fail_unless(zathura_init(zathura) == true, "Could not initialize strictly sandboxed session", NULL);
zathura_free(zathura);

11
zathura/seccomp-filters.c
View File

@ -117,7 +117,7 @@ out:
}
int
seccomp_enable_strict_filter(bool test)
seccomp_enable_strict_filter(void)
{
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@ -224,11 +224,10 @@ seccomp_enable_strict_filter(bool test)
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
/* check test flag, allow additional syscalls for test mode */
if (test) {
ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete);
}
/* required for testing only */
ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete);
/* Special requirements for ioctl, allowed on stdout/stderr */
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));

4
zathura/seccomp-filters.h
View File

@ -3,8 +3,6 @@
#ifndef ZATHURA_SECCOMP_FILTERS_H
#define ZATHURA_SECCOMP_FILTERS_H
#include <stdbool.h>
/* basic filter */
/* this mode allows normal use */
/* only dangerous syscalls are blacklisted */
@ -12,6 +10,6 @@ int seccomp_enable_basic_filter(void);
/* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */
int seccomp_enable_strict_filter(bool test);
int seccomp_enable_strict_filter(void);
#endif

11
zathura/zathura.c
View File

@ -448,22 +448,13 @@ zathura_init(zathura_t* zathura)
break;
case ZATHURA_SANDBOX_STRICT:
girara_debug("Strict sandbox preventing write and network access.");
if (seccomp_enable_strict_filter(false) != 0) {
if (seccomp_enable_strict_filter() != 0) {
girara_error("Failed to initialize strict seccomp filter.");
goto error_free;
}
/* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE");
break;
case ZATHURA_SANDBOX_TEST:
girara_debug("Strict sandbox preventing write and network access, testmode.");
if (seccomp_enable_strict_filter(true) != 0) {
girara_error("Failed to initialize test seccomp filter.");
goto error_free;
}
/* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE");
break;
}
#endif

1
zathura/zathura.h
View File

@ -86,7 +86,6 @@ typedef enum {
ZATHURA_SANDBOX_NONE,
ZATHURA_SANDBOX_NORMAL,
ZATHURA_SANDBOX_STRICT,
ZATHURA_SANDBOX_TEST
} zathura_sandbox_t;
/* forward declaration for types from database.h */