mirror of
https://git.pwmt.org/pwmt/zathura.git
synced 2024-12-27 13:36:00 +01:00
simplify sandbox test
parent
5547374334
commit
aa2bc80f51
5 changed files with 8 additions and 21 deletions
|
@ -7,7 +7,7 @@
|
|||
|
||||
START_TEST(test_create) {
|
||||
zathura_t* zathura = zathura_create();
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_TEST;
|
||||
zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
|
||||
fail_unless(zathura != NULL, "Could not create strictly sandboxed session", NULL);
|
||||
fail_unless(zathura_init(zathura) == true, "Could not initialize strictly sandboxed session", NULL);
|
||||
zathura_free(zathura);
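Review bot: The assignment `zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;` dereferences `zathura` before the `fail_unless(zathura != NULL, ...)` line that follows it, so a failed `zathura_create()` would crash the test rather than report the failure. Moving the `fail_unless(zathura != NULL, ...)` line directly under `zathura_create()` and above the assignment makes the check effective. Because the test now runs under the same filter as a real strict session, a short comment such as `/* runs under the production strict seccomp filter */` above the assignment would record that intent. The end of the test body lies outside the hunk.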
|
||||
|
|
|
@ -117,7 +117,7 @@ out:
|
|||
}
|
||||
|
||||
int
|
||||
seccomp_enable_strict_filter(bool test)
|
||||
seccomp_enable_strict_filter(void)
|
||||
{
|
||||
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||
|
@ -224,11 +224,10 @@ seccomp_enable_strict_filter(bool test)
|
|||
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
|
||||
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
|
||||
|
||||
/* check test flag, allow additional syscalls for test mode */
|
||||
if (test) {
|
||||
ALLOW_RULE(timer_create);
|
||||
ALLOW_RULE(timer_delete);
|
||||
}
|
||||
/* required for testing only */
|
||||
ALLOW_RULE(timer_create);
|
||||
ALLOW_RULE(timer_delete);
|
||||
|
||||
|
||||
/* Special requirements for ioctl, allowed on stdout/stderr */
|
||||
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));
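Review bot: `ALLOW_RULE(timer_create);` and `ALLOW_RULE(timer_delete);` are now added to the strict filter for every session, although the new comment still reads `/* required for testing only */`. With the `test` parameter gone, this block allows two syscalls in the production sandbox that it previously allowed only in test mode, so the allow-list grows for the benefit of the test suite rather than the viewer. It would be better to keep these calls out of the production filter, for example by configuring the test harness so it does not need them; they presumably come from the test framework's timeout handling, which should be confirmed. If they stay, the comment should say so plainly, e.g. `/* not needed by zathura itself; allowed so the test suite can run under the real filter */`. The rule list of `seccomp_enable_strict_filter` continues beyond the end of this hunk.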
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
#ifndef ZATHURA_SECCOMP_FILTERS_H
|
||||
#define ZATHURA_SECCOMP_FILTERS_H
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
/* basic filter */
|
||||
/* this mode allows normal use */
|
||||
/* only dangerous syscalls are blacklisted */
|
||||
|
@ -12,6 +10,6 @@ int seccomp_enable_basic_filter(void);
|
|||
|
||||
/* strict filter before document parsing */
|
||||
/* this filter is to be enabled after most of the initialisation of zathura has finished */
|
||||
int seccomp_enable_strict_filter(bool test);
|
||||
int seccomp_enable_strict_filter(void);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -448,22 +448,13 @@ zathura_init(zathura_t* zathura)
|
|||
break;
|
||||
case ZATHURA_SANDBOX_STRICT:
|
||||
girara_debug("Strict sandbox preventing write and network access.");
|
||||
if (seccomp_enable_strict_filter(false) != 0) {
|
||||
if (seccomp_enable_strict_filter() != 0) {
|
||||
girara_error("Failed to initialize strict seccomp filter.");
|
||||
goto error_free;
|
||||
}
|
||||
/* unset the input method to avoid communication with external services */
|
||||
unsetenv("GTK_IM_MODULE");
|
||||
break;
|
||||
case ZATHURA_SANDBOX_TEST:
|
||||
girara_debug("Strict sandbox preventing write and network access, testmode.");
|
||||
if (seccomp_enable_strict_filter(true) != 0) {
|
||||
girara_error("Failed to initialize test seccomp filter.");
|
||||
goto error_free;
|
||||
}
|
||||
/* unset the input method to avoid communication with external services */
|
||||
unsetenv("GTK_IM_MODULE");
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
|
|
@ -86,7 +86,6 @@ typedef enum {
|
|||
ZATHURA_SANDBOX_NONE,
|
||||
ZATHURA_SANDBOX_NORMAL,
|
||||
ZATHURA_SANDBOX_STRICT,
|
||||
ZATHURA_SANDBOX_TEST
|
||||
} zathura_sandbox_t;
|
||||
|
||||
/* forward declaration for types from database.h */
|
||||
|
|