simplify sandbox test

This commit is contained in:
valoq 2020-06-01 19:32:21 +02:00
parent 5547374334
commit aa2bc80f51
Failed to generate hash of commit
5 changed files with 8 additions and 21 deletions

View file

@ -7,7 +7,7 @@
START_TEST(test_create) { START_TEST(test_create) {
zathura_t* zathura = zathura_create(); zathura_t* zathura = zathura_create();
zathura->global.sandbox = ZATHURA_SANDBOX_TEST; zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
fail_unless(zathura != NULL, "Could not create strictly sandboxed session", NULL); fail_unless(zathura != NULL, "Could not create strictly sandboxed session", NULL);
fail_unless(zathura_init(zathura) == true, "Could not initialize strictly sandboxed session", NULL); fail_unless(zathura_init(zathura) == true, "Could not initialize strictly sandboxed session", NULL);
zathura_free(zathura); zathura_free(zathura);

View file

@ -117,7 +117,7 @@ out:
} }
int int
seccomp_enable_strict_filter(bool test) seccomp_enable_strict_filter(void)
{ {
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@ -224,11 +224,10 @@ seccomp_enable_strict_filter(bool test)
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0); ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_setattr, 0);
ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0); ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), sched_getattr, 0);
/* check test flag, allow additional syscalls for test mode */ /* required for testing only */
if (test) { ALLOW_RULE(timer_create);
ALLOW_RULE(timer_create); ALLOW_RULE(timer_delete);
ALLOW_RULE(timer_delete);
}
/* Special requirements for ioctl, allowed on stdout/stderr */ /* Special requirements for ioctl, allowed on stdout/stderr */
ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1)); ADD_RULE("allow", SCMP_ACT_ALLOW, ioctl, 1, SCMP_CMP(0, SCMP_CMP_EQ, 1));

View file

@ -3,8 +3,6 @@
#ifndef ZATHURA_SECCOMP_FILTERS_H #ifndef ZATHURA_SECCOMP_FILTERS_H
#define ZATHURA_SECCOMP_FILTERS_H #define ZATHURA_SECCOMP_FILTERS_H
#include <stdbool.h>
/* basic filter */ /* basic filter */
/* this mode allows normal use */ /* this mode allows normal use */
/* only dangerous syscalls are blacklisted */ /* only dangerous syscalls are blacklisted */
@ -12,6 +10,6 @@ int seccomp_enable_basic_filter(void);
/* strict filter before document parsing */ /* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */ /* this filter is to be enabled after most of the initialisation of zathura has finished */
int seccomp_enable_strict_filter(bool test); int seccomp_enable_strict_filter(void);
#endif #endif

View file

@ -448,22 +448,13 @@ zathura_init(zathura_t* zathura)
break; break;
case ZATHURA_SANDBOX_STRICT: case ZATHURA_SANDBOX_STRICT:
girara_debug("Strict sandbox preventing write and network access."); girara_debug("Strict sandbox preventing write and network access.");
if (seccomp_enable_strict_filter(false) != 0) { if (seccomp_enable_strict_filter() != 0) {
girara_error("Failed to initialize strict seccomp filter."); girara_error("Failed to initialize strict seccomp filter.");
goto error_free; goto error_free;
} }
/* unset the input method to avoid communication with external services */ /* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE"); unsetenv("GTK_IM_MODULE");
break; break;
case ZATHURA_SANDBOX_TEST:
girara_debug("Strict sandbox preventing write and network access, testmode.");
if (seccomp_enable_strict_filter(true) != 0) {
girara_error("Failed to initialize test seccomp filter.");
goto error_free;
}
/* unset the input method to avoid communication with external services */
unsetenv("GTK_IM_MODULE");
break;
} }
#endif #endif

View file

@ -86,7 +86,6 @@ typedef enum {
ZATHURA_SANDBOX_NONE, ZATHURA_SANDBOX_NONE,
ZATHURA_SANDBOX_NORMAL, ZATHURA_SANDBOX_NORMAL,
ZATHURA_SANDBOX_STRICT, ZATHURA_SANDBOX_STRICT,
ZATHURA_SANDBOX_TEST
} zathura_sandbox_t; } zathura_sandbox_t;
/* forward declaration for types from database.h */ /* forward declaration for types from database.h */