mirrors/zathura
1
0
Fork 0
mirror of https://git.pwmt.org/pwmt/zathura.git synced 2024-11-13 06:33:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow restricted socket syscall for X11 support

Browse Source
This commit is contained in:
valoq 2022-04-13 10:22:59 +02:00
parent 99c831ab82
commit b25637a8be
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
zathura/seccomp-filters.c
View File

@ -224,23 +224,21 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(statx);
ALLOW_RULE(statfs);
ALLOW_RULE(sysinfo);
ALLOW_RULE(umask); /* required by X11 */
ALLOW_RULE(uname);
ALLOW_RULE(unlink);
ALLOW_RULE(write);
ALLOW_RULE(writev);
ALLOW_RULE(wait4);
/* required by some X11 setups */
/* X11 no longer supported in strict sandbox mode */
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), umask, 0); */
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), socket, 0); */
/* required for testing only */
ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete);
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
/* filter clone arguments */
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
@ -255,7 +253,6 @@ seccomp_enable_strict_filter(void)
CLONE_CHILD_CLEARTID));
/* fcntl filter - not yet working */
/*ADD_RULE("allow", SCMP_ACT_ALLOW, fcntl, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
F_GETFL | \
@ -303,6 +300,7 @@ seccomp_enable_strict_filter(void)
*
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
*
* TODO: check requirement of pipe/pipe2 syscalls when dbus is disabled
*/