mirror of
https://git.pwmt.org/pwmt/zathura.git
synced 2024-12-27 15:06:00 +01:00
Allow restricted socket syscall for X11 support
This commit is contained in:
parent
99c831ab82
commit
b25637a8be
1 changed files with 6 additions and 8 deletions
|
@ -224,24 +224,22 @@ seccomp_enable_strict_filter(void)
|
||||||
ALLOW_RULE(statx);
|
ALLOW_RULE(statx);
|
||||||
ALLOW_RULE(statfs);
|
ALLOW_RULE(statfs);
|
||||||
ALLOW_RULE(sysinfo);
|
ALLOW_RULE(sysinfo);
|
||||||
|
ALLOW_RULE(umask); /* required by X11 */
|
||||||
ALLOW_RULE(uname);
|
ALLOW_RULE(uname);
|
||||||
ALLOW_RULE(unlink);
|
ALLOW_RULE(unlink);
|
||||||
ALLOW_RULE(write);
|
ALLOW_RULE(write);
|
||||||
ALLOW_RULE(writev);
|
ALLOW_RULE(writev);
|
||||||
ALLOW_RULE(wait4);
|
ALLOW_RULE(wait4);
|
||||||
|
|
||||||
|
|
||||||
/* required by some X11 setups */
|
|
||||||
/* X11 no longer supported in strict sandbox mode */
|
|
||||||
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), umask, 0); */
|
|
||||||
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), socket, 0); */
|
|
||||||
|
|
||||||
|
|
||||||
/* required for testing only */
|
/* required for testing only */
|
||||||
ALLOW_RULE(timer_create);
|
ALLOW_RULE(timer_create);
|
||||||
ALLOW_RULE(timer_delete);
|
ALLOW_RULE(timer_delete);
|
||||||
|
|
||||||
|
|
||||||
|
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
|
||||||
|
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
|
||||||
|
|
||||||
|
|
||||||
/* filter clone arguments */
|
/* filter clone arguments */
|
||||||
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
||||||
CLONE_VM | \
|
CLONE_VM | \
|
||||||
|
@ -255,7 +253,6 @@ seccomp_enable_strict_filter(void)
|
||||||
CLONE_CHILD_CLEARTID));
|
CLONE_CHILD_CLEARTID));
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* fcntl filter - not yet working */
|
/* fcntl filter - not yet working */
|
||||||
/*ADD_RULE("allow", SCMP_ACT_ALLOW, fcntl, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
/*ADD_RULE("allow", SCMP_ACT_ALLOW, fcntl, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
|
||||||
F_GETFL | \
|
F_GETFL | \
|
||||||
|
@ -303,6 +300,7 @@ seccomp_enable_strict_filter(void)
|
||||||
*
|
*
|
||||||
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
|
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
|
||||||
*
|
*
|
||||||
|
* TODO: check requirement of pipe/pipe2 syscalls when dbus is disabled
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue