From 9f602c2e5706c15da49d0691c3bc84c3e5ca6e48 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 10 Mar 2024 18:41:04 +0100
Subject: [PATCH] remove normal sandbox mode

---
 zathura/config.c | 2 -
 zathura/seccomp-filters.c | 100 --------------------------------------
 zathura/seccomp-filters.h | 5 --
 zathura/zathura.c | 9 +---
 zathura/zathura.h | 1 -
 5 files changed, 1 insertion(+), 116 deletions(-)

diff --git a/zathura/config.c b/zathura/config.c
index 8e645ae..545bc44 100644
--- a/zathura/config.c
+++ b/zathura/config.c
@@ -159,8 +159,6 @@ cb_sandbox_changed(girara_session_t* session, const char* name,
 const char* sandbox = value;
 if (g_strcmp0(sandbox, "none") == 0) {
 zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
- } else if (g_strcmp0(sandbox, "normal") == 0) {
- zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL;
 } else if (g_strcmp0(sandbox, "strict") == 0) {
 zathura->global.sandbox = ZATHURA_SANDBOX_STRICT;
 } else {
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index fa88450..c3645eb 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
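Review bot: With the `normal` branch removed, a zathurarc that still says `set sandbox normal` now falls through to the final `else`, whose body lies outside the hunk, so whether the user gets a clear message is not visible here. Since `normal` was the previous default and presumably appears in existing configs, I would keep a dedicated branch that names the removal rather than reporting it as an unknown value, e.g. `} else if (g_strcmp0(sandbox, "normal") == 0) {` followed by `girara_error("sandbox mode 'normal' has been removed; use 'none' or 'strict'");`. What zathura->global.sandbox holds after a rejected value is also decided outside this hunk; cb_sandbox_changed begins and ends outside it.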
@@ -33,106 +33,6 @@
 #define ALLOW_RULE(call) ADD_RULE("allow", SCMP_ACT_ALLOW, call, 0)
 #define ERRNO_RULE(call) ADD_RULE("errno", SCMP_ACT_ERRNO(ENOSYS), call, 0)
 
-int
-seccomp_enable_basic_filter(void)
-{
- /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- girara_error("prctl SET_NO_NEW_PRIVS");
- return -1;
- }
-
- /* prevent escape via ptrace */
- if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
- girara_error("prctl PR_SET_DUMPABLE");
- return -1;
- }
-
- /* initialize the filter */
- scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
- if (ctx == NULL) {
- girara_error("seccomp_init failed");
- return -1;
- }
-
- DENY_RULE(_sysctl);
- DENY_RULE(acct);
- DENY_RULE(add_key);
- DENY_RULE(adjtimex);
- /* DENY_RULE(chroot); used by firefox */
- DENY_RULE(clock_adjtime);
- DENY_RULE(create_module);
- DENY_RULE(delete_module);
- DENY_RULE(fanotify_init);
- DENY_RULE(finit_module);
- DENY_RULE(get_kernel_syms);
- DENY_RULE(get_mempolicy);
- DENY_RULE(init_module);
- DENY_RULE(io_cancel);
- DENY_RULE(io_destroy);
- DENY_RULE(io_getevents);
- DENY_RULE(io_setup);
- DENY_RULE(io_submit);
- DENY_RULE(ioperm);
- DENY_RULE(iopl);
- DENY_RULE(ioprio_set);
- DENY_RULE(kcmp);
- DENY_RULE(kexec_file_load);
- DENY_RULE(kexec_load);
- DENY_RULE(keyctl);
- DENY_RULE(lookup_dcookie);
- DENY_RULE(mbind);
- DENY_RULE(nfsservctl);
- DENY_RULE(migrate_pages);
- DENY_RULE(modify_ldt);
- DENY_RULE(mount);
-#if defined(__NR_mount_setattr) && defined(__SNR_mount_setattr)
- DENY_RULE(mount_setattr);
-#endif
- DENY_RULE(move_pages);
- DENY_RULE(name_to_handle_at);
- DENY_RULE(open_by_handle_at);
- DENY_RULE(perf_event_open);
- DENY_RULE(pivot_root);
- DENY_RULE(process_vm_readv);
- DENY_RULE(process_vm_writev);
- DENY_RULE(ptrace);
- DENY_RULE(reboot);
- DENY_RULE(remap_file_pages);
- DENY_RULE(request_key);
- DENY_RULE(set_mempolicy);
- DENY_RULE(swapoff);
- DENY_RULE(swapon);
- DENY_RULE(sysfs);
- DENY_RULE(syslog);
- DENY_RULE(tuxcall);
- DENY_RULE(umount);
- DENY_RULE(umount2);
- DENY_RULE(uselib);
-
- /*
- *
- * In case this basic filter is actually triggered, print a clear error message to report this
- * The syscalls here should never be executed by an unprivileged process
- *
- * */
-
- girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
- Errors reporting 'bad system call' may be an indicator of compromise");
-
- /* applying filter... */
- if (seccomp_load(ctx) >= 0) {
- /* free ctx after the filter has been loaded into the kernel */
- seccomp_release(ctx);
- return 0;
- }
-
-out:
- /* something went wrong */
- seccomp_release(ctx);
- return -1;
-}
-
 int
 seccomp_enable_strict_filter(zathura_t* zathura)
 {
diff --git a/zathura/seccomp-filters.h b/zathura/seccomp-filters.h
index b934da5..da51afa 100644
--- a/zathura/seccomp-filters.h
+++ b/zathura/seccomp-filters.h
@@ -5,11 +5,6 @@
 
 #include "zathura.h"
 
-/* basic filter */
-/* this mode allows normal use */
-/* only dangerous syscalls are blacklisted */
-int seccomp_enable_basic_filter(void);
-
 /* strict filter before document parsing */
 /* this filter is to be enabled after most of the initialisation of zathura has finished */
 int seccomp_enable_strict_filter(zathura_t* zathura);
diff --git a/zathura/zathura.c b/zathura/zathura.c
index 905230c..850a7d4 100644
--- a/zathura/zathura.c
+++ b/zathura/zathura.c
@@ -93,7 +93,7 @@ zathura_create(void)
 zathura->global.search_direction = FORWARD;
 zathura->global.synctex_edit_modmask = GDK_CONTROL_MASK;
 zathura->global.highlighter_modmask = GDK_SHIFT_MASK;
- zathura->global.sandbox = ZATHURA_SANDBOX_NORMAL;
+ zathura->global.sandbox = ZATHURA_SANDBOX_NONE;
 zathura->global.double_click_follow = true;
 
 /* plugins */
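Review bot: Changing the default from ZATHURA_SANDBOX_NORMAL to ZATHURA_SANDBOX_NONE silently weakens the posture of every user who never set the `sandbox` option: the basic filter deleted from zathura/seccomp-filters.c in this same patch also applied PR_SET_NO_NEW_PRIVS and PR_SET_DUMPABLE, and none of that now runs unless strict mode is configured. If the intent is that strict mode is the only hardened option, defaulting to ZATHURA_SANDBOX_STRICT, or at least stating the new default and the reasoning in the commit message, would make the trade-off explicit rather than implicit in a one-line subject. A short comment on the assignment, `/* sandboxing is now opt-in; see seccomp_enable_strict_filter() */`, would help the next reader, since zathura_create continues outside the hunk.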
@@ -446,13 +446,6 @@ zathura_init(zathura_t* zathura)
 case ZATHURA_SANDBOX_NONE:
 girara_debug("Sandbox deactivated.");
 break;
- case ZATHURA_SANDBOX_NORMAL:
- girara_debug("Basic sandbox allowing normal operation.");
- if (seccomp_enable_basic_filter() != 0) {
- girara_error("Failed to initialize basic seccomp filter.");
- goto error_free;
- }
- break;
 case ZATHURA_SANDBOX_STRICT:
 girara_debug("Strict sandbox preventing write and network access.");
 if (seccomp_enable_strict_filter(zathura) != 0) {
diff --git a/zathura/zathura.h b/zathura/zathura.h
index f28df54..741820a 100644
--- a/zathura/zathura.h
+++ b/zathura/zathura.h
@@ -84,7 +84,6 @@ enum {
 
 typedef enum {
 ZATHURA_SANDBOX_NONE,
- ZATHURA_SANDBOX_NORMAL,
 ZATHURA_SANDBOX_STRICT
 } zathura_sandbox_t;
 