Permit some syscalls on X11 only

This commit is contained in:
valoq 2022-04-17 18:28:34 +02:00
parent b25637a8be
commit de0d881f9c
3 changed files with 27 additions and 5 deletions


@ -13,6 +13,9 @@
#include <girara/utils.h> #include <girara/utils.h>
#include <linux/sched.h> /* for clone filter */ #include <linux/sched.h> /* for clone filter */
#ifdef GDK_WINDOWING_X11
#include <gtk/gtkx.h>
#endif
#define ADD_RULE(str_action, action, call, ...) \ #define ADD_RULE(str_action, action, call, ...) \
@ -124,7 +127,7 @@ out:
} }
int int
seccomp_enable_strict_filter(void) seccomp_enable_strict_filter(zathura_t* zathura)
{ {
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */ /* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@ -235,9 +238,26 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(timer_create); ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete); ALLOW_RULE(timer_delete);
/* Permit X11 specific syscalls */
#ifdef GDK_WINDOWING_X11
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
if (GDK_IS_X11_DISPLAY (display)) {
/* permit the socket syscall for local UNIX domain sockets (required by X11) */ girara_debug("On X11, supporting X11 syscalls");
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
ALLOW_RULE(mkdir);
ALLOW_RULE(setsockopt);
ALLOW_RULE(connect);
}
else {
girara_debug("On Wayland, blocking X11 syscalls");
}
#endif
/* filter clone arguments */ /* filter clone arguments */
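Review bot: `ALLOW_RULE(mkdir)` inside the `GDK_IS_X11_DISPLAY` branch admits a filesystem-write syscall into a filter whose call site describes it as "preventing write and network access", and unlike the socket rule it is neither X11-specific by nature nor narrowed by an argument comparison. If a GTK/X11 code path genuinely needs it, a comment naming that path would let a later reviewer decide whether it can be dropped, e.g. `/* mkdir: needed by <TODO: name the GTK/X11 path that creates a directory>; note this widens the no-write guarantee */`. `ALLOW_RULE(connect)` and `ALLOW_RULE(setsockopt)` are likewise unconditioned; the AF_UNIX check on socket() only limits creation of new sockets, so connect() on any socket descriptor that is already open stays permitted, which is probably acceptable here but worth stating next to the "permit the socket syscall" comment. The else branch's `girara_debug("On Wayland, blocking X11 syscalls")` presumes every non-X11 GDK backend is Wayland; `girara_debug("Not on X11, blocking X11 syscalls");` would be accurate for any backend. seccomp_enable_strict_filter continues outside the hunk.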


@ -3,6 +3,8 @@
#ifndef ZATHURA_SECCOMP_FILTERS_H #ifndef ZATHURA_SECCOMP_FILTERS_H
#define ZATHURA_SECCOMP_FILTERS_H #define ZATHURA_SECCOMP_FILTERS_H
#include "zathura.h"
/* basic filter */ /* basic filter */
/* this mode allows normal use */ /* this mode allows normal use */
/* only dangerous syscalls are blacklisted */ /* only dangerous syscalls are blacklisted */
@ -10,6 +12,6 @@ int seccomp_enable_basic_filter(void);
/* strict filter before document parsing */ /* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */ /* this filter is to be enabled after most of the initialisation of zathura has finished */
int seccomp_enable_strict_filter(void); int seccomp_enable_strict_filter(zathura_t* zathura);
#endif #endif
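Review bot: Including "zathura.h" from this header solely to spell `zathura_t` in the `seccomp_enable_strict_filter` prototype pulls the whole application header into every file that includes the seccomp filters; if the project already provides the `zathura_t` typedef in a lighter header, including that one (or a forward declaration) would keep this header self-contained without the extra dependency. The comment above the prototype could also say what the new parameter is for, since nothing in the header explains it, e.g. `/* zathura: used to query the GDK display backend so X11-only syscalls are permitted only under X11 */`.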


@ -451,7 +451,7 @@ zathura_init(zathura_t* zathura)
break; break;
case ZATHURA_SANDBOX_STRICT: case ZATHURA_SANDBOX_STRICT:
girara_debug("Strict sandbox preventing write and network access."); girara_debug("Strict sandbox preventing write and network access.");
if (seccomp_enable_strict_filter() != 0) { if (seccomp_enable_strict_filter(zathura) != 0) {
girara_error("Failed to initialize strict seccomp filter."); girara_error("Failed to initialize strict seccomp filter.");
goto error_free; goto error_free;
} }