mirrors/zathura
1
0
Fork 0
mirror of https://git.pwmt.org/pwmt/zathura.git synced 2024-12-27 13:16:02 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into 'develop'

Browse source 
Minor improvements

See merge request pwmt/zathura!54
This commit is contained in:
Sebastian Ramacher 2022-05-08 15:15:06 +02:00
commit f5e0f2401e
2 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/man/zathurarc.5.rst
View file

@ -967,6 +967,9 @@ zathura
* printing
* bookmarks and history
The strict sandbox mode is still experimental with some libc implementations.
Currently supported and tested libc implementations: glibc
No feature regressions are expected when using normal sandbox mode.
When running under WSL, the default is "none" since seccomp is not supported in

10
zathura/seccomp-filters.c
View file

@ -106,13 +106,16 @@ seccomp_enable_basic_filter(void)
DENY_RULE(uselib);
DENY_RULE(vmsplice);
/*TODO
/*
*
* In case this basic filter is actually triggered, print a clear error message to report this
* The syscalls here should never be executed by an unprivileged process
*
* */
girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
Errors reporting 'bad system call' may be an indicator of compromise");
/* applying filter... */
if (seccomp_load(ctx) >= 0) {
/* free ctx after the filter has been loaded into the kernel */
@ -227,7 +230,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(statx);
ALLOW_RULE(statfs);
ALLOW_RULE(sysinfo);
ALLOW_RULE(umask); /* required by X11 */
/* ALLOW_RULE(umask); allowed for X11 only below */
ALLOW_RULE(uname);
ALLOW_RULE(unlink);
ALLOW_RULE(write);
@ -253,6 +256,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(mkdir);
ALLOW_RULE(setsockopt);
ALLOW_RULE(connect);
ALLOW_RULE(umask);
}
else {
girara_debug("On Wayland, blocking X11 syscalls");
@ -315,8 +319,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
* mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init)
* wait4: required to attempt opening links (which is then blocked)
*
* X11 environments require umask and socket syscalls after sandbox setup
* no longer supported since X11 cannot be easily secured anyway
*
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
*