diff --git a/doc/man/zathurarc.5.rst b/doc/man/zathurarc.5.rst
index 1ee368f..3d7f84a 100644
--- a/doc/man/zathurarc.5.rst
+++ b/doc/man/zathurarc.5.rst
@@ -967,6 +967,9 @@ zathura
 * printing
 * bookmarks and history
+ The strict sandbox mode is still experimental with some libc implementations.
+ Currently supported and tested libc implementations: glibc
+ No feature regressions are expected when using normal sandbox mode.
 When running under WSL, the default is "none" since seccomp is not supported in
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 6ac2a0e..1f2b173 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -106,13 +106,16 @@ seccomp_enable_basic_filter(void)
 DENY_RULE(uselib);
 DENY_RULE(vmsplice);
- /*TODO
+ /*
 *
 * In case this basic filter is actually triggered, print a clear error message to report this
 * The syscalls here should never be executed by an unprivileged process
 *
 * */
+ girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
+ Errors reporting 'bad system call' may be an indicator of compromise");
+
 /* applying filter... */
 if (seccomp_load(ctx) >= 0) {
 /* free ctx after the filter has been loaded into the kernel */
@@ -227,7 +230,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 ALLOW_RULE(statx);
 ALLOW_RULE(statfs);
 ALLOW_RULE(sysinfo);
- ALLOW_RULE(umask); /* required by X11 */
+ /* ALLOW_RULE(umask); allowed for X11 only below */
 ALLOW_RULE(uname);
 ALLOW_RULE(unlink);
 ALLOW_RULE(write);
@@ -253,6 +256,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 ALLOW_RULE(mkdir);
 ALLOW_RULE(setsockopt);
 ALLOW_RULE(connect);
+ ALLOW_RULE(umask);
 } else {
 girara_debug("On Wayland, blocking X11 syscalls");
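Review bot: The backslash-newline inside the new `girara_debug` string literal in the `@@ -106,13 +106,16 @@` hunk splices the following source line's leading indentation into the message, so the logged text carries a run of spaces between `calls!` and `Errors`; adjacent literals avoid that: `girara_debug("Using a basic seccomp filter to blacklist privileged system calls! "` / `"Errors reporting 'bad system call' may be an indicator of compromise");`. The comment just above still says a clear error message is printed "in case this basic filter is actually triggered", but the call runs unconditionally when the filter is installed and at debug level, so a user who later hits a bad-system-call failure sees nothing unless debug logging was already on; reword the comment to match, e.g. `/* Log at setup time what a later 'bad system call' failure would indicate */`, or keep the TODO. seccomp_enable_basic_filter continues on both sides of the hunk.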
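Review bot: Moving `ALLOW_RULE(umask)` out of the common list (this `@@ -227,7 +230,7 @@` hunk) and into what appears to be the X11-only branch (the `@@ -253,6 +256,7 @@` hunk, whose `} else {` logs "On Wayland") means the strict filter now denies umask(2) on Wayland; if the filter's default action terminates the process, any umask issued by a library helper during file or directory creation would be fatal on Wayland only, so this deserves a Wayland run with the strict mode before merging. The commented-out call reads as dead code; a plain note is clearer: `/* umask: allowed only in the X11 branch below */`. The later `@@ -315,8 +319,6 @@` hunk removes the rationale comment for X11 umask without adding a replacement, so the syscall rationale list no longer explains this branch; adding `* umask: allowed in X11 sessions only` there keeps it complete. The seccomp_enable_strict_filter body continues outside both hunks.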
@@ -315,8 +319,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 * mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init)
 * wait4: required to attempt opening links (which is then blocked)
 *
- * X11 environments require umask and socket syscalls after sandbox setup
- * no longer supported since X11 cannot be easily secured anyway
 *
 * TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
 *