From 076cec96b508ff2c0abda7e825d68691d1c534d8 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 8 May 2022 13:43:56 +0200
Subject: [PATCH 1/2] sandbox improvements
---
 zathura/seccomp-filters.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 6ac2a0e..503e807 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -227,7 +227,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 ALLOW_RULE(statx);
 ALLOW_RULE(statfs);
 ALLOW_RULE(sysinfo);
- ALLOW_RULE(umask); /* required by X11 */
+ /* ALLOW_RULE(umask); allowed for X11 only below */
 ALLOW_RULE(uname);
 ALLOW_RULE(unlink);
 ALLOW_RULE(write);
@@ -253,6 +253,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 ALLOW_RULE(mkdir);
 ALLOW_RULE(setsockopt);
 ALLOW_RULE(connect);
+ ALLOW_RULE(umask);
 }
 else {
 girara_debug("On Wayland, blocking X11 syscalls");
@@ -315,8 +316,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
 * mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init)
 * wait4: required to attempt opening links (which is then blocked)
 *
- * X11 environments require umask and socket syscalls after sandbox setup
- * no longer supported since X11 cannot be easily secured anyway
 *
 * TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
 *
From 47c67b53bdd3ace137fb430526fdc9c6bd634c0f Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 8 May 2022 14:29:06 +0200
Subject: [PATCH 2/2] update documentation
---
 doc/man/zathurarc.5.rst | 3 +++
 zathura/seccomp-filters.c | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/doc/man/zathurarc.5.rst b/doc/man/zathurarc.5.rst
index 1ee368f..3d7f84a 100644
--- a/doc/man/zathurarc.5.rst
+++ b/doc/man/zathurarc.5.rst
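Review bot: The replacement line `/* ALLOW_RULE(umask); allowed for X11 only below */` in the first hunk is commented-out code rather than a comment, and a grep of the allow-list will keep turning up an `ALLOW_RULE(umask)` that is not actually applied. Since umask is now allowed only in the X11 branch, a plain note says the same thing without the dead code: `/* umask: not allowed here, only in the X11 branch below */`. Dropping umask from the common allow-set is a correct tightening for the Wayland path. The enclosing function seccomp_enable_strict_filter starts and ends outside the hunk.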
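Review bot: The new `ALLOW_RULE(umask);` in the X11 branch of the second hunk carries no rationale, and the only explanations of why X11 needs it — the `/* required by X11 */` trailer and the "X11 environments require umask and socket syscalls after sandbox setup" note in the trailing comment — are both deleted elsewhere in this patch, so a reader of the allow-list no longer learns why umask is whitelisted here. Suggest `ALLOW_RULE(umask); /* required by X11 after sandbox setup */`. umask only changes the calling process's file-creation mask, so allowing it on this path looks low-risk compared with the unrestricted `connect` and `setsockopt` directly above it, which this change does not touch. The branch's opening condition is outside the hunk.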
@@ -967,6 +967,9 @@ zathura
 * printing
 * bookmarks and history
+ The strict sandbox mode is still experimental with some libc implementations.
+ Currently supported and tested libc implementations: glibc
+ No feature regressions are expected when using normal sandbox mode.
 When running under WSL, the default is "none" since seccomp is not supported in
diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c
index 503e807..1f2b173 100644
--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -106,13 +106,16 @@ seccomp_enable_basic_filter(void)
 DENY_RULE(uselib);
 DENY_RULE(vmsplice);
- /*TODO
+ /*
 *
 * In case this basic filter is actually triggered, print a clear error message to report this
 * The syscalls here should never be executed by an unprivileged process
 *
 * */
+ girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
 Errors reporting 'bad system call' may be an indicator of compromise");
+ /* applying filter... */
 if (seccomp_load(ctx) >= 0) {
 /* free ctx after the filter has been loaded into the kernel */
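Review bot: The new `girara_debug(...)` runs once while the basic filter is being built, so it does not do what the comment directly above it asks for — reporting when the filter is actually triggered — yet the hunk also drops the `TODO` from that comment as if the item were done. A debug-level message at setup is only seen with verbose logging, and if the deny action kills the process (the `DENY_RULE` macro is outside the hunk) nothing can be printed at violation time; reporting at that point would need a SIGSYS handler with SCMP_ACT_TRAP or the kernel's log action, so either keep the TODO or reword the comment to say the message is emitted at setup. Separately, the message is split with a backslash continuation inside the string literal, which makes any indentation of the `Errors reporting ...` line part of the logged text; adjacent literals avoid that: `girara_debug("Using a basic seccomp filter to blacklist privileged system calls! "` / `"Errors reporting 'bad system call' may be an indicator of compromise");`. seccomp_enable_basic_filter starts and ends outside the hunk.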