From 193bfd3081276984ba6bc8f58b80b16149cf5040 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 6 Jan 2023 23:58:56 +0100 Subject: [PATCH 1/2] improve seccomp filter --- zathura/seccomp-filters.c | 88 ++++++++++++++++++++++----------------- 1 file changed, 49 insertions(+), 39 deletions(-) diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c index 56b42b0..e2e8d0d 100644 --- a/zathura/seccomp-filters.c +++ b/zathura/seccomp-filters.c @@ -59,7 +59,7 @@ seccomp_enable_basic_filter(void) DENY_RULE(acct); DENY_RULE(add_key); DENY_RULE(adjtimex); - DENY_RULE(chroot); + /* DENY_RULE(chroot); used by firefox */ DENY_RULE(clock_adjtime); DENY_RULE(create_module); DENY_RULE(delete_module); @@ -86,6 +86,9 @@ seccomp_enable_basic_filter(void) DENY_RULE(migrate_pages); DENY_RULE(modify_ldt); DENY_RULE(mount); +#ifdef __NR_mount_setattr + DENY_RULE(mount_setattr); +#endif DENY_RULE(move_pages); DENY_RULE(name_to_handle_at); DENY_RULE(open_by_handle_at); @@ -103,6 +106,7 @@ seccomp_enable_basic_filter(void) DENY_RULE(sysfs); DENY_RULE(syslog); DENY_RULE(tuxcall); + DENY_RULE(umount); DENY_RULE(umount2); DENY_RULE(uselib); DENY_RULE(vmsplice); @@ -160,36 +164,36 @@ seccomp_enable_strict_filter(zathura_t* zathura) ALLOW_RULE(brk); /* ALLOW_RULE(clock_getres); unused? */ /* ALLOW_RULE(clone); specified below, clone3 see comment below */ - ALLOW_RULE(clock_gettime); + ALLOW_RULE(clock_gettime); /* used when vDSO function is unavailable */ ALLOW_RULE(close); + ALLOW_RULE(epoll_create1); + ALLOW_RULE(epoll_ctl); ALLOW_RULE(eventfd2); ALLOW_RULE(exit); ALLOW_RULE(exit_group); /* ALLOW_RULE(epoll_create); outdated, to be removed */ - ALLOW_RULE(epoll_create1); - ALLOW_RULE(epoll_ctl); - ALLOW_RULE(fadvise64); + /* ALLOW_RULE(fadvise64); */ ALLOW_RULE(fallocate); ALLOW_RULE(fcntl); /* TODO: build detailed filter */ ALLOW_RULE(fstat); /* used by older libc, stat (below), lstat(below), fstatat, newfstatat(below) */ ALLOW_RULE(fstatfs); /* statfs (below) */ ALLOW_RULE(ftruncate); ALLOW_RULE(futex); - /* ALLOW_RULE(getdents); unused? */ + /* ALLOW_RULE(getdents); 32 bit only */ ALLOW_RULE(getdents64); ALLOW_RULE(getegid); ALLOW_RULE(geteuid); ALLOW_RULE(getgid); - ALLOW_RULE(getuid); ALLOW_RULE(getpid); ALLOW_RULE(getppid); /* required inside containers */ ALLOW_RULE(gettid); - ALLOW_RULE(gettimeofday); - ALLOW_RULE(getrandom); - ALLOW_RULE(getresgid); - ALLOW_RULE(getresuid); + ALLOW_RULE(gettimeofday); /* used when vDSO function is unavailable */ + ALLOW_RULE(getuid); + ALLOW_RULE(getrandom); /* occasionally required */ + /* ALLOW_RULE(getresgid); */ + /* ALLOW_RULE(getresuid); */ /* ALLOW_RULE(getrlimit); unused? */ - ALLOW_RULE(getpeername); + /* ALLOW_RULE(getpeername); not required if database is initializes properly */ ALLOW_RULE(inotify_add_watch); /* required by filemonitor feature */ ALLOW_RULE(inotify_init1); /* used by filemonitor, inotify_init (glib<2.9) */ ALLOW_RULE(inotify_rm_watch); /* used by filemonitor */ @@ -200,40 +204,42 @@ seccomp_enable_strict_filter(zathura_t* zathura) ALLOW_RULE(memfd_create); ALLOW_RULE(mmap); ALLOW_RULE(mprotect); - ALLOW_RULE(mremap); + /* ALLOW_RULE(mremap); */ ALLOW_RULE(munmap); ALLOW_RULE(newfstatat); /* ALLOW_RULE (open); specified below */ /* ALLOW_RULE (openat); specified below */ /* ALLOW_RULE(pipe); unused? */ - ALLOW_RULE(pipe2); + ALLOW_RULE(pipe2); /* used by dbus only - remove this after dbus isolation is fixed */ ALLOW_RULE(poll); - ALLOW_RULE(pwrite64); /* equals pwrite */ - ALLOW_RULE(pread64); /* equals pread */ /* ALLOW_RULE (prctl); specified below */ + ALLOW_RULE(pread64); /* equals pread */ + /* ALLOW_RULE(pwrite64); equals pwrite */ ALLOW_RULE(read); ALLOW_RULE(readlink); /* readlinkat */ - ALLOW_RULE(recvfrom); + /* ALLOW_RULE(recvfrom); */ ALLOW_RULE(recvmsg); - /* ALLOW_RULE(restart_syscall); unused? */ + /* ALLOW_RULE(restart_syscall); used by the kernel only */ ALLOW_RULE(rseq); ALLOW_RULE(rt_sigaction); ALLOW_RULE(rt_sigprocmask); - ALLOW_RULE(sched_setattr); - ALLOW_RULE(sched_getattr); - ALLOW_RULE(sendmsg); /* ipc, investigate */ - ALLOW_RULE(sendto); /* ipc, investigate */ - ALLOW_RULE(select); /* pselect (equals pselect6), unused? */ + ALLOW_RULE(rt_sigreturn); + /* ALLOW_RULE(sched_setattr); */ + /* ALLOW_RULE(sched_getattr); */ + ALLOW_RULE(sendmsg); /* ipc, used by wayland socket */ + /* ALLOW_RULE(sendto); ipc, investigate */ + /* ALLOW_RULE(select); pselect (equals pselect6) */ ALLOW_RULE(set_robust_list); /* ALLOW_RULE(shmat); X11 only */ /* ALLOW_RULE(shmctl); X11 only */ /* ALLOW_RULE(shmdt); X11 only */ /* ALLOW_RULE(shmget); X11 only */ - ALLOW_RULE(shutdown); - ALLOW_RULE(stat); /* used by older libc */ + /* ALLOW_RULE(shutdown); */ + ALLOW_RULE(stat); /* used by older libc - Debian 11 */ ALLOW_RULE(statx); ALLOW_RULE(statfs); /* used by filemonitor, fstatfs above */ - ALLOW_RULE(sysinfo); + /* ALLOW_RULE(sysinfo); !!! */ + /* ALLOW_RULE(tgkill); investigate - used when zathura is quickly restarted and dbus socket is closed */ /* ALLOW_RULE(umask); X11 only */ /* ALLOW_RULE(uname); X11 only */ /* ALLOW_RULE(unlink); unused?, unlinkat */ @@ -245,25 +251,14 @@ seccomp_enable_strict_filter(zathura_t* zathura) ALLOW_RULE(timer_create); ALLOW_RULE(timer_delete); - /* Gracefully fail syscalls that may be used by dependencies in the future - These rules will still block the syscalls but since there usually is fallback code - for new syscalls, it will not shut down zathura and give us more time to - analyse the newly required syscall before potentionally allowing it. - */ - - ERRNO_RULE(openat2); - ERRNO_RULE(faccessat2); - ERRNO_RULE(pwritev2); -#ifdef __NR_readfile - ERRNO_RULE(readfile); -#endif - /* Permit X11 specific syscalls */ #ifdef GDK_WINDOWING_X11 GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view); if (GDK_IS_X11_DISPLAY (display)) { girara_debug("On X11, supporting X11 syscalls"); + girara_warning("Running strict sandbox mode on X11 provides only \ + incomplete process isolation."); /* permit the socket syscall for local UNIX domain sockets (required by X11) */ ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)); @@ -286,6 +281,8 @@ seccomp_enable_strict_filter(zathura_t* zathura) } #endif + /* block unsuccessful ipc attempt */ + ERRNO_RULE(getpeername); /* filter clone arguments */ ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \ @@ -333,6 +330,19 @@ seccomp_enable_strict_filter(zathura_t* zathura) ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); + /* Gracefully fail syscalls that may be used by dependencies in the future + These rules will still block the syscalls but since there usually is fallback code + for new syscalls, it will not shut down zathura and give us more time to + analyse the newly required syscall before potentionally allowing it. + */ + + ERRNO_RULE(openat2); + ERRNO_RULE(faccessat2); + ERRNO_RULE(pwritev2); +#ifdef __NR_readfile + ERRNO_RULE(readfile); +#endif + /* Sandbox Status Notes: From 0fb627916b8db5ed241ffd18951dca9e99cdec62 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 20 Jan 2023 12:30:22 +0100 Subject: [PATCH 2/2] move syscall to X11 only --- zathura/seccomp-filters.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/zathura/seccomp-filters.c b/zathura/seccomp-filters.c index e2e8d0d..0451347 100644 --- a/zathura/seccomp-filters.c +++ b/zathura/seccomp-filters.c @@ -217,7 +217,7 @@ seccomp_enable_strict_filter(zathura_t* zathura) /* ALLOW_RULE(pwrite64); equals pwrite */ ALLOW_RULE(read); ALLOW_RULE(readlink); /* readlinkat */ - /* ALLOW_RULE(recvfrom); */ + /* ALLOW_RULE(recvfrom); X11 only */ ALLOW_RULE(recvmsg); /* ALLOW_RULE(restart_syscall); used by the kernel only */ ALLOW_RULE(rseq); @@ -274,6 +274,7 @@ seccomp_enable_strict_filter(zathura_t* zathura) ALLOW_RULE(shmctl); ALLOW_RULE(shmdt); ALLOW_RULE(shmget); + ALLOW_RULE(recvfrom); ALLOW_RULE(writev); /* pwritev, pwritev2 */ } else {