mirrors/zathura
1
0
Fork 0
mirror of https://git.pwmt.org/pwmt/zathura.git synced 2024-12-28 06:16:00 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'develop' into 'develop'

Browse source 
improve seccomp filter

See merge request pwmt/zathura!68
This commit is contained in:
Sebastian Ramacher 2023-03-05 18:47:29 +01:00
commit f7d9c39e91
1 changed files with 50 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
zathura/seccomp-filters.c
View file

@ -59,7 +59,7 @@ seccomp_enable_basic_filter(void)
DENY_RULE(acct); DENY_RULE(acct);
DENY_RULE(add_key); DENY_RULE(add_key);
DENY_RULE(adjtimex); DENY_RULE(adjtimex);
DENY_RULE(chroot); /* DENY_RULE(chroot); used by firefox */
DENY_RULE(clock_adjtime); DENY_RULE(clock_adjtime);
DENY_RULE(create_module); DENY_RULE(create_module);
DENY_RULE(delete_module); DENY_RULE(delete_module);
@ -86,6 +86,9 @@ seccomp_enable_basic_filter(void)
DENY_RULE(migrate_pages); DENY_RULE(migrate_pages);
DENY_RULE(modify_ldt); DENY_RULE(modify_ldt);
DENY_RULE(mount); DENY_RULE(mount);
#ifdef __NR_mount_setattr
DENY_RULE(mount_setattr);
#endif
DENY_RULE(move_pages); DENY_RULE(move_pages);
DENY_RULE(name_to_handle_at); DENY_RULE(name_to_handle_at);
DENY_RULE(open_by_handle_at); DENY_RULE(open_by_handle_at);
@ -103,6 +106,7 @@ seccomp_enable_basic_filter(void)
DENY_RULE(sysfs); DENY_RULE(sysfs);
DENY_RULE(syslog); DENY_RULE(syslog);
DENY_RULE(tuxcall); DENY_RULE(tuxcall);
DENY_RULE(umount);
DENY_RULE(umount2); DENY_RULE(umount2);
DENY_RULE(uselib); DENY_RULE(uselib);
DENY_RULE(vmsplice); DENY_RULE(vmsplice);
@ -160,36 +164,36 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(brk); ALLOW_RULE(brk);
/* ALLOW_RULE(clock_getres); unused? */ /* ALLOW_RULE(clock_getres); unused? */
/* ALLOW_RULE(clone); specified below, clone3 see comment below */ /* ALLOW_RULE(clone); specified below, clone3 see comment below */
ALLOW_RULE(clock_gettime); ALLOW_RULE(clock_gettime); /* used when vDSO function is unavailable */
ALLOW_RULE(close); ALLOW_RULE(close);
ALLOW_RULE(epoll_create1);
ALLOW_RULE(epoll_ctl);
ALLOW_RULE(eventfd2); ALLOW_RULE(eventfd2);
ALLOW_RULE(exit); ALLOW_RULE(exit);
ALLOW_RULE(exit_group); ALLOW_RULE(exit_group);
/* ALLOW_RULE(epoll_create); outdated, to be removed */ /* ALLOW_RULE(epoll_create); outdated, to be removed */
ALLOW_RULE(epoll_create1); /* ALLOW_RULE(fadvise64); */
ALLOW_RULE(epoll_ctl);
ALLOW_RULE(fadvise64);
ALLOW_RULE(fallocate); ALLOW_RULE(fallocate);
ALLOW_RULE(fcntl); /* TODO: build detailed filter */ ALLOW_RULE(fcntl); /* TODO: build detailed filter */
ALLOW_RULE(fstat); /* used by older libc, stat (below), lstat(below), fstatat, newfstatat(below) */ ALLOW_RULE(fstat); /* used by older libc, stat (below), lstat(below), fstatat, newfstatat(below) */
ALLOW_RULE(fstatfs); /* statfs (below) */ ALLOW_RULE(fstatfs); /* statfs (below) */
ALLOW_RULE(ftruncate); ALLOW_RULE(ftruncate);
ALLOW_RULE(futex); ALLOW_RULE(futex);
/* ALLOW_RULE(getdents); unused? */ /* ALLOW_RULE(getdents); 32 bit only */
ALLOW_RULE(getdents64); ALLOW_RULE(getdents64);
ALLOW_RULE(getegid); ALLOW_RULE(getegid);
ALLOW_RULE(geteuid); ALLOW_RULE(geteuid);
ALLOW_RULE(getgid); ALLOW_RULE(getgid);
ALLOW_RULE(getuid);
ALLOW_RULE(getpid); ALLOW_RULE(getpid);
ALLOW_RULE(getppid); /* required inside containers */ ALLOW_RULE(getppid); /* required inside containers */
ALLOW_RULE(gettid); ALLOW_RULE(gettid);
ALLOW_RULE(gettimeofday); ALLOW_RULE(gettimeofday); /* used when vDSO function is unavailable */
ALLOW_RULE(getrandom); ALLOW_RULE(getuid);
ALLOW_RULE(getresgid); ALLOW_RULE(getrandom); /* occasionally required */
ALLOW_RULE(getresuid); /* ALLOW_RULE(getresgid); */
/* ALLOW_RULE(getresuid); */
/* ALLOW_RULE(getrlimit); unused? */ /* ALLOW_RULE(getrlimit); unused? */
ALLOW_RULE(getpeername); /* ALLOW_RULE(getpeername); not required if database is initializes properly */
ALLOW_RULE(inotify_add_watch); /* required by filemonitor feature */ ALLOW_RULE(inotify_add_watch); /* required by filemonitor feature */
ALLOW_RULE(inotify_init1); /* used by filemonitor, inotify_init (glib<2.9) */ ALLOW_RULE(inotify_init1); /* used by filemonitor, inotify_init (glib<2.9) */
ALLOW_RULE(inotify_rm_watch); /* used by filemonitor */ ALLOW_RULE(inotify_rm_watch); /* used by filemonitor */
@ -200,40 +204,42 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(memfd_create); ALLOW_RULE(memfd_create);
ALLOW_RULE(mmap); ALLOW_RULE(mmap);
ALLOW_RULE(mprotect); ALLOW_RULE(mprotect);
ALLOW_RULE(mremap); /* ALLOW_RULE(mremap); */
ALLOW_RULE(munmap); ALLOW_RULE(munmap);
ALLOW_RULE(newfstatat); ALLOW_RULE(newfstatat);
/* ALLOW_RULE (open); specified below */ /* ALLOW_RULE (open); specified below */
/* ALLOW_RULE (openat); specified below */ /* ALLOW_RULE (openat); specified below */
/* ALLOW_RULE(pipe); unused? */ /* ALLOW_RULE(pipe); unused? */
ALLOW_RULE(pipe2); ALLOW_RULE(pipe2); /* used by dbus only - remove this after dbus isolation is fixed */
ALLOW_RULE(poll); ALLOW_RULE(poll);
ALLOW_RULE(pwrite64); /* equals pwrite */
ALLOW_RULE(pread64); /* equals pread */
/* ALLOW_RULE (prctl); specified below */ /* ALLOW_RULE (prctl); specified below */
ALLOW_RULE(pread64); /* equals pread */
/* ALLOW_RULE(pwrite64); equals pwrite */
ALLOW_RULE(read); ALLOW_RULE(read);
ALLOW_RULE(readlink); /* readlinkat */ ALLOW_RULE(readlink); /* readlinkat */
ALLOW_RULE(recvfrom); /* ALLOW_RULE(recvfrom); X11 only */
ALLOW_RULE(recvmsg); ALLOW_RULE(recvmsg);
/* ALLOW_RULE(restart_syscall); unused? */ /* ALLOW_RULE(restart_syscall); used by the kernel only */
ALLOW_RULE(rseq); ALLOW_RULE(rseq);
ALLOW_RULE(rt_sigaction); ALLOW_RULE(rt_sigaction);
ALLOW_RULE(rt_sigprocmask); ALLOW_RULE(rt_sigprocmask);
ALLOW_RULE(sched_setattr); ALLOW_RULE(rt_sigreturn);
ALLOW_RULE(sched_getattr); /* ALLOW_RULE(sched_setattr); */
ALLOW_RULE(sendmsg); /* ipc, investigate */ /* ALLOW_RULE(sched_getattr); */
ALLOW_RULE(sendto); /* ipc, investigate */ ALLOW_RULE(sendmsg); /* ipc, used by wayland socket */
ALLOW_RULE(select); /* pselect (equals pselect6), unused? */ /* ALLOW_RULE(sendto); ipc, investigate */
/* ALLOW_RULE(select); pselect (equals pselect6) */
ALLOW_RULE(set_robust_list); ALLOW_RULE(set_robust_list);
/* ALLOW_RULE(shmat); X11 only */ /* ALLOW_RULE(shmat); X11 only */
/* ALLOW_RULE(shmctl); X11 only */ /* ALLOW_RULE(shmctl); X11 only */
/* ALLOW_RULE(shmdt); X11 only */ /* ALLOW_RULE(shmdt); X11 only */
/* ALLOW_RULE(shmget); X11 only */ /* ALLOW_RULE(shmget); X11 only */
ALLOW_RULE(shutdown); /* ALLOW_RULE(shutdown); */
ALLOW_RULE(stat); /* used by older libc */ ALLOW_RULE(stat); /* used by older libc - Debian 11 */
ALLOW_RULE(statx); ALLOW_RULE(statx);
ALLOW_RULE(statfs); /* used by filemonitor, fstatfs above */ ALLOW_RULE(statfs); /* used by filemonitor, fstatfs above */
ALLOW_RULE(sysinfo); /* ALLOW_RULE(sysinfo); !!! */
/* ALLOW_RULE(tgkill); investigate - used when zathura is quickly restarted and dbus socket is closed */
/* ALLOW_RULE(umask); X11 only */ /* ALLOW_RULE(umask); X11 only */
/* ALLOW_RULE(uname); X11 only */ /* ALLOW_RULE(uname); X11 only */
/* ALLOW_RULE(unlink); unused?, unlinkat */ /* ALLOW_RULE(unlink); unused?, unlinkat */
@ -245,25 +251,14 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(timer_create); ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete); ALLOW_RULE(timer_delete);
/* Gracefully fail syscalls that may be used by dependencies in the future
These rules will still block the syscalls but since there usually is fallback code
for new syscalls, it will not shut down zathura and give us more time to
analyse the newly required syscall before potentionally allowing it.
*/
ERRNO_RULE(openat2);
ERRNO_RULE(faccessat2);
ERRNO_RULE(pwritev2);
#ifdef __NR_readfile
ERRNO_RULE(readfile);
#endif
/* Permit X11 specific syscalls */ /* Permit X11 specific syscalls */
#ifdef GDK_WINDOWING_X11 #ifdef GDK_WINDOWING_X11
GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view); GdkDisplay* display = gtk_widget_get_display(zathura->ui.session->gtk.view);
if (GDK_IS_X11_DISPLAY (display)) { if (GDK_IS_X11_DISPLAY (display)) {
girara_debug("On X11, supporting X11 syscalls"); girara_debug("On X11, supporting X11 syscalls");
girara_warning("Running strict sandbox mode on X11 provides only \
incomplete process isolation.");
/* permit the socket syscall for local UNIX domain sockets (required by X11) */ /* permit the socket syscall for local UNIX domain sockets (required by X11) */
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)); ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
@ -279,6 +274,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ALLOW_RULE(shmctl); ALLOW_RULE(shmctl);
ALLOW_RULE(shmdt); ALLOW_RULE(shmdt);
ALLOW_RULE(shmget); ALLOW_RULE(shmget);
ALLOW_RULE(recvfrom);
ALLOW_RULE(writev); /* pwritev, pwritev2 */ ALLOW_RULE(writev); /* pwritev, pwritev2 */
} }
else { else {
@ -286,6 +282,8 @@ seccomp_enable_strict_filter(zathura_t* zathura)
} }
#endif #endif
/* block unsuccessful ipc attempt */
ERRNO_RULE(getpeername);
/* filter clone arguments */ /* filter clone arguments */
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \ ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
@ -333,6 +331,19 @@ seccomp_enable_strict_filter(zathura_t* zathura)
ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); ADD_RULE("errno", SCMP_ACT_ERRNO(EACCES), openat, 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR));
/* Gracefully fail syscalls that may be used by dependencies in the future
These rules will still block the syscalls but since there usually is fallback code
for new syscalls, it will not shut down zathura and give us more time to
analyse the newly required syscall before potentionally allowing it.
*/
ERRNO_RULE(openat2);
ERRNO_RULE(faccessat2);
ERRNO_RULE(pwritev2);
#ifdef __NR_readfile
ERRNO_RULE(readfile);
#endif
/* Sandbox Status Notes: /* Sandbox Status Notes: