Verified Commit 739a1854 authored by valoq's avatar valoq

code cleanup

parent 4bde3d79
......@@ -121,11 +121,12 @@ endif
endif
ifneq (${WITH_SECCOMP},0)
SECCOMP_INC ?=
SECCOMP_LIB ?= -lseccomp
INCS += ${SECCOMP_INC}
LIBS += ${SECCOMP_LIB}
ifeq (${LIBSECCOMP_INC}-${LIBSECCOMP_LIB},-)
PKG_CONFIG_LIBS += libseccomp
else
INCS += ${LIBSECCOMP_INC}
LIBS += ${LIBSECCOMP_LIB}
endif
endif
ifneq (${PKG_CONFIG_LIBS},)
......
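Review bot: The seccomp build variables change name from `SECCOMP_INC`/`SECCOMP_LIB` to `LIBSECCOMP_INC`/`LIBSECCOMP_LIB`, and the old `SECCOMP_LIB ?= -lseccomp` default disappears, so an existing override of the old names (from the environment or a local make include) is silently ignored and the build falls through to the `PKG_CONFIG_LIBS += libseccomp` branch. If that fallback is the intent, a short comment above the `ifeq` saying so would spare the next person a puzzling link step; otherwise `LIBSECCOMP_LIB ?= ${SECCOMP_LIB}` (and the same for `_INC`) before the `ifeq` would keep the old names working. The `ifneq (${PKG_CONFIG_LIBS},)` block at the end of the hunk continues outside it.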
......@@ -13,12 +13,10 @@
#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; }
#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
scmp_filter_ctx ctx;
int protectedMode(void){
int seccomp_enable_protected_mode(void){
scmp_filter_ctx ctx;
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl SET_NO_NEW_PRIVS");
......@@ -37,7 +35,6 @@ int protectedMode(void){
perror("seccomp_init failed");
exit(EXIT_FAILURE);
}
DENY_RULE (_sysctl);
DENY_RULE (acct);
......@@ -91,7 +88,6 @@ int protectedMode(void){
DENY_RULE (uselib);
DENY_RULE (vmsplice);
/* applying filter... */
if (seccomp_load (ctx) >= 0){
/* free ctx after the filter has been loaded into the kernel */
......@@ -103,12 +99,13 @@ int protectedMode(void){
/* something went wrong */
seccomp_release(ctx);
return 1;
}
int protectedView(void){
int seccomp_enable_protected_view(void){
scmp_filter_ctx ctx;
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl SET_NO_NEW_PRIVS");
......@@ -127,7 +124,6 @@ int protectedView(void){
perror("seccomp_init failed");
exit(EXIT_FAILURE);
}
ALLOW_RULE (access);
ALLOW_RULE (bind);
......@@ -210,22 +206,18 @@ int protectedView(void){
ALLOW_RULE (writev);
ALLOW_RULE (wait4); /* trying to open links should not crash the app */
/* allowed for use with container */
ALLOW_RULE (chmod);
ALLOW_RULE (link);
ALLOW_RULE (rename);
ALLOW_RULE (rename);
/* allowed for debugging: */
/* ALLOW_RULE (prctl); */
/* ALLOW_RULE (ioctl); */
/* incomplete */
/* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, */
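Review bot: `ALLOW_RULE (rename);` appears twice in a row in this hunk; if both lines are on the new side, the second is redundant and should be dropped. It is also worth confirming how the linked libseccomp version treats an identical rule added twice, because any non-zero return from seccomp_rule_add takes the macro's `goto out` path, after which the function releases the context and returns 1 without the filter ever being loaded. The enclosing seccomp_enable_protected_view() continues outside this hunk.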
......@@ -271,8 +263,6 @@ int protectedView(void){
/* SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG)) < 0) */
/* goto out; */
/* when zathura is run on wayland, with X11 server available but blocked, unset the DISPLAY variable */
/* otherwise it will try to connect to X11 using inet socket protocol */
......@@ -288,7 +278,6 @@ int protectedView(void){
goto out;
/* TODO: avoid the need for the open syscall to be allowed with write permissions */
/* zathura needs to open files for writing to save current position */
......@@ -307,11 +296,7 @@ int protectedView(void){
/* goto out; */
/* ------------ experimental filters --------------- */
/* /\* this filter is susceptible to TOCTOU race conditions, providing limited use *\/ */
/* /\* allow opening only specified files identified by their file descriptors*\/ */
......@@ -381,12 +366,12 @@ int protectedView(void){
/* something went wrong */
seccomp_release(ctx);
return 1;
}
int strictFilter(void){
int seccomp_enable_strict_filter(void){
scmp_filter_ctx ctx;
/* prevent child processes from getting more priv e.g. via setuid, capabilities, ... */
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
......@@ -407,7 +392,6 @@ int strictFilter(void){
exit(EXIT_FAILURE);
}
ALLOW_RULE (access);
/* ALLOW_RULE (arch_prctl); */
ALLOW_RULE (bind);
......@@ -487,7 +471,7 @@ int strictFilter(void){
ALLOW_RULE (writev);
ALLOW_RULE (wait4); /* trying to open links should not crash the app */
/* Special requirements for ioctl, allowed on stdout/stderr */
if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0)
......@@ -496,8 +480,7 @@ int strictFilter(void){
SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0)
goto out;
/* needed by gtk??? (does not load content without) */
/* special restrictions for prctl, only allow PR_SET_NAME/PR_SET_PDEATHSIG */
......@@ -509,7 +492,6 @@ int strictFilter(void){
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_PDEATHSIG)) < 0)
goto out;
/* allowed for debugging: */
......@@ -530,25 +512,4 @@ int strictFilter(void){
return 1;
}
#else /* WITH_SECCOMP */
int protectedMode(void){
perror("No seccomp support compiled-in\n");
return 1;
}
int protectedView(void){
perror("No seccomp support compiled-in\n");
return 1;
}
int strictFilter(void){
perror("No seccomp support compiled-in\n");
return 1;
}
#endif /* WITH_SECCOMP */
......@@ -4,16 +4,16 @@
/* basic filter */
/* this mode allows normal use */
/* only dangerous syscalls are blacklisted */
int protectedMode(void);
int seccomp_enable_protected_mode(void);
/* secure whitelist filter */
/* whitelist minimal syscalls only */
/* this mode does not allow to open external links or to start applications */
/* network connections are prohibited as well */
int protectedView(void);
int seccomp_enable_protected_view(void);
/* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */
int strictFilter(void);
int seccomp_enable_strict_filter(void);
#endif
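Review bot: The renamed prototypes still carry no statement of their return contract; the surrounding comments describe the filter policy but not what a caller should do with the `int`. From the implementation hunks, each function returns 1 after `seccomp_release(ctx)` when a rule cannot be added and calls `exit(EXIT_FAILURE)` when prctl or seccomp_init fails, with the success value presumably 0 (that path is outside the shown hunks). A one-line comment above each declaration such as `/* returns 0 once the filter is loaded, 1 if a rule could not be added (no filter installed); exits the process if prctl or seccomp_init fails */` would let callers know that ignoring the result means running unsandboxed.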
......@@ -207,9 +207,8 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
if (girara_xdg_open(link->target.value) == false) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Failed to run xdg-open."));
}
#endif
#ifdef WITH_SECCOMP
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Opening external apps in protectedView Sandbox mode is not permitted"));
#else
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Opening external apps in protectedView Sandbox mode is not permitted"));
#endif
break;
case ZATHURA_LINK_LAUNCH:
......
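Review bot: The `#ifdef WITH_SECCOMP` / `#else` pair just before `break;` wraps two identical `girara_notify(...)` calls, so if both lines are on the new side the conditional is dead and a single unconditional call would do; which side each line belongs to is not recoverable from this rendering, so please check. The notification text also names `protectedView`, which this commit renames to `seccomp_enable_protected_view`, so the user-facing string appears to have been left behind by the rename; a mode description that will not drift with function names, e.g. `_("Opening external apps is not permitted in sandbox mode")`, would avoid that. The enclosing zathura_link_evaluate() starts outside this hunk.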
......@@ -20,7 +20,6 @@
#endif
#ifdef WITH_SECCOMP
#include <unistd.h>
#include "libsec.h"
#endif
......@@ -129,7 +128,7 @@ main(int argc, char* argv[])
{
#ifdef WITH_SECCOMP
protectedView();
seccomp_enable_protected_view();
#endif
init_locale();
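Review bot: The result of `seccomp_enable_protected_view();` on the new side is discarded, so a rule that fails to add — the implementation's `goto out` path ending in `seccomp_release(ctx); return 1;` — leaves zathura running with no filter installed and nothing reported; the same applies to the `seccomp_enable_strict_filter();` call in the next hunk. Since those functions already exit the process when prctl or seccomp_init fails, failing closed here as well would be consistent: `if (seccomp_enable_protected_view() != 0) { fprintf(stderr, "seccomp filter could not be installed\n"); return -1; }` (or the project's own error reporting, and the return value main() otherwise uses for failure). main() begins and ends outside this hunk.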
......@@ -300,7 +299,7 @@ main(int argc, char* argv[])
#ifdef WITH_SECCOMP
/* enforce strict syscall filter before parsing the document */
strictFilter();
seccomp_enable_strict_filter();
#endif
/* open document if passed */
......