Verified Commit b25637a8 authored by valoq's avatar valoq

Allow restricted socket syscall for X11 support

parent 99c831ab
......@@ -224,23 +224,21 @@ seccomp_enable_strict_filter(void)
ALLOW_RULE(statx);
ALLOW_RULE(statfs);
ALLOW_RULE(sysinfo);
ALLOW_RULE(umask); /* required by X11 */
ALLOW_RULE(uname);
ALLOW_RULE(unlink);
ALLOW_RULE(write);
ALLOW_RULE(writev);
ALLOW_RULE(wait4);
/* required by some X11 setups */
/* X11 no longer supported in strict sandbox mode */
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), umask, 0); */
/* ADD_RULE("errno", SCMP_ACT_ERRNO(EPERM), socket, 0); */
/* required for testing only */
ALLOW_RULE(timer_create);
ALLOW_RULE(timer_delete);
/* permit the socket syscall for local UNIX domain sockets (required by X11) */
ADD_RULE("allow", SCMP_ACT_ALLOW, socket, 1, SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX));
/* filter clone arguments */
ADD_RULE("allow", SCMP_ACT_ALLOW, clone, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
......@@ -255,7 +253,6 @@ seccomp_enable_strict_filter(void)
CLONE_CHILD_CLEARTID));
/* fcntl filter - not yet working */
/*ADD_RULE("allow", SCMP_ACT_ALLOW, fcntl, 1, SCMP_CMP(0, SCMP_CMP_EQ, \
F_GETFL | \
......@@ -303,6 +300,7 @@ seccomp_enable_strict_filter(void)
*
* TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc
*
* TODO: check requirement of pipe/pipe2 syscalls when dbus is disabled
*/
......
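Review bot: The new `socket` rule at the end of the first hunk constrains only argument 0, so strict mode now permits AF_UNIX sockets of any type and protocol, which is broader than the X11 client connection the comment cites. If X11 only needs a stream socket, raise the comparator count to 2 and add a type check that ignores the flag bits, something like `SCMP_CMP(1, SCMP_CMP_MASKED_EQ, ~(SOCK_CLOEXEC | SOCK_NONBLOCK), SOCK_STREAM)`, assuming ADD_RULE forwards extra comparators to libseccomp. The comment's word "local" also needs a caveat, e.g. `/* AF_UNIX also covers abstract-namespace sockets and the D-Bus session bus; see TODO below */`, because seccomp cannot filter on the address passed to connect. How much this widens the sandbox depends on whether connect is allowed elsewhere in the filter, which is not visible in these hunks. seccomp_enable_strict_filter starts and ends outside the lines shown.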