Merge branch 'master' into 'develop'

Minor improvements See merge request !54

Merge branch 'master' into 'develop'
Minor improvements See merge request !54
f5e0f240 · Sebastian Ramacher · 53503f61 · 47c67b53 · f5e0f240 · f5e0f240
Commit f5e0f240 authored May 08, 2022 by Sebastian Ramacher
--- a/doc/man/zathurarc.5.rst
+++ b/doc/man/zathurarc.5.rst
@@ -967,6 +967,9 @@ zathura
  * printing
  * bookmarks and history

+  The strict sandbox mode is still experimental with some libc implementations.
+  Currently supported and tested libc implementations: glibc
+
  No feature regressions are expected when using normal sandbox mode.

  When running under WSL, the default is "none" since seccomp is not supported in

--- a/zathura/seccomp-filters.c
+++ b/zathura/seccomp-filters.c
@@ -106,13 +106,16 @@ seccomp_enable_basic_filter(void)
  DENY_RULE(uselib);
  DENY_RULE(vmsplice);

-  /*TODO
+  /*
   *
   * In case this basic filter is actually triggered, print a clear error message to report this
   *   The syscalls here should never be executed by an unprivileged process
   *
   * */

+  girara_debug("Using a basic seccomp filter to blacklist privileged system calls! \
+          Errors reporting 'bad system call' may be an indicator of compromise");
+
  /* applying filter... */
  if (seccomp_load(ctx) >= 0) {
    /* free ctx after the filter has been loaded into the kernel */
@@ -227,7 +230,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
  ALLOW_RULE(statx);
  ALLOW_RULE(statfs);
  ALLOW_RULE(sysinfo);
-  ALLOW_RULE(umask); /* required by X11 */
+  /* ALLOW_RULE(umask); allowed for X11 only below */ 
  ALLOW_RULE(uname);
  ALLOW_RULE(unlink);
  ALLOW_RULE(write);  
@@ -253,6 +256,7 @@ seccomp_enable_strict_filter(zathura_t* zathura)
    ALLOW_RULE(mkdir);
    ALLOW_RULE(setsockopt);
    ALLOW_RULE(connect);
+    ALLOW_RULE(umask);
  }
  else {
    girara_debug("On Wayland, blocking X11 syscalls");
@@ -315,8 +319,6 @@ seccomp_enable_strict_filter(zathura_t* zathura)
   * mkdir: needed for first run only to create /run/user/UID/dconf (before seccomp init)
   * wait4: required to attempt opening links (which is then blocked)
   *
-   * X11 environments require umask and socket syscalls after sandbox setup 
-   *   no longer supported since X11 cannot be easily secured anyway
   *
   * TODO: prevent dbus socket connection before sandbox init - by checking the sandbox settings in zathurarc 
   *