newfstatat syscall blocked when running zathura from shell with strict sandbox
While launching Zathura from my terminal and having set the sandbox to strict the software does not run as expected.
The execution does not seems to terminate but nothing appear on screen.
set sandbox strict
$ uname -a
5.12.7-hardened1-1-hardened #1 SMP PREEMPT Wed, 26 May 2021 20:05:34 +0000 x86_64 GNU/Linux
Name : zathura
Version : 0.4.7-1
Package built with this options.
Under the above conditions, running zathu in debug mode give me this:
(zathura:267599): dbind-WARNING **: 21:58:05.230: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-DLlGVA67lI: No such file or directory
debug: ../girara/template.c:311: base_changed(): Variable 'session' not set.
debug: ../zathura/plugin.c:278: register_plugin(): plugin: filetype mapping added: application/pdf
debug: ../zathura/plugin.c:278: register_plugin(): plugin: filetype mapping added: application/oxps
debug: ../zathura/plugin.c:278: register_plugin(): plugin: filetype mapping added: application/epub+zip
debug: ../zathura/plugin.c:278: register_plugin(): plugin: filetype mapping added: application/x-fictionbook+xml
debug: ../zathura/plugin.c:278: register_plugin(): plugin: filetype mapping added: application/xml
debug: ../zathura/plugin.c:173: load_plugin(): Successfully loaded plugin from '/usr/lib/zathura/libpdf-mupdf.so'.
debug: ../zathura/plugin.c:174: load_plugin(): plugin pdf-mupdf: version 0.3.6
debug: ../girara/config.c:420: girara_config_parse(): reading configuration file '/etc/xdg/zathurarc'
debug: ../girara/config.c:327: config_parse(): failed to open config file '/etc/xdg/zathurarc'
debug: ../girara/config.c:420: girara_config_parse(): reading configuration file '/etc/zathurarc'
debug: ../girara/config.c:420: girara_config_parse(): reading configuration file '/home/user/.config/zathura/zathurarc'
debug: ../girara/config.c:327: config_parse(): failed to open config file '/home/user/.config/zathura/zathurarc'
debug: ../zathura/zathura.c:451: zathura_init(): Strict sandbox preventing write and network access.
debug: ../zathura/seccomp-filters.c:141: seccomp_enable_strict_filter(): adding rule allow to access
debug: ../zathura/seccomp-filters.c:143: seccomp_enable_strict_filter(): adding rule allow to bind
debug: ../zathura/seccomp-filters.c:144: seccomp_enable_strict_filter(): adding rule allow to brk
debug: ../zathura/seccomp-filters.c:145: seccomp_enable_strict_filter(): adding rule allow to clock_getres
debug: ../zathura/seccomp-filters.c:146: seccomp_enable_strict_filter(): adding rule allow to clone
debug: ../zathura/seccomp-filters.c:147: seccomp_enable_strict_filter(): adding rule allow to close
debug: ../zathura/seccomp-filters.c:149: seccomp_enable_strict_filter(): adding rule allow to eventfd2
debug: ../zathura/seccomp-filters.c:150: seccomp_enable_strict_filter(): adding rule allow to exit
debug: ../zathura/seccomp-filters.c:151: seccomp_enable_strict_filter(): adding rule allow to exit_group
debug: ../zathura/seccomp-filters.c:152: seccomp_enable_strict_filter(): adding rule allow to fadvise64
debug: ../zathura/seccomp-filters.c:153: seccomp_enable_strict_filter(): adding rule allow to fallocate
debug: ../zathura/seccomp-filters.c:154: seccomp_enable_strict_filter(): adding rule allow to fcntl
debug: ../zathura/seccomp-filters.c:155: seccomp_enable_strict_filter(): adding rule allow to fstat
debug: ../zathura/seccomp-filters.c:156: seccomp_enable_strict_filter(): adding rule allow to fstatfs
debug: ../zathura/seccomp-filters.c:157: seccomp_enable_strict_filter(): adding rule allow to ftruncate
debug: ../zathura/seccomp-filters.c:158: seccomp_enable_strict_filter(): adding rule allow to futex
debug: ../zathura/seccomp-filters.c:159: seccomp_enable_strict_filter(): adding rule allow to getdents
debug: ../zathura/seccomp-filters.c:160: seccomp_enable_strict_filter(): adding rule allow to getdents64
debug: ../zathura/seccomp-filters.c:161: seccomp_enable_strict_filter(): adding rule allow to getegid
debug: ../zathura/seccomp-filters.c:162: seccomp_enable_strict_filter(): adding rule allow to geteuid
debug: ../zathura/seccomp-filters.c:163: seccomp_enable_strict_filter(): adding rule allow to getgid
debug: ../zathura/seccomp-filters.c:164: seccomp_enable_strict_filter(): adding rule allow to getuid
debug: ../zathura/seccomp-filters.c:165: seccomp_enable_strict_filter(): adding rule allow to getpid
debug: ../zathura/seccomp-filters.c:166: seccomp_enable_strict_filter(): adding rule allow to getppid
debug: ../zathura/seccomp-filters.c:167: seccomp_enable_strict_filter(): adding rule allow to gettid
debug: ../zathura/seccomp-filters.c:169: seccomp_enable_strict_filter(): adding rule allow to getrandom
debug: ../zathura/seccomp-filters.c:170: seccomp_enable_strict_filter(): adding rule allow to getresgid
debug: ../zathura/seccomp-filters.c:171: seccomp_enable_strict_filter(): adding rule allow to getresuid
debug: ../zathura/seccomp-filters.c:172: seccomp_enable_strict_filter(): adding rule allow to getrlimit
debug: ../zathura/seccomp-filters.c:173: seccomp_enable_strict_filter(): adding rule allow to getpeername
debug: ../zathura/seccomp-filters.c:176: seccomp_enable_strict_filter(): adding rule allow to inotify_add_watch
debug: ../zathura/seccomp-filters.c:177: seccomp_enable_strict_filter(): adding rule allow to inotify_init1
debug: ../zathura/seccomp-filters.c:178: seccomp_enable_strict_filter(): adding rule allow to inotify_rm_watch
debug: ../zathura/seccomp-filters.c:180: seccomp_enable_strict_filter(): adding rule allow to lseek
debug: ../zathura/seccomp-filters.c:181: seccomp_enable_strict_filter(): adding rule allow to lstat
debug: ../zathura/seccomp-filters.c:182: seccomp_enable_strict_filter(): adding rule allow to madvise
debug: ../zathura/seccomp-filters.c:183: seccomp_enable_strict_filter(): adding rule allow to memfd_create
debug: ../zathura/seccomp-filters.c:184: seccomp_enable_strict_filter(): adding rule allow to mkdir
debug: ../zathura/seccomp-filters.c:185: seccomp_enable_strict_filter(): adding rule allow to mmap
debug: ../zathura/seccomp-filters.c:186: seccomp_enable_strict_filter(): adding rule allow to mprotect
debug: ../zathura/seccomp-filters.c:187: seccomp_enable_strict_filter(): adding rule allow to mremap
debug: ../zathura/seccomp-filters.c:188: seccomp_enable_strict_filter(): adding rule allow to munmap
debug: ../zathura/seccomp-filters.c:191: seccomp_enable_strict_filter(): adding rule allow to pipe
debug: ../zathura/seccomp-filters.c:192: seccomp_enable_strict_filter(): adding rule allow to pipe2
debug: ../zathura/seccomp-filters.c:193: seccomp_enable_strict_filter(): adding rule allow to poll
debug: ../zathura/seccomp-filters.c:194: seccomp_enable_strict_filter(): adding rule allow to pwrite64
debug: ../zathura/seccomp-filters.c:195: seccomp_enable_strict_filter(): adding rule allow to pread64
debug: ../zathura/seccomp-filters.c:198: seccomp_enable_strict_filter(): adding rule allow to read
debug: ../zathura/seccomp-filters.c:199: seccomp_enable_strict_filter(): adding rule allow to readlink
debug: ../zathura/seccomp-filters.c:200: seccomp_enable_strict_filter(): adding rule allow to recvfrom
debug: ../zathura/seccomp-filters.c:201: seccomp_enable_strict_filter(): adding rule allow to recvmsg
debug: ../zathura/seccomp-filters.c:202: seccomp_enable_strict_filter(): adding rule allow to restart_syscall
debug: ../zathura/seccomp-filters.c:203: seccomp_enable_strict_filter(): adding rule allow to rt_sigaction
debug: ../zathura/seccomp-filters.c:204: seccomp_enable_strict_filter(): adding rule allow to rt_sigprocmask
debug: ../zathura/seccomp-filters.c:205: seccomp_enable_strict_filter(): adding rule allow to sendmsg
debug: ../zathura/seccomp-filters.c:206: seccomp_enable_strict_filter(): adding rule allow to sendto
debug: ../zathura/seccomp-filters.c:207: seccomp_enable_strict_filter(): adding rule allow to select
debug: ../zathura/seccomp-filters.c:208: seccomp_enable_strict_filter(): adding rule allow to set_robust_list
debug: ../zathura/seccomp-filters.c:211: seccomp_enable_strict_filter(): adding rule allow to shmat
debug: ../zathura/seccomp-filters.c:212: seccomp_enable_strict_filter(): adding rule allow to shmctl
debug: ../zathura/seccomp-filters.c:213: seccomp_enable_strict_filter(): adding rule allow to shmdt
debug: ../zathura/seccomp-filters.c:214: seccomp_enable_strict_filter(): adding rule allow to shmget
debug: ../zathura/seccomp-filters.c:215: seccomp_enable_strict_filter(): adding rule allow to shutdown
debug: ../zathura/seccomp-filters.c:216: seccomp_enable_strict_filter(): adding rule allow to stat
debug: ../zathura/seccomp-filters.c:217: seccomp_enable_strict_filter(): adding rule allow to statfs
debug: ../zathura/seccomp-filters.c:219: seccomp_enable_strict_filter(): adding rule allow to sysinfo
debug: ../zathura/seccomp-filters.c:220: seccomp_enable_strict_filter(): adding rule allow to uname
debug: ../zathura/seccomp-filters.c:221: seccomp_enable_strict_filter(): adding rule allow to unlink
debug: ../zathura/seccomp-filters.c:222: seccomp_enable_strict_filter(): adding rule allow to write
debug: ../zathura/seccomp-filters.c:223: seccomp_enable_strict_filter(): adding rule allow to writev
debug: ../zathura/seccomp-filters.c:224: seccomp_enable_strict_filter(): adding rule allow to wait4
debug: ../zathura/seccomp-filters.c:226: seccomp_enable_strict_filter(): adding rule errno to sched_setattr
debug: ../zathura/seccomp-filters.c:227: seccomp_enable_strict_filter(): adding rule errno to sched_getattr
debug: ../zathura/seccomp-filters.c:230: seccomp_enable_strict_filter(): adding rule allow to timer_create
debug: ../zathura/seccomp-filters.c:231: seccomp_enable_strict_filter(): adding rule allow to timer_delete
debug: ../zathura/seccomp-filters.c:234: seccomp_enable_strict_filter(): adding rule allow to ioctl
debug: ../zathura/seccomp-filters.c:235: seccomp_enable_strict_filter(): adding rule allow to ioctl
debug: ../zathura/seccomp-filters.c:240: seccomp_enable_strict_filter(): adding rule allow to prctl
debug: ../zathura/seccomp-filters.c:241: seccomp_enable_strict_filter(): adding rule allow to prctl
debug: ../zathura/seccomp-filters.c:244: seccomp_enable_strict_filter(): adding rule allow to open
debug: ../zathura/seccomp-filters.c:245: seccomp_enable_strict_filter(): adding rule errno to open
debug: ../zathura/seccomp-filters.c:246: seccomp_enable_strict_filter(): adding rule errno to open
debug: ../zathura/seccomp-filters.c:249: seccomp_enable_strict_filter(): adding rule allow to openat
debug: ../zathura/seccomp-filters.c:250: seccomp_enable_strict_filter(): adding rule errno to openat
debug: ../zathura/seccomp-filters.c:251: seccomp_enable_strict_filter(): adding rule errno to openat
It does not termine but kinda hang.
In the other hand, with the same configuration I can open a pdf from chromium with no issue.
If I downgrade the sandobx to none or normal everything works even from the terminal.
I can get the following from kernel logs:
audit: type=1326 audit(1623016814.743:1059): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=268143 comm="zathura" exe="/usr/bin/zathura" sig=31 arch=c000003e syscall=262 compat=0 ip=0x62bbaf310d8e code=0x0
I believe in this case, newfstatat is needed?
From my understanding it allowed here but I cannot see this rule from above logs.
Happy to provide more info if needed.