Commit 6f14dfb9 authored by Sebastian Ramacher's avatar Sebastian Ramacher

Merge remote-tracking branch 'valoq/feature/seccomp' into HEAD

parents b138553e f101efe9
......@@ -16,6 +16,7 @@ check (optional, for tests)
intltool
libmagic from file(1) (optional, for mime-type detection)
libsynctex from TeXLive (optional, for SyncTeX support)
libseccomp (optional, for sandbox support)
Sphinx (optional, for manpages and HTML documentation)
doxygen (optional, for HTML documentation)
breathe (optional, for HTML documentation)
......@@ -31,6 +32,9 @@ enable-sqlite=off and sqlite support won't be available.
The use of magic to detect mime types is optional and can be disabled by setting
enable-magic=off.
The use of seccomp to create a sandboxed environment is optional and can be
enabled by setting enable-seccomp=on.
Installation
------------
......
......@@ -1044,6 +1044,16 @@ Define the background color of the selected element in index mode.
* Value type: String
* Default value: #9FBC00
sandbox
^^^^^^^
Defines the sandbox mode to use for the seccomp syscall filter. Possible
values are "none", "normal" and "strict". If "none" is used, the sandbox
will be disabled. The use of "normal" will provide minimal protection and
allow normal use of seccomp with support for all features. The "strict" mode
is a read only sandbox that is intended for viewing documents only.
* Value type: String
* Default value: normal
SEE ALSO
========
......
......@@ -70,11 +70,12 @@ additional_sources = []
sqlite = dependency('sqlite3', version: '>=3.5.9', required: false)
synctex = dependency('synctex', required: false)
magic = cc.find_library('magic', required: false)
seccomp = dependency('libseccomp', required: false)
if get_option('enable-sqlite') and sqlite.found()
build_dependencies += sqlite
defines += '-DWITH_SQLITE'
additional_sources = files('zathura/database-sqlite.c')
additional_sources += files('zathura/database-sqlite.c')
endif
if get_option('enable-synctex') and synctex.found()
......@@ -87,6 +88,12 @@ if get_option('enable-magic') and magic.found()
defines += '-DWITH_MAGIC'
endif
if get_option('enable-seccomp') and seccomp.found()
build_dependencies += seccomp
defines += '-DWITH_SECCOMP'
additional_sources += files('zathura/libsec.c')
endif
# generate version header file
version_header = configure_file(
input: 'zathura/version.h.in',
......
......@@ -13,3 +13,8 @@ option('enable-magic',
value: true,
description: 'Enable magic support if available.'
)
option('enable-seccomp',
type: 'boolean',
value: true,
description: 'Enable seccomp support if available.'
)
......@@ -280,6 +280,15 @@ cmd_print(girara_session_t* session, girara_list_t* UNUSED(argument_list))
return false;
}
char* sandbox = NULL;
girara_setting_get(zathura->ui.session, "sandbox", &sandbox);
if (g_strcmp0(sandbox, "strict") == 0) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Printing is not permitted in strict sandbox mode"));
g_free(sandbox);
return false;
}
print(zathura);
return true;
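Review bot: The string fetched into `sandbox` is freed only inside the strict branch, so every print in "none" or "normal" mode reaches `print(zathura)` and leaks it. The links.c change in this commit frees the same setting value after use, which suggests the getter hands back an owned copy. Evaluate the mode once and release the string on both paths, for example `const bool strict = g_strcmp0(sandbox, "strict") == 0; g_free(sandbox);` followed by `if (strict) { ... return false; }`. cmd_print starts outside this hunk.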
......
......@@ -185,6 +185,8 @@ config_load_default(zathura_t* zathura)
girara_setting_add(gsession, "index-active-fg", "#232323", STRING, true, _("Index mode foreground color (active element)"), NULL, NULL);
girara_setting_add(gsession, "index-active-bg", "#9FBC00", STRING, true, _("Index mode background color (active element)"), NULL, NULL);
girara_setting_add(gsession, "sandbox", "normal", STRING, true, _("Sandbox level"), NULL, NULL);
bool_value = false;
girara_setting_add(gsession, "recolor", &bool_value, BOOLEAN, false, _("Recolor pages"), cb_setting_recolor_change, NULL);
bool_value = false;
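Review bot: The `sandbox` setting is registered here with no `WITH_SECCOMP` guard visible, while the code in main.c that installs the filter is compiled only under `#ifdef WITH_SECCOMP`. In a build without libseccomp a user can still set `sandbox strict`, sees printing and URI links refused, and gets no syscall filter and no message saying so. A comment on this line stating that the value is enforced only in seccomp builds would help. So would an `#else` branch in main.c that logs something like `girara_warning("Built without seccomp support; the sandbox setting is not enforced.");`. config_load_default continues outside this hunk.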
......
#ifndef SECCOMP_H
#define SECCOMP_H
/* basic filter */
/* this mode allows normal use */
/* only dangerous syscalls are blacklisted */
int seccomp_enable_basic_filter(void);
/* strict filter before document parsing */
/* this filter is to be enabled after most of the initialisation of zathura has finished */
int seccomp_enable_strict_filter(void);
#endif
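Review bot: Neither prototype documents its return value, yet main.c treats any non-zero result as fatal. A line such as `/* returns 0 on success, non-zero if the filter could not be installed */` above each declaration would make the contract explicit. It is also worth stating that a loaded filter stays in force for the rest of the process, so callers must finish any setup that needs the blocked syscalls first. The `SECCOMP_H` guard and the `seccomp_` function prefix sit in the naming space of libseccomp's own API (`seccomp_init`, `seccomp_load`). A project-specific guard such as `ZATHURA_LIBSEC_H` would remove the risk of a clash.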
......@@ -14,6 +14,10 @@
#include "page.h"
#include "render.h"
#ifdef WITH_SECCOMP
#include "libsec.h"
#endif
struct zathura_link_s {
zathura_rectangle_t position; /**< Position of the link */
zathura_link_type_t type; /**< Link type */
......@@ -131,6 +135,10 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
bool link_zoom = true;
girara_setting_get(zathura->ui.session, "link-zoom", &link_zoom);
/* required below to prevent opening hyperlinks in strict sandbox mode */
char* sandbox = NULL;
girara_setting_get(zathura->ui.session, "sandbox", &sandbox);
switch (link->type) {
case ZATHURA_LINK_GOTO_DEST:
if (link->target.destination_type != ZATHURA_LINK_DESTINATION_UNKNOWN) {
......@@ -199,8 +207,12 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
link_remote(zathura, link->target.value);
break;
case ZATHURA_LINK_URI:
if (girara_xdg_open(link->target.value) == false) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Failed to run xdg-open."));
if (g_strcmp0(sandbox, "strict") == 0) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Opening external applications in strict sandbox mode is not permitted"));
} else {
if (girara_xdg_open(link->target.value) == false) {
girara_notify(zathura->ui.session, GIRARA_ERROR, _("Failed to run xdg-open."));
}
}
break;
case ZATHURA_LINK_LAUNCH:
......@@ -209,6 +221,7 @@ zathura_link_evaluate(zathura_t* zathura, zathura_link_t* link)
default:
break;
}
g_free(sandbox);
}
void
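Review bot: Only the `ZATHURA_LINK_URI` case is gated on strict mode. The body of the `ZATHURA_LINK_LAUNCH` case below it is not part of any hunk, so it appears to run unchanged even though the new message speaks of external applications in general. If strict mode is meant to refuse these at application level rather than rely on the syscall filter alone, the same `g_strcmp0(sandbox, "strict") == 0` test should cover the launch case. The user then gets the notification instead of a failed child process. The added `#include "libsec.h"` also looks unused here, since no function from that header is called in the visible hunks. zathura_link_evaluate starts and continues outside these hunks.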
......
......@@ -19,6 +19,10 @@
#include "synctex.h"
#endif
#ifdef WITH_SECCOMP
#include "libsec.h"
#endif
/* Init locale */
static void
init_locale(void)
......@@ -122,6 +126,7 @@ init_zathura(const char* config_dir, const char* data_dir,
GIRARA_VISIBLE int
main(int argc, char* argv[])
{
init_locale();
/* parse command line arguments */
......@@ -288,6 +293,31 @@ main(int argc, char* argv[])
goto free_and_ret;
}
#ifdef WITH_SECCOMP
char* sandbox = NULL;
girara_setting_get(zathura->ui.session, "sandbox", &sandbox);
if (g_strcmp0(sandbox, "none") == 0) {
girara_debug("Sandbox deactivated.");
} else if (g_strcmp0(sandbox, "normal") == 0) {
girara_debug("Basic sandbox allowing normal operation.");
ret = seccomp_enable_basic_filter();
} else if (g_strcmp0(sandbox, "strict") == 0) {
girara_debug("Strict sandbox preventing write and network access.");
ret = seccomp_enable_strict_filter();
} else {
girara_error("Invalid sandbox option");
ret = -1;
}
g_free(sandbox);
if (ret){
goto free_and_ret;
}
#endif
/* open document if passed */
if (file_idx != 0) {
if (page_number > 0) {
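Review bot: The `"none"` branch never assigns `ret`, so the `if (ret)` test after `g_free(sandbox)` sees whatever value `ret` held earlier in main, which is outside this hunk. If `ret` is initialised to a failure code, disabling the sandbox would make zathura exit at startup. Assign it explicitly with `ret = 0;` after `girara_debug("Sandbox deactivated.");`, or keep the filter result in a separate local so it cannot pick up stale state. When a filter call fails, the process exits without any message. A `girara_error("Failed to enable seccomp filter.");` before `goto free_and_ret` would make that failure diagnosable.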
......