Hey Valoq, thank you for working on this. Actually I was waiting on the sandboxing project from flatpak to be more complete before trying to do a sandbox for evince. As far as I know, flatpak is using bubblewrap among its technologies for sandboxing. Also, there are Gtk portals that let you do very fine grained restricted access to the filesystem inside a flatpak environment. It would be great if we could have only one interface for sandboxing... Like you want evince to be sandboxed even if it's installed in a normal way, not the flatpak way. Anyway, these are just some thoughts.
Cheers
José

On Thu, Mar 9, 2017 at 8:45 PM, valoq <[email protected]> wrote:
> Hello everyone,
>
> a short while ago I completed a project about sandbox technologies on
> linux and evince was one of the target applications for which I
> implemented a basic Sandbox. Now that I have finished my work I would
> like to ask if you are interested in using the results and integrate
> sandbox support for evince.
>
> There are still a few things that need work, like gui support as well
> as some adjustments of the makefiles.
>
> The sandbox uses (lib)seccomp to restrict the application using two
> different modes. An invisible sandbox mode that does not affect the
> normal functionality at all and that will not be noticed by the user
> (this can be used as the default), as well as a read only mode that
> allows only the system calls used by evince to read local files (network
> access disabled). There are still a few weak points that need to be
> considered like access to dbus (and sockets in general), which can be
> disabled by seccomp as well but needs some adjustments of the internal
> workings of evince. Another issue is the x-server but this can simply
> be resolved by using wayland (still works on X11 but does not isolate).
> What still needs to be done is to prevent launching a browser to open
> external links. At the moment this causes the application to crash
> (since seccomp blocks this) but this can be fixed easily, I just have
> not found the correct line yet that handles this.
>
> The seccomp sandbox code can be found here:
> https://github.com/LinuxSandboxingProject/evince
>
> I also built additional sandbox isolation by using linux namespaces but
> there is actually already pretty nice (and better) code that does that
> (bubblewrap) and while I am not sure you want to include that by
> default, here is a helper script that further isolates evince using
> namespaces (isolating the filesystem, process and user environment as
> well as the network interfaces)
> https://github.com/valoq/bwscripts/tree/master/profiles
>
> Seccomp alone already does some nice hardening and can be easily
> integrated (some more tests are advised). Combined with namespaces the
> resulting sandbox is even more solid.
>
> If you are interested in using this code in the official evince project
> I would be happy to help with any resulting issues regarding the sandbox
> support.
>
> _______________________________________________
> evince-list mailing list
> [email protected]
> https://mail.gnome.org/mailman/listinfo/evince-list
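The "read only" mode valoq describes (allow only the system calls needed to read local files, so socket()/connect() and therefore network access are refused) can be expressed as a seccomp-bpf allowlist. The following is an added illustration, not code from evince or from the LinuxSandboxingProject repository; the syscall list, the function names and the choice of failing denied calls with EPERM rather than killing the process are my own assumptions. It also contains a tiny user-space evaluator for the filter, so the policy can be checked before it is installed in a real process.

```c
/*
 * Added illustration (not evince's or the LinuxSandboxingProject code):
 * a seccomp-bpf allowlist in the spirit of the thread's "read only" mode.
 * Calls not on the list fail with EPERM, so network syscalls are refused
 * while reading local files keeps working. The syscall list is a hand-picked,
 * assumed subset; a real one is derived by tracing the application.
 * Linux only (x86_64 / aarch64).
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older kernel headers */
#endif

/* Assumed list: what a viewer needs to open and read a local document. */
static const int read_only_allowlist[] = {
    __NR_read, __NR_pread64, __NR_openat, __NR_close, __NR_fstat, __NR_lseek,
    __NR_mmap, __NR_munmap, __NR_brk, __NR_write, /* write: stdout for main() */
    __NR_exit_group, __NR_rt_sigreturn,
};
#define ALLOWLIST_LEN (sizeof read_only_allowlist / sizeof read_only_allowlist[0])
#define FILTER_MAX (4 + ALLOWLIST_LEN + 2)

/* Emit the filter into out[]; returns the instruction count, 0 on error. */
size_t build_read_only_filter(struct sock_filter *out, size_t cap)
{
    size_t n = ALLOWLIST_LEN, pc = 0;
    if (cap < FILTER_MAX || n > 255) /* jt is an 8-bit jump offset */
        return 0;
    /* Kill on a foreign ABI: syscall numbers differ between architectures. */
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One JEQ per allowed number; a match jumps over the EPERM return. */
    for (size_t i = 0; i < n; i++)
        out[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                        (uint32_t)read_only_allowlist[i], (uint8_t)(n - i), 0);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return pc;
}

/* Minimal cBPF evaluator for the three instruction forms used above. */
static uint32_t bpf_run(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end */
}

/* What the kernel would decide for syscall `nr` arriving from `arch`. */
uint32_t filter_verdict(uint32_t arch, int nr)
{
    struct sock_filter prog[FILTER_MAX];
    size_t len = build_read_only_filter(prog, FILTER_MAX);
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return bpf_run(prog, len, &d);
}

/* Install the filter in the calling process; 0 on success. */
int install_read_only_filter(void)
{
    struct sock_filter prog[FILTER_MAX];
    struct sock_fprog fprog = { .len = (unsigned short)build_read_only_filter(prog, FILTER_MAX), .filter = prog };
    if (fprog.len == 0) return -1;
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    printf("simulated verdicts: read=%#x socket=%#x\n",
           filter_verdict(NATIVE_ARCH, __NR_read), filter_verdict(NATIVE_ARCH, __NR_socket));
    if (install_read_only_filter() != 0) { perror("seccomp"); return 1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* refused in-kernel from now on */
    printf("socket() after install: fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

A hit on the allowlist returns SECCOMP_RET_ALLOW; anything else, including socket() and connect(), gets EPERM, which is what lets the application keep running instead of crashing the way the thread describes for the blocked browser launch (SECCOMP_RET_KILL_PROCESS would reproduce that crash). The filter is installed with prctl() after PR_SET_NO_NEW_PRIVS; the evaluator lets you assert on the policy in a unit test without sandboxing the test runner itself.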
