Hello everyone, a short while ago I completed a project about sandbox technologies on Linux, and evince was one of the target applications for which I implemented a basic sandbox. Now that I have finished my work I would like to ask if you are interested in using the results and integrating sandbox support into evince. There are still a few things that need work, like GUI support as well as some adjustments to the makefiles.

The sandbox uses (lib)seccomp to restrict the application using two different modes: an invisible sandbox mode that does not affect the normal functionality at all and will not be noticed by the user (this can be used as the default), and a read-only mode that allows only the system calls evince uses to read local files (network access disabled). There are still a few weak points that need to be considered, like access to D-Bus (and sockets in general), which can be disabled by seccomp as well but needs some adjustments to the internal workings of evince. Another issue is the X server, but this can simply be resolved by using Wayland (it still works on X11 but does not isolate). What still needs to be done is to prevent launching a browser to open external links. At the moment this causes the application to crash (since seccomp blocks this), but this can be fixed easily; I just have not found the correct line yet that handles this.
The seccomp sandbox code can be found here: https://github.com/LinuxSandboxingProject/evince

I also built additional sandbox isolation using Linux namespaces, but there is actually already pretty nice (and better) code that does that (bubblewrap), and while I am not sure you want to include that by default, here is a helper script that further isolates evince using namespaces (isolating the filesystem, process and user environment as well as the network interfaces): https://github.com/valoq/bwscripts/tree/master/profiles

Seccomp alone already does some nice hardening and can be easily integrated (some more tests are advised). Combined with namespaces the resulting sandbox is even more solid. If you are interested in using this code in the official evince project I would be happy to help with any resulting issues regarding the sandbox support.
Attachment:
pgpS6A94KCfG6.pgp
Description: OpenPGP digital signature
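Added example, not part of the message above and not the LinuxSandboxingProject code (which is built on libseccomp): a seccomp-BPF filter written against the raw kernel interface that implements the "network access disabled" half of the read-only mode while leaving the UNIX-domain sockets that Wayland, X11 and D-Bus ride on alone, which is the socket problem the message raises. It inspects the first argument of socket(2) and refuses every address family except AF_UNIX with EPERM; a probe forks a child, installs the filter there and checks that an AF_INET socket fails, an AF_UNIX socket succeeds and a local file can still be read. It assumes x86_64 or aarch64 and a little-endian host; the function names and the probe file are this example's own.

```c
/* Added example: seccomp-BPF "no network" filter, raw kernel interface.
 * Assumes x86_64 or aarch64, little-endian.  Names are this example's own. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS        /* older headers only know SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define X32_SYSCALL_BIT 0x40000000U
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Copy the filter program into out[]; returns its instruction count or -1. */
static int build_netblock_filter(struct sock_filter *out, size_t cap)
{
    const struct sock_filter prog[] = {
        /* 0-2: kill on any other ABI, so syscall numbers mean what we think */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-5: load the syscall number; kill x32-ABI calls on x86_64 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 6: not socket(2)?  jump to 10 (allow) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 3),
        /* 7-9: socket(2): low 32 bits of arg 0 (the domain, little-endian);
         * AF_UNIX passes, AF_INET/AF_INET6/AF_NETLINK/... get EPERM */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        /* 10: everything else untouched */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (cap < n) return -1;
    memcpy(out, prog, sizeof prog);
    return (int)n;
}

/* Install the filter in the calling process.  The kernel only accepts a
 * filter from an unprivileged process once no_new_privs is set, which also
 * guarantees a setuid helper exec'd later cannot regain privileges while
 * running under our reduced syscall set. */
static int install_filter(struct sock_filter *insns, int len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Run the checks in a forked child so the filter never lands on the caller.
 * 0 = all good, 1 = kernel refused the filter (no seccomp-filter support),
 * 2..5 = the numbered check failed, -1 = setup problem in the parent. */
static int probe_network_block(void)
{
    char path[] = "/tmp/seccomp-probe-XXXXXX";        /* constructed local file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "hello", 5) != 5) { close(fd); unlink(path); return -1; }
    close(fd);

    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {
        struct sock_filter insns[16];
        int len = build_netblock_filter(insns, 16);
        if (len < 0 || install_filter(insns, len) != 0) _exit(1);

        int s = socket(AF_INET, SOCK_STREAM, 0);       /* 2: must be refused */
        if (s >= 0) _exit(2);
        if (errno != EPERM) _exit(3);                  /* 3: with EPERM, not a kill */
        int u = socket(AF_UNIX, SOCK_STREAM, 0);       /* 4: display/D-Bus style socket ok */
        if (u < 0) _exit(4);
        close(u);
        char buf[8] = {0};                             /* 5: local file still readable */
        int rfd = open(path, O_RDONLY);
        if (rfd < 0 || read(rfd, buf, 5) != 5 || memcmp(buf, "hello", 5) != 0) _exit(5);
        _exit(0);
    }
    int status = 0;
    int ok = waitpid(pid, &status, 0) == pid;
    unlink(path);
    return (ok && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int r = probe_network_block();
    printf("probe result: %d (0 = filter behaved as expected, 1 = seccomp filter unavailable)\n", r);
    return r == 0 ? 0 : 1;
}
```

With libseccomp the same rule is one call, seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_NE, AF_UNIX)), on top of whatever allowlist the read-only mode carries. Two caveats a reviewer would raise: the filter only stops new sockets, so any network fd inherited across exec (or passed over D-Bus) is untouched and must be closed before the filter is installed, and a single denied syscall is the weak form of sandboxing; it is shown here as the argument-inspecting piece that is hard to express, not as a replacement for the allowlist the message describes.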