[evince] Evince Sandbox



Hello everyone,

a short while ago I completed a project about sandbox technologies on
linux and evince was one of the target applications for which I
implemented a basic Sandbox. Now that I have finished my work I would
like to ask if you are interested in using the results and integrate
sandbox suppport for evince.

There are still a few things that need work, like gui support as well
as some adjustments of the makefiles.

The sandbox uses (lib)seccomp to restrict the application using two
different modes. A invisible sandbox mode that does not affect the
normal functionality at all and that will not be noticed by the user
(this can be used as the default), as well as a read only mode that
allows only the systemcalls used by evince to read local files (network
access disabled). There are still a few weakpoint that need to be
considered like access to dbus (and sockets in general), which can be
disabled by seccomp as well but needs some adjustments of the internal
workings of evince. Another issue is the x-server but this can simply
be resolved by using wayland (still works on X11 but does not isolate).
What still needs to be done is to prevent launching a browser to open
external links. At the moment this causes the application to crash
(since seccomp blocks this) but this can befixed easily, I just have
not found the correct line yet that handles this.

The seccomp sandbox code can be found here:
https://github.com/LinuxSandboxingProject/evince

I also build additional sandbox isolation by using linux namespaces but
there is actually already pretty nice (and better) code that does that
(bubblewrap) and while I am not sure you want to include that by
default, here is a helper script that further isolates evince using
namespaces (isolating the filesystem, process and user environment as
well as the network interfaces)
https://github.com/valoq/bwscripts/tree/master/profiles

Seccomp alone already does some nice hardening and can be easily
integrated (some more tests are advised). Combined with namespaces the
resulting sandbox is even more solid.

If you are interested in using this code in the official evince project
I would be happy to help with any resulting issues regarding the sandbox
support.

Attachment: pgpS6A94KCfG6.pgp
Description: OpenPGP digital signature



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]