diff options
| author | valoq | 2017-08-24 16:52:22 +0200 |
|---|---|---|
| committer | valoq | 2017-08-24 16:52:22 +0200 |
| commit | b3fb02e017b7d3d578b0324598f75a41590afd0a (patch) | |
| tree | 185240f2b1000372745be834e574acbe0354112e | |
| download | aur-b3fb02e017b7d3d578b0324598f75a41590afd0a.tar.gz | |
initial commit
| -rw-r--r-- | .SRCINFO | 46 | ||||
| -rw-r--r-- | 0001-mupdf-openjpeg.patch | 35 | ||||
| -rw-r--r-- | PKGBUILD | 130 | ||||
| -rw-r--r-- | mupdf.desktop | 15 | ||||
| -rw-r--r-- | mupdf.xpm | 497 | ||||
| -rw-r--r-- | seccomp.patch | 813 |
6 files changed, 1536 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..721123b39e32 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,46 @@ +pkgbase = mupdf-seccomp + pkgdesc = Mupdf with seccomp filter + pkgver = 1.11 + pkgrel = 1 + url = http://mupdf.com + arch = i686 + arch = x86_64 + license = AGPL3 + makedepends = curl + makedepends = desktop-file-utils + makedepends = freetype2 + makedepends = glfw + makedepends = harfbuzz + makedepends = jbig2dec + makedepends = libjpeg + makedepends = mesa-libgl + makedepends = openjpeg2 + makedepends = openssl + makedepends = libxext + conflicts = libmupdf + conflicts = mupdf + source = https://mupdf.com/downloads/mupdf-1.11-source.tar.gz + source = 0001-mupdf-openjpeg.patch + source = mupdf.desktop + source = mupdf.xpm + source = seccomp.patch + sha256sums = 209474a80c56a035ce3f4958a63373a96fad75c927c7b1acdc553fc85855f00a + sha256sums = 01ad0365bc7be670a7a11603cb48ef89d85d804029dcf5420aa70846fe5dce4a + sha256sums = 70f632e22902ad4224b1d88696702b3ba4eb3c28eb7acf735f06d16e6884a078 + sha256sums = a435f44425f5432c074dee745d8fbaeb879038ec1f1ec64f037c74662f09aca8 + sha256sums = 7b2936c31fea61b9623eb9a40d81818d1d1dd12f029222d2722b9002e723e5b4 + +pkgname = libmupdf-seccomp + pkgdesc = Library for Lightweight PDF viewer + +pkgname = mupdf-seccomp + pkgdesc = Lightweight PDF viewer with seccomp filter + depends = curl + depends = desktop-file-utils + depends = freetype2 + depends = harfbuzz + depends = jbig2dec + depends = libjpeg + depends = openjpeg2 + depends = openssl + diff --git a/0001-mupdf-openjpeg.patch b/0001-mupdf-openjpeg.patch new file mode 100644 index 000000000000..39b2e3c5a10f --- /dev/null +++ b/0001-mupdf-openjpeg.patch @@ -0,0 +1,35 @@ +diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c +index d01de58..6ca3838 100644 +--- a/source/fitz/load-jpx.c ++++ b/source/fitz/load-jpx.c +@@ -444,14 +444,18 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int + + #else /* HAVE_LURATECH */ + ++#ifdef __cplusplus ++extern "C" ++{ + #define OPJ_STATIC + #define OPJ_HAVE_INTTYPES_H + #if !defined(_WIN32) && !defined(_WIN64) + #define OPJ_HAVE_STDINT_H + #endif ++#endif + #define USE_JPIP + +-#include <openjpeg.h> ++#include <openjpeg-2.2/openjpeg.h> + + struct fz_jpxd_s + { +@@ -919,6 +923,10 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int + *yresp = state.yres; + } + ++#ifdef __cplusplus ++} ++#endif ++ + #endif /* HAVE_LURATECH */ + + #else /* FZ_ENABLE_JPX */ diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..5d693d5fd452 --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,130 @@ +# Maintainer: valoq <valoq@mailbox.org> + +_pkgbase=mupdf +pkgbase=${_pkgbase}-seccomp +pkgname=(libmupdf-seccomp mupdf-seccomp) +pkgver=1.11 +_pkgver=1.11 +pkgrel=1 +pkgdesc='Mupdf with seccomp filter' +arch=('i686' 'x86_64') +url='http://mupdf.com' +license=('AGPL3') +conflicts=(libmupdf mupdf) +makedepends=('curl' 'desktop-file-utils' 'freetype2' 'glfw' 'harfbuzz' + 'jbig2dec' 'libjpeg' 'mesa-libgl' 'openjpeg2' 'openssl' 'libxext') +source=("https://mupdf.com/downloads/mupdf-${pkgver/_/}-source.tar.gz" + '0001-mupdf-openjpeg.patch' + 'mupdf.desktop' + 'mupdf.xpm' + 'seccomp.patch') + +sha256sums=('209474a80c56a035ce3f4958a63373a96fad75c927c7b1acdc553fc85855f00a' + '01ad0365bc7be670a7a11603cb48ef89d85d804029dcf5420aa70846fe5dce4a' + '70f632e22902ad4224b1d88696702b3ba4eb3c28eb7acf735f06d16e6884a078' + 'a435f44425f5432c074dee745d8fbaeb879038ec1f1ec64f037c74662f09aca8' + '7b2936c31fea61b9623eb9a40d81818d1d1dd12f029222d2722b9002e723e5b4') + + +prepare() { + cd ${_pkgbase}-${_pkgver/_/}-source + + # remove bundled packages, we want our system libraries + rm -rf thirdparty/{curl,freetype,glfw,harfbuzz,jbig2dec,jpeg,openjpeg,mujs,zlib} + + # fix function for openjpeg 2.2.x + patch -Np1 < "${srcdir}/0001-mupdf-openjpeg.patch" + + # fix includes for jbig2dec + sed '/^JBIG2DEC_CFLAGS :=/s|$| -I./include/mupdf|' -i Makethird + + # apply seccomp patch + patch -Np1 < "${srcdir}/seccomp.patch" + + # embedding CJK fonts into binaries is madness... + sed '/* #define TOFU_CJK /c #define TOFU_CJK 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU /c #define TOFU 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU_CJK_EXT /c #define TOFU_CJK_EXT 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU_EMOJI /c #define TOFU_EMOJI 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU_HISTORIC /c #define TOFU_HISTORIC 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU_SYMBOL /c #define TOFU_SYMBOL 1' -i include/mupdf/fitz/config.h + sed '/* #define TOFU_SIL /c #define TOFU_SIL 1' -i include/mupdf/fitz/config.h + + # disable XPS + sed '/* #define FZ_ENABLE_XPS /c #define FZ_ENABLE_XPS 0' -i include/mupdf/fitz/config.h + + # disable SVG + sed '/* #define FZ_ENABLE_SVG /c #define FZ_ENABLE_SVG 0' -i include/mupdf/fitz/config.h + + # disable CBZ + sed '/* #define FZ_ENABLE_CBZ /c #define FZ_ENABLE_CBZ 0' -i include/mupdf/fitz/config.h + + # disable IMG + sed '/* #define FZ_ENABLE_IMG /c #define FZ_ENABLE_IMG 0' -i include/mupdf/fitz/config.h + + # disable TIFF + sed '/* #define FZ_ENABLE_TIFF /c #define FZ_ENABLE_TIFF 0' -i include/mupdf/fitz/config.h + + # disable HTML + sed '/* #define FZ_ENABLE_HTML /c #define FZ_ENABLE_HTML 0' -i include/mupdf/fitz/config.h + + # disable EPUB + sed '/* #define FZ_ENABLE_EPUB /c #define FZ_ENABLE_EPUB 0' -i include/mupdf/fitz/config.h + + # disable GPRF + sed '/* #define FZ_ENABLE_GPRF /c #define FZ_ENABLE_GPRF 0' -i include/mupdf/fitz/config.h + + # disable JS + sed '/* #define FZ_ENABLE_JS /c #define FZ_ENABLE_JS 0' -i include/mupdf/fitz/config.h +} + +build() { + CFLAGS+=' -fPIC -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2' + CXXFLAGS+=' -fPIC -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2' + LDFLAGS+=' -pie' + export CFLAGS CXXFLAGS LDFLAGS + +# CFLAGS+=' -fPIC' +# CXXFLAGS+=' -fPIC' +# export CFLAGS CXXFLAGS + +# HAVE_GLFW='yes' +# SYS_GLFW_CFLAGS="$(pkg-config --cflags glfw3)" +# SYS_GLFW_LIBS="$(pkg-config --libs glfw3) -lGL" +# export HAVE_GLFW SYS_GLFW_CFLAGS SYS_GLFW_LIBS + + cd ${_pkgbase}-${_pkgver/_/}-source + make build=release +} + +#the libmupdf package does not contain any seccomp functionalty. Seccomp is process based. +package_libmupdf-seccomp() { +pkgdesc='Library for Lightweight PDF viewer' + + cd ${_pkgbase}-${_pkgver/_/}-source + + make build=release prefix="$pkgdir"/usr install + + rm -rf "$pkgdir"/usr/{bin,share/man} + mv "$pkgdir"/usr/share/doc/mupdf "$pkgdir"/usr/share/doc/libmupdf + + find "$pkgdir"/usr/include "$pkgdir"/usr/share "$pkgdir"/usr/lib \ + -type f -exec chmod 0644 {} + +} + +package_mupdf-seccomp() { + pkgdesc='Lightweight PDF viewer with seccomp filter' + depends=('curl' 'desktop-file-utils' 'freetype2' 'harfbuzz' 'jbig2dec' + 'libjpeg' 'openjpeg2' 'openssl') + + cd ${_pkgbase}-${_pkgver/_/}-source + + install -D -m0755 build/release/mupdf-x11 "$pkgdir"/usr/bin/mupdf + install -D -m0644 docs/man/mupdf.1 "$pkgdir"/usr/share/man/man1/mupdf.1 + install -d "$pkgdir"/usr/share/doc/mupdf + install -m0644 README COPYING CHANGES "$pkgdir"/usr/share/doc/mupdf + install -D -m0644 ../mupdf.desktop "$pkgdir"/usr/share/applications/mupdf.desktop + install -D -m0644 ../mupdf.xpm "$pkgdir"/usr/share/pixmaps/mupdf.xpm +} + + diff --git a/mupdf.desktop b/mupdf.desktop new file mode 100644 index 000000000000..1773247729b3 --- /dev/null +++ b/mupdf.desktop @@ -0,0 +1,15 @@ +[Desktop Entry] +Name=MuPDF +GenericName=PDF file viewer +Exec=mupdf %f +TryExec=mupdf +Icon=mupdf +Terminal=false +Type=Application +MimeType=application/pdf;application/x-pdf;application/x-cbz;application/oxps;application/vnd.ms-xpsdocument;image/jpeg;image/pjpeg;image/png;image/tiff;image/x-tiff +Categories=Viewer;Graphics; +Actions=View +NoDisplay=true +[Desktop Action View] +Name=View with mupdf +Exec=mupdf %f diff --git a/mupdf.xpm b/mupdf.xpm new file mode 100644 index 000000000000..2c042f4ea8e2 --- /dev/null +++ b/mupdf.xpm @@ -0,0 +1,497 @@ +/* XPM */ +static char *mupdf[] = { +/* width height ncolors chars_per_pixel */ +"48 48 442 2", +/* colors */ +" c #000000", +" . c #2E4558", +" X c #252121", +" o c #AFAFAF", +" O c #28313B", +" + c #231F1F", +" @ c #686666", +" # c #98BDD7", +" $ c #201B1C", +" % c #7CABCC", +" & c #4487B6", +" * c #DFDEDE", +" = c #4285B4", +" - c #615E5F", +" ; c #605E5E", +" : c #23262C", +" > c #D9D8D8", +" , c #F7FAFC", +" < c #D7D6D6", +" 1 c #BFD6E6", +" 2 c #6BA0C5", +" 3 c #232122", +" 4 c #555253", +" 5 c #CDCCCC", +" 6 c #E7EFF6", +" 7 c #4786B2", +" 8 c #CADDEA", +" 9 c #4085B5", +" 0 c #AECBDF", +" q c #CBCACA", +" w c #92B9D4", +" e c #365F7D", +" r c #5A95BE", +" t c #3E83B3", +" y c #304B60", +" u c #C7C6C6", +" i c #4D8EBB", +" p c #F1F6F9", +" a c #C1C0C0", +" s c #454243", +" d c #669CC3", +" f c #81AECD", +" g c #7A7777", +" h c #434041", +" j c #3E779F", +" k c #272E36", +" l c #413E3F", +" z c #3F3C3D", +" x c #5895BF", +" c c #3D3A3B", +" v c #C6DBE9", +" b c #B8B6B7", +" n c #4282B0", +" m c #FDFDFE", +" M c #B7B6B6", +" N c #8DB5D2", +" B c #242529", +" V c #B3B2B2", +" C c #222327", +" Z c #B0AEAF", +" A c #EDF4F8", +" S c #686565", +" D c #488AB9", +" F c #9ABED8", +" G c #7EACCD", +" H c #ECF2F7", +" J c #211C1C", +" K c #666363", +" L c #F1F1F2", +" P c #ABAAAA", +" I c #4588B6", +" U c #A9A8A8", +" Y c #2D2A2B", +" T c #A7A6A6", +" R c #615D5E", +" E c #2B2829", +" W c #8DB7D5", +" Q c #F9FBFD", +" ! c #DDE9F2", +" ~ c #F8FBFC", +" ^ c #DCE9F1", +" / c #A5C5DC", +" ( c #89B3D1", +" ) c #5C5959", +" _ c #A4C5DB", +" ` c #335A76", +" ' c #518FBB", +" ] c #E6E7E7", +" [ c #5A5757", +" { c #232021", +" } c #33536C", +" | c #98BED9", +". c #E0E1E1", +".. c #7CACCE", +".X c #4488B8", +".o c #2D3F4F", +".O c #999898", +".+ c #4388B7", +".@ c #5E98C1", +".# c #CDCDCB", +".$ c #524F4F", +".% c #B0CCE0", +".& c #979696", +".* c #78A8CA", +".= c #5C96BF", +".- c #969495", +".; c #4084B4", +".: c #252930", +".> c #949293", +"., c #929091", +".< c #417FAB", +".1 c #4F8FBC", +".2 c #F3F7FA", +".3 c #D3D3D4", +".4 c #D7E5EF", +".5 c #222023", +".6 c #9FC1D9", +".7 c #679DC3", +".8 c #37678A", +".9 c #4B8BB8", +".0 c #3E769E", +".q c #3C749C", +".w c #403D3D", +".e c #92BAD6", +".r c #C8DCEA", +".t c #FEFEFE", +".y c #3D393A", +".u c #3B3738", +".i c #355974", +".p c #353132", +".a c #7A7879", +".s c #498BB9", +".d c #9BBFD8", +".f c #4E8AB4", +".g c #787677", +".h c #F2F2F2", +".j c #F0F0F0", +".k c #2F2B2C", +".l c #EEEEEE", +".z c #727071", +".x c #26282D", +".c c #ECECEC", +".v c #2B2728", +".b c #FAFCFD", +".n c #EAEAEA", +".m c #DEEAF2", +".M c #E9EAE9", +".N c #C2D8E7", +".B c #6E6C6D", +".V c #5390BC", +".C c #E8E8E8", +".Z c #6EA2C6", +".A c #272324", +".S c #E7E6E7", +".D c #E6E6E6", +".F c #252122", +".G c #29333D", +".H c #E4E4E4", +".J c #3F7AA5", +".K c #231F20", +".L c #E2E2E2", +".P c #211D1E", +".I c #E0E0E0", +".U c #EAF1F7", +".Y c #6099C2", +".T c #1F1B1C", +".R c #E9F1F6", +".E c #CDDFEB", +".W c #4387B6", +".Q c #96BBD6", +".! c #B1CDE0", +".~ c #DEDEDE", +".^ c #79A9CA", +"./ c #4285B5", +".( c #272A31", +".) c #5D97BF", +"._ c #4185B4", +".` c #DCDCDC", +".' c #959393", +".] c #DADADA", +".[ c #314B5F", +".{ c #D8D8D8", +".} c #D7D8D7", +".| c #D6D6D6", +"X c #F5F8FB", +"X. c #D4D4D4", +"XX c #6AA0C5", +"Xo c #BDD4E5", +"XO c #3A6A8C", +"X+ c #232123", +"X@ c #D3D4D3", +"X# c #D2D2D2", +"X$ c #D0D0D0", +"X% c #CECECE", +"X& c #CCCCCC", +"X* c #CADDEB", +"X= c #37617F", +"X- c #242A31", +"X; c #CACACA", +"X: c #C8DBE9", +"X> c #90B7D3", +"X, c #817F7F", +"X< c #3F7EAB", +"X1 c #548FB9", +"X2 c #355873", +"X3 c #7D7B7B", +"X4 c #C2C2C2", +"X5 c #4B8CBA", +"X6 c #C0C0C0", +"X7 c #D4E4EE", +"X8 c #81AECE", +"X9 c #659CC3", +"X0 c #787576", +"Xq c #4788B6", +"Xw c #252C35", +"Xe c #757373", +"Xr c #BABABA", +"Xt c #FCFDFE", +"Xy c #B6B6B6", +"Xu c #C4D9E8", +"Xi c #706D6E", +"Xp c #8CB5D2", +"Xa c #70A3C7", +"Xs c #8BB5D1", +"Xd c #5491BC", +"Xf c #5391BB", +"Xg c #282424", +"Xh c #272223", +"Xj c #6C696A", +"Xk c #2F4659", +"Xl c #6B6969", +"Xz c #407BA5", +"Xx c #6A6768", +"Xc c #E4E3E3", +"Xv c #3E79A3", +"Xb c #231E1F", +"Xn c #221E1E", +"Xm c #E2E1E1", +"XM c #211C1D", +"XN c #EBF2F7", +"XB c #201C1C", +"XV c #CFE0EC", +"XC c #4588B7", +"XZ c #B3CEE1", +"XA c #366384", +"XS c #5F98C0", +"XD c #4386B5", +"XF c #DEDDDD", +"XG c #2B3D4B", +"XH c #615F5F", +"XJ c #5F5D5D", +"XK c #5E5B5C", +"XL c #DCE9F2", +"XP c #407DA8", +"XI c #86B1CF", +"XU c #D4D3D3", +"XY c #3A698B", +"XT c #3E7BA6", +"XR c #232022", +"XE c #545152", +"XW c #999899", +"XQ c #79AACC", +"X! c #524F50", +"X~ c #CCCDCB", +"X^ c #3D749B", +"X/ c #93BAD5", +"X( c #77A8CA", +"X) c #37607E", +"X_ c #5B96BF", +"X` c #3F84B4", +"X' c #CAC9C9", +"X] c #C6C5C5", +"X[ c #3F7DAA", +"X{ c #F2F7FA", +"X} c #C2C1C1", +"X| c #212023", +"o c #9EC1D9", +"o. c #444142", +"oX c #3F78A0", +"oo c #90B8D5", +"oO c #FEFEFF", +"o+ c #E2ECF4", +"o@ c #2B3A47", +"o# c #25262A", +"o$ c #B1AFB0", +"o% c #28313A", +"o& c #221D1D", +"o* c #262F38", +"o= c #629BC2", +"o- c #302D2E", +"o; c #6199C1", +"o: c #201B1B", +"o> c #4587B6", +"o, c #F0F0F1", +"o< c #2D3E4C", +"o1 c #2E2B2C", +"o2 c #4385B4", +"o3 c #A8A7A7", +"o4 c #A7A5A6", +"o5 c #3D7197", +"o6 c #4183B2", +"o7 c #4083B1", +"o8 c #A5A3A4", +"o9 c #3B6F95", +"o0 c #5290BC", +"oq c #A4C4DB", +"ow c #E9F1F7", +"oe c #4387B7", +"or c #E7EFF5", +"ot c #CBDDEA", +"oy c #4185B5", +"ou c #5B95BE", +"oi c #3F83B3", +"op c #939192", +"oa c #929191", +"os c #2B3743", +"od c #4C4849", +"of c #2A3742", +"og c #F4F8FB", +"oh c #D8E6F0", +"oj c #4C8CB9", +"ok c #211F22", +"ol c #CFD0D0", +"oz c #444041", +"ox c #262C34", +"oc c #413E3E", +"ov c #403C3D", +"ob c #3B739B", +"on c #858384", +"om c #FFFFFF", +"oM c #E3EDF4", +"oN c #5995BF", +"oB c #3E3A3B", +"oV c #C7DBE9", +"oC c #2F4B61", +"oZ c #5793BD", +"oA c #3C3839", +"oS c #2A3945", +"oD c #7E7D7D", +"oF c #345873", +"oG c #363233", +"oH c #7B797A", +"oJ c #EFF4F9", +"oK c #EEF4F8", +"oL c #F3F3F3", +"oP c #9ABED7", +"oI c #4788B7", +"oU c #629AC1", +"oY c #ACAAAA", +"oT c #F1F1F1", +"oR c #EFEFEF", +"oE c #737172", +"oW c #EDEDED", +"oQ c #A9C9DF", +"o! c #FBFDFE", +"o~ c #EBEBEB", +"o^ c #DFEBF3", +"o/ c #4581AB", +"o( c #6F6D6E", +"o) c #EAE9EA", +"o_ c #E9E9E9", +"o` c #C1D7E6", +"o' c #E7E7E7", +"o] c #E6E7E6", +"o[ c #E5E5E5", +"o{ c #3F7BA5", +"o} c #242021", +"o| c #E3E3E3", +"O c #3E79A4", +"O. c #221E1F", +"OX c #26303A", +"Oo c #9C9A9A", +"OO c #E1E1E1", +"O+ c #201C1D", +"O@ c #4488B7", +"O# c #DFDFDF", +"O$ c #7BAACC", +"O% c #356384", +"O& c #1E1A1B", +"O* c #4386B6", +"O= c #4286B5", +"O- c #95BAD5", +"O; c #DDDDDD", +"O: c #1C1819", +"O> c #DBDBDB", +"O, c #D9D9D9", +"O< c #D7D7D7", +"O1 c #417FAA", +"O2 c #DAE7F1", +"O3 c #F5F9FB", +"O4 c #D5D5D5", +"O5 c #242224", +"O6 c #D4D3D4", +"O7 c #85B1CF", +"O8 c #D3D3D3", +"O9 c #699FC4", +"O0 c #4D8DB9", +"Oq c #222022", +"Ow c #34556F", +"Oe c #D1D1D1", +"Or c #D0CFD0", +"Ot c #8A8888", +"Oy c #CFCFCF", +"Ou c #CDCDCD", +"Oi c #CCCDCC", +"Op c #CADEEB", +"Oa c #E5EEF5", +"Os c #C9DCEA", +"Od c #ADCADF", +"Of c #C8DCE9", +"Og c #91B8D4", +"Oh c #5994BE", +"Oj c #3D82B3", +"Ok c #5894BD", +"Ol c #3C82B2", +"Oz c #4181AD", +"Ox c #3B3737", +"Oc c #C5C5C5", +"Ov c #293643", +"Ob c #3E7DAA", +"On c #C1C1C1", +"Om c #353131", +"OM c #D4E3EE", +"ON c #B8D1E3", +"OB c #BFBFBF", +"OV c #9CBFD8", +"OC c #80ADCD", +"OZ c #649BC2", +"OA c #4889B7", +"OS c #BDBDBD", +"OD c #2E292A", +"OF c #4283B1", +"OG c #B7B7B7", +"OH c #4183B0", +"OJ c #5794BF", +"OK c #A7C6DC", +"OL c #365B77", +"OP c #8BB4D1", +"OI c #282324", +"OU c #272323", +"OY c #6C6A6A", +"OT c None", +/* pixels */ +" oToToToT L.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h LoToToToT ", +"o,.joToToToToToToToToToToToToToToToToToToToT.h.h.h.hoToToToToToToToToToToToToToToToToToToToT.j.j", +".j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.joToLoLoR.D.~ > >.~.DoRoLoLoT.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j", +"oRoRoRoRoRoRoRoRoRoRoRoRoRoRoRoT.hXcOBoaXjX!oz c cozX!XjoaOBXc.hoToRoRoRoRoRoRoRoRoRoRoRoRoRoRoR", +".l.l.l.l.l.l.l.l.l.l.l.l.loR.j <.'X! Y.P.To: $ J J $o:.T.P YX!.' <.joR.l.l.l.l.l.l.l.l.l.l.l.l.l", +".l.l.l.l.l.l.l.l.l.l.l.l.jXm.&oz + $o& 3.x OoSXGXGoS O.x 3o& $ +oz.&Xm.j.l.l.l.l.l.l.l.l.l.l.l.l", +"oWoWoWoWoWoWoWoWoWoWoWoR uXK X $XRo% yXA.qo/.fX1X1.fo/.qXA yo%XR $ XXK uoRoWoWoWoWoWoWoWoWoWoWoW", +".c.c.c.c.c.c.c.c.c.coW Z z $ {os eXTo0..oQX*XLoMoMXLOpoQ..o0XT eos { $ z ZoW.c.c.c.c.c.c.c.c.c.c", +"o~o~o~o~o~o~o~o~o~.co3.p $.(X2X[OJ FOM !Of 0.d wOg.d 0Os.mOM FOJObX2.( $.po3.co~o~o~o~o~o~o~o~o~", +".n.n.n.n.n.n.n.noW VoGXMoso9XC G.N.!.^XfXD tOjOlOlOj tXDXd.^.% 1O$O@o9osXMoG VoW.n.n.n.n.n.n.n.n", +".n.n.n.n.n.n.n.c qo.XBo<XvX5 No oUO0 fOPXpXpXpXpXpXpXpXpOP ( NOdo^OV.sXvo<XBo. q.c.n.n.n.n.n.n.n", +"o_o_o_o_o_o_.M.L @ $o@o{.s.^.Z & t.* ~omomomomomomomomomomomom.toO.b _ D.Jo@ $ @.Lo)o_o_o_o_o_o_", +".C.C.C.C.C.Co~o8Xg kX^oeoZXf._XDXD 0omomomomomomomomomomomomomomomom.b #XCX^ kXgo8o~.C.C.C.C.C.C", +"o'o'o'o'o'.CO>.$okX=oeXDo>O=XD./Xd.momomomomomomomomomomomomomom pX7.NOK 'oeX=ok.$O>.Co'o'o'o'o'", +" ]o'o'o'.So_ TXh.o nXDXDXDXDXD.; %.bomomomomomomomomomomomomoOo`O9ojo>XDXDXD n.oXh To_ ]o'o'o'.S", +".D.D.D.D.Do| SX|XY.+XDXDXDXDXDXDXZomomomomomomomomomomomomom.4Xd.;O=XDXDXDXD.+XYX| So|.D.D.D.D.D", +"o[o[o[o[.D 5OxOvOzO*XDXDXDXD =oZo+omomomomomomomomomomomomomoP.;XDXDXDXDXDXDO*OzOvOx 5o]o[o[o[o[", +".H.H.H.Ho' POU }oeXDXDXDXDXD.;X8o!omomomomomomomomomomomom.bX(.;XDXDXDXDXDXDXDoe }OU Po'.H.H.H.H", +"o|o|o|o|.DOt.5XO.+XDXDXDXDXD &ONomomomomomomomomomomomomom.2.7._XDXDXDXDXDXDXD.+XO.5Ot.Do|o|o|o|", +"o|o|o|o|o|Xi : j.WXDXDXDXD = rOaomomomomomomomomomomomomom AXS._XDXDXDXDXDXDXD.W j :Xio|o|o|o|o|", +".L.L.L.L.I RXwXP.WXDXDXDXD.;XI momomomomomomomomomomomomomXN.=._XDXDXDXDXDXDXD.WXPXw R.I.L.L.L.L", +"OOOOOOOOO; [OX.<O*XDXDXDXD IXoomomomomomomomomomomomomomom.UX_._XDXDXDXDXDXDXDO*.<OX [O;OOOOOOOO", +".I.I.I.IO; )o*O1O*XDXDXD._.).Romomomomomog ~omomomomomomom.UX_._XDXDXDXDXDXDXDO*O1o* )O;.I.I.I.I", +"O#O#O#O#O# KX-Xz.WXDXDXD.;XsoOomomomomom vowomomomomomomom.UX_._XDXDXDXDXDXDXD.WXzX- KO#O#O#O#O#", +"O#O#O#O#. g Co5oeXDXDXDXq.Nomomomomom ,X>oromomomomomomom.UX_._XDXDXDXDXDXDXDoeo5 C gOOO#O#O#O#", +".~.~.~.~OO.- {X).XXDXD._o; HomomomomomohO9.Romomomomomomom.UX_._XDXDXDXDXDXDXD.XX) {.-OO.~.~.~.~", +"O;O;O;O;O#XyOD .o2XDXD.;Ogomomomomomom / r.Uomomomomomomom.UX_._XDXDXDXDXDXDXDo2 .ODXyO#O;O;O;O;", +".`.`.`.`O;Oeod.:oX.WXDOAoVomomomomomO3XaOk.Uomomomomomomom.UX_._XDXDXDXDXDXD.WoX.:odOeO;.`.`.`.`", +"O>O>O>O>O>O;X,.POw.W._ doJomomomomomOMoj r.Uomomomomomomom.UX_._XDXDXDXDXDXD.WOw.PX,O;O>O>O>O>O>", +"O>O>O>O>O>O;XrOmox.0 9X8Xtomomomomom.6X`ou.Uomomomomomomom.UX_._XDXDXDXDXDoe.0oxOmXrO;O>O>O>O>O>", +".].].].].].]O,.z JXkOH.VotomomomomX{ 2oiou.Uomomomomomomom.UX_._XDO= &O0 &OFXk J.zO,.].].].].].]", +"O,O,O,O,O,O,O>OS.yOq.i._OZ ^omomom.E.9._ou.Uomomomomomomom.UX_._._.9.ZXdO=.iOq.yOSO>O,O,O,O,O,O,", +".{.{.{.{.{.{.{.].,.A BX)oyXXO2omom.Q.;._ou.Uomomomomomomom.UOh._ dO-X9O=X) BOI.,.].{.{.{.{.{.{.{", +"O<O<O<O<O<O<O<.{O8o(Xno#OLo7.YXuX O7oIoiOk.Romomomomomomom HOCoqOdo=o6OLo#Xno(O8.{O<O<O<O<O<O<O<", +"O<O<O<O<O<O<O<O<.{X'XJ.PO5.[O iOgXVX:OVXsoKomomomomomomom.bOMX/.1O .[O5.PXJX'.{O<O<O<O<O<O<O<O<", +".|.|.|.|.|.|.|.|.|.}X]XH.KXn.G eX<oN.e 8 6 Qomomomom.bXN.roo xX< e.GXn.KXHX].}.|.|.|.|.|.|.|.|.|", +"O4O4O4O4O4O4O4O4O4O4O<X;Xe.vXBX+ofoFob 7.@XQ W | | WXQ.@ 7oboFofX+XB.vXeX;O<O4O4O4O4O4O4O4O4O4O4", +"X.X.X.X.X.X.X.X.X.X.X.O4X#XW sO. J.K.xo@oC `O%.8.8O% `oCo@.x.K JO. sXWX#O4X.X.X.X.X.X.X.X.X.X.X.", +"O8O8O8O6O8XUXUO8O8XUXUO8X..|OnX,oc.F $ Jo&XbXRO5O5XRXbo& J $.FocX,On.|X.O8XUX@X@O8.3O8O8O8O8O8X@", +"O8O8O8O8O8O8O8O8O8O8O8O8O8O8X.X. aop ; c Eo}.PXMXM.Po} E c ;op aX.X.O8O8O8O8O8O8O8O8O8O8O8O8O8O8", +"X#X#X#X#X#X#X#X#X#X#X#X#X#X#X#X#O8O4X$X6 P.-onX3X3on.- PX6X$O4O8X#X#X#X#X#X#X#X#X#X#X#X#X#X#X#X#", +"OeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeO8X4OGOnOcOcX} MOSX#OeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOeOe", +"X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$O8ono-oAov.w.u.koEX#X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$", +"X$X$X$X$X$X$X$X$X$olX$X$X$X$X$X$X$X$X$X#oD l.>o1O+.P.T.BOeX$X$X$X$X$X$X$OrOrX$X$X$X$X$X$X$X$X$X$", +"OyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyX#oHXEXFoBO&.TO:OYX$OyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOyOy", +"X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%Oy POo.CX0 -Xx.g TOyX%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%", +"X%X%OuOuOuOuOuOuOuOuOuOuOuOuOuOuOuOuOuX% oo$.h boYo4.O UX%OuOuOuOuOuOuOuOuOuOuOuOuOuOuOuOuOuX%X%", +" Ou.#OuOuOiX&X&X&X&X&X&X&X&X&X&X&X&X&Oy.a 4 * h.K.KO&XlX%X&X&X&X&X&X&X&X&X&X&X&X&X&X&OuOuX~Ou " +}; diff --git a/seccomp.patch b/seccomp.patch new file mode 100644 index 000000000000..f551dc87f85d --- /dev/null +++ b/seccomp.patch @@ -0,0 +1,813 @@ +diff -Naur mupdf-1.11-source/Makefile mupdf-1.11/Makefile +--- mupdf-1.11-source/Makefile 2017-04-05 13:02:21.000000000 +0200 ++++ mupdf-1.11/Makefile 2017-08-20 13:59:29.260759197 +0200 +@@ -16,6 +16,12 @@ + # set a variable that was set on the command line. + CFLAGS += $(XCFLAGS) -Iinclude -Igenerated + LIBS += $(XLIBS) -lm ++LIBS += -lseccomp ++ ++# please note: rules set in makerules do not work yet. ++# HAVE_LIBSECCOMP should be defined here ++# todo: implement protectedView option ++# and additional mupdf-x11-sandbox binary should be created for protectedView + + LIBS += $(FREETYPE_LIBS) + LIBS += $(HARFBUZZ_LIBS) +@@ -34,6 +40,7 @@ + CFLAGS += $(JPEGXR_CFLAGS) + CFLAGS += $(LIBCRYPTO_CFLAGS) + CFLAGS += $(LIBJPEG_CFLAGS) ++CFLAGS += $(LIBSECCOMP_CFLAGS) + CFLAGS += $(LURATECH_CFLAGS) + CFLAGS += $(MUJS_CFLAGS) + CFLAGS += $(OPENJPEG_CFLAGS) +@@ -344,14 +351,14 @@ + + ifeq "$(HAVE_X11)" "yes" + MUVIEW_X11_EXE := $(OUT)/mupdf-x11 +-MUVIEW_X11_OBJ := $(addprefix $(OUT)/platform/x11/, x11_main.o x11_image.o pdfapp.o) ++MUVIEW_X11_OBJ := $(addprefix $(OUT)/platform/x11/, x11_main.o libsec.o x11_image.o pdfapp.o) + $(MUVIEW_X11_OBJ) : $(FITZ_HDR) $(PDF_HDR) + $(MUVIEW_X11_EXE) : $(MUVIEW_X11_OBJ) $(MUPDF_LIB) $(THIRD_LIB) + $(LINK_CMD) $(X11_LIBS) + + ifeq "$(HAVE_CURL)" "yes" + MUVIEW_X11_CURL_EXE := $(OUT)/mupdf-x11-curl +-MUVIEW_X11_CURL_OBJ := $(addprefix $(OUT)/platform/x11/curl/, x11_main.o x11_image.o pdfapp.o curl_stream.o) ++MUVIEW_X11_CURL_OBJ := $(addprefix $(OUT)/platform/x11/curl/, x11_main.o libsec.o x11_image.o pdfapp.o curl_stream.o) + $(MUVIEW_X11_CURL_OBJ) : $(FITZ_HDR) $(PDF_HDR) + $(MUVIEW_X11_CURL_EXE) : $(MUVIEW_X11_CURL_OBJ) $(MUPDF_LIB) $(THIRD_LIB) $(CURL_LIB) + $(LINK_CMD) $(X11_LIBS) $(CURL_LIBS) $(SYS_CURL_DEPS) +diff -Naur mupdf-1.11-source/Makerules mupdf-1.11/Makerules +--- mupdf-1.11-source/Makerules 2017-04-05 13:02:21.000000000 +0200 ++++ mupdf-1.11/Makerules 2017-08-20 13:57:17.007431598 +0200 +@@ -155,6 +155,12 @@ + SYS_OPENJPEG_LIBS := $(shell pkg-config --libs libopenjp2) + endif + ++ifeq "$(shell pkg-config --exists libseccomp && echo yes)" "yes" ++HAVE_LIBSECCOMP = yes ++SYS_LIBSECCOMP_CFLAGS = $(shell pkg-config --cflags libseccomp) ++SYS_LIBSECCOMP_LIBS = $(shell pkg-config --libs libseccomp) ++endif ++ + SYS_JBIG2DEC_LIBS := -ljbig2dec + SYS_LIBJPEG_LIBS := -ljpeg + SYS_ZLIB_LIBS := -lz +@@ -279,3 +285,8 @@ + HAVE_X11 ?= no + HAVE_GLFW ?= no + endif ++ ++ifeq "$(HAVE_PTHREADS)" "yes" ++CFLAGS += -DHAVE_PTHREADS ++LIBS += -lpthread ++endif +diff -Naur mupdf-1.11-source/Makethird mupdf-1.11/Makethird +--- mupdf-1.11-source/Makethird 2017-04-05 13:02:21.000000000 +0200 ++++ mupdf-1.11/Makethird 2017-08-20 14:00:35.777422980 +0200 +@@ -721,3 +721,10 @@ + PTHREAD_CFLAGS := $(SYS_PTHREAD_CFLAGS) + PTHREAD_LIBS := $(SYS_PTHREAD_LIBS) + #endif ++ ++# --- libSeccomp --- ++ ++ifeq "$(HAVE_LIBSECCOMP)" "yes" ++LIBSECCOMP_CFLAGS := $(SYS_LIBSECCOMP_CFLAGS) ++LIBSECCOMP_LIBS := $(SYS_LIBSECCOMP_LIBS) ++endif +diff -Naur mupdf-1.11-source/README.md mupdf-1.11/README.md +--- mupdf-1.11-source/README.md 1970-01-01 01:00:00.000000000 +0100 ++++ mupdf-1.11/README.md 2017-03-12 20:37:31.149547576 +0100 +@@ -0,0 +1,37 @@ ++# mupdf ++Sandboxed Mupdf Document Viewer ++ ++This modified version of Mupdf includes support for seccomp to implement sandbox support on linux systems using libseccomp ++ ++The original application can be found here: https://mupdf.com ++ ++ ++Sandbox modes: ++-------------- ++ ++There are two different sandbox modes available at the moment: ++ ++- Invisible sandbox mode: this mode does not affect the normal functionality at all and will not be noticed by the user. It only blacklists some dangerous and rare syscalls and uses the no_new_privs flag to prevent the process to gain more privileges (e.g. by using suid) ++ ++- Read only mode: this mode does not allow writing files or access to the network. It is designed to only allow reading local files. By using a whitelist of allowed systemcalls, 90 % of the kernel interface is unavailable for the process, reducing the attack surface of the kernel significantly and limiting the movement of exploit code. ++ ++ ++ ++Future Work ++----------- ++ ++It is possible to further restrict the list of allowed syscalls right before a document file is interpreted. This also includes blocking the use of syscalls needed for unix domain socket communication as used to communicate to IPC services like Dbus, which presents a weakpoint in sandboxing for modern Linux desktop systems. ++ ++ ++ ++Weak Points ++----------- ++ ++One of the remaining weak points is the X11 Server. Without switching to wayland and blocking X11 access, keylogging is trivial. ++ ++ ++ ++Additional Sandbox support ++-------------------------- ++ ++Using linux namespaces container features, it is possible to further isolate the application from the rest of the system. With the bubblewrap project there is already some nice code that can be used for the purpose as demonstrated here: https://github.com/valoq/bwscripts/tree/master/profiles +diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libsec.c +--- mupdf-1.11-source/platform/x11/libsec.c 1970-01-01 01:00:00.000000000 +0100 ++++ mupdf-1.11/platform/x11/libsec.c 2017-03-15 23:17:31.421689510 +0100 +@@ -0,0 +1,472 @@ ++#include "libsec.h" ++#include <stdio.h> ++ ++#define HAVE_LIBSECCOMP ++#ifdef HAVE_LIBSECCOMP ++ ++#include <seccomp.h> /* libseccomp */ ++#include <sys/prctl.h> /* prctl */ ++#include <sys/socket.h> ++#include <fcntl.h> ++#include <stdlib.h> ++#include <errno.h> ++ ++#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; } ++#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } ++ ++scmp_filter_ctx ctx; ++ ++ ++int protectedMode(void){ ++ ++ // prevent child processes from getting more priv e.g. via setuid, capabilities, ... ++ //prctl(PR_SET_NO_NEW_PRIVS, 1); ++ ++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { ++ perror("prctl SET_NO_NEW_PRIVS"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // prevent escape via ptrace ++ //prctl(PR_SET_DUMPABLE, 0); ++ ++ if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){ ++ perror("prctl PR_SET_DUMPABLE"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // initialize the filter ++ ctx = seccomp_init(SCMP_ACT_ALLOW); ++ if (ctx == NULL) ++ return 1; ++ ++ DENY_RULE (_sysctl); ++ DENY_RULE (acct); ++ DENY_RULE (add_key); ++ DENY_RULE (adjtimex); ++ DENY_RULE (chroot); ++ DENY_RULE (clock_adjtime); ++ DENY_RULE (create_module); ++ DENY_RULE (delete_module); ++ DENY_RULE (fanotify_init); ++ DENY_RULE (finit_module); ++ DENY_RULE (get_kernel_syms); ++ DENY_RULE (get_mempolicy); ++ DENY_RULE (init_module); ++ DENY_RULE (io_cancel); ++ DENY_RULE (io_destroy); ++ DENY_RULE (io_getevents); ++ DENY_RULE (io_setup); ++ DENY_RULE (io_submit); ++ DENY_RULE (ioperm); ++ DENY_RULE (iopl); ++ DENY_RULE (ioprio_set); ++ DENY_RULE (kcmp); ++ DENY_RULE (kexec_file_load); ++ DENY_RULE (kexec_load); ++ DENY_RULE (keyctl); ++ DENY_RULE (lookup_dcookie); ++ DENY_RULE (mbind); ++ DENY_RULE (nfsservctl); ++ DENY_RULE (migrate_pages); ++ DENY_RULE (modify_ldt); ++ DENY_RULE (mount); ++ DENY_RULE (move_pages); ++ DENY_RULE (name_to_handle_at); ++ DENY_RULE (open_by_handle_at); ++ DENY_RULE (perf_event_open); ++ DENY_RULE (pivot_root); ++ DENY_RULE (process_vm_readv); ++ DENY_RULE (process_vm_writev); ++ DENY_RULE (ptrace); ++ DENY_RULE (reboot); ++ DENY_RULE (remap_file_pages); ++ DENY_RULE (request_key); ++ DENY_RULE (set_mempolicy); ++ DENY_RULE (swapoff); ++ DENY_RULE (swapon); ++ DENY_RULE (sysfs); ++ DENY_RULE (syslog); ++ DENY_RULE (tuxcall); ++ DENY_RULE (umount2); ++ DENY_RULE (uselib); ++ DENY_RULE (vmsplice); ++ ++ //applying filter... ++ if (seccomp_load (ctx) >= 0){ ++ // free ctx after the filter has been loaded into the kernel ++ seccomp_release(ctx); ++ return 0; ++ } ++ ++ out: ++ //something went wrong ++ //printf("something went wrong\n"); ++ seccomp_release(ctx); ++ return 1; ++} ++ ++ ++int protectedView(void){ ++ ++ // prevent child processes from getting more priv e.g. via setuid, capabilities, ... ++ //prctl(PR_SET_NO_NEW_PRIVS, 1); ++ ++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { ++ perror("prctl SET_NO_NEW_PRIVS"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // prevent escape via ptrace ++ //prctl(PR_SET_DUMPABLE, 0); ++ ++ if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){ ++ perror("prctl PR_SET_DUMPABLE"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // initialize the filter ++ ctx = seccomp_init(SCMP_ACT_KILL); ++ if (ctx == NULL) ++ return 1; ++ ++ ++ ALLOW_RULE (access); ++ ALLOW_RULE (brk); ++ ALLOW_RULE (clock_gettime); ++ ALLOW_RULE (close); ++ ALLOW_RULE (connect); ++ ALLOW_RULE (exit); ++ ALLOW_RULE (exit_group); ++ ALLOW_RULE (fcntl); /* not specified below */ ++ ALLOW_RULE (fstat); ++ ALLOW_RULE (futex); ++ ALLOW_RULE (getpeername); ++ ALLOW_RULE (getrlimit); ++ ALLOW_RULE (getsockname); ++ ALLOW_RULE (getsockopt); /* needed for access to x11 socket in network namespace (without abstract sockets) */ ++ ALLOW_RULE (lseek); ++ ALLOW_RULE (mmap); ++ ALLOW_RULE (mprotect); ++ ALLOW_RULE (mremap); ++ ALLOW_RULE (munmap); ++ //ALLOW_RULE (open); /* specified below */ ++ ALLOW_RULE (prctl); ++ ALLOW_RULE (poll); ++ ALLOW_RULE (read); ++ ALLOW_RULE (recvfrom); ++ ALLOW_RULE (recvmsg); ++ ALLOW_RULE (restart_syscall); ++ ALLOW_RULE (rt_sigaction); ++ ALLOW_RULE (seccomp); ++ ALLOW_RULE (select); ++ ALLOW_RULE (shmat); ++ ALLOW_RULE (shmctl); ++ ALLOW_RULE (shmget); ++ ALLOW_RULE (shutdown); ++ ALLOW_RULE (stat); ++ //ALLOW_RULE (socket); /* specified below */ ++ ALLOW_RULE (sysinfo); ++ ALLOW_RULE (uname); ++ //ALLOW_RULE (write); /* specified below */ ++ ALLOW_RULE (writev); /* not specified below */ ++ ALLOW_RULE (wait4); /* trying to open links should not crash the app */ ++ ++ ++ /* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1, ++ SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0) ++ goto out; ++ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1, ++ SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0) ++ goto out; ++ ++ ++ /* special restrictions for open, prevent opening files for writing */ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) ++ goto out; ++ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) ++ goto out; ++ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) ++ goto out; ++ ++ ++ ++ ++ ++ // ------------ experimental filters --------------- ++ ++ ++ ++ ++ /* this filter is susceptible to TOCTOU race conditions, providing limited use */ ++ /* allow opening only specified files identified by their file descriptors*/ ++ ++ // this requires either a list of all files to open (A LOT!!!) ++ // or needs to be applied only after initialisation, right before parsing ++ // if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, ++ // SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) // or < 1 ??? ++ // goto out; ++ ++ ++ /* restricting write access */ ++ ++ /* allow stdin */ ++ // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 ) ++ // goto out; ++ ++ /* allow stdout */ ++ // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 ) ++ // goto out; ++ ++ /* allow stderr */ ++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 ) ++ goto out; ++ ++ ++ /* restrict writev (write a vector) access */ ++ // this does not seem reliable but it surprisingly is. investigate more ++ //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) ++ // goto out; ++ ++ //test if repeating this after some time or denying it works ++ ++ ++ // firest attempt to filter poll requests ++ // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1, ++ // SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0) ++ // goto out; ++ ++ ++ /* restrict fcntl calls */ ++ // this syscall sets the file descriptor to read write ++ //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) ++ // goto out; ++ // fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) ++ // fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 ++ // fcntl(3, F_SETFD, FD_CLOEXEC) = 0 ++ ++ ++ ++ ++ // ------------------ end of experimental filters ------------------ ++ ++ //applying filter... ++ if (seccomp_load (ctx) >= 0){ ++ // free ctx after the filter has been loaded into the kernel ++ seccomp_release(ctx); ++ return 0; ++ } ++ ++ out: ++ //something went wrong ++ seccomp_release(ctx); ++ return 1; ++} ++ ++int renderFilter(void){ ++ ++ // prevent child processes from getting more priv e.g. via setuid, capabilities, ... ++ //prctl(PR_SET_NO_NEW_PRIVS, 1); ++ ++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { ++ perror("prctl SET_NO_NEW_PRIVS"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // prevent escape via ptrace ++ //prctl(PR_SET_DUMPABLE, 0); ++ ++ if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){ ++ perror("prctl PR_SET_DUMPABLE"); ++ exit(EXIT_FAILURE); ++ } ++ ++ ++ // initialize the filter ++ ctx = seccomp_init(SCMP_ACT_KILL); ++ if (ctx == NULL) ++ return 1; ++ ++ ++ ALLOW_RULE (access); ++ ALLOW_RULE (brk); ++ ALLOW_RULE (clock_gettime); ++ ALLOW_RULE (close); ++ //ALLOW_RULE (connect); ++ ALLOW_RULE (exit); ++ ALLOW_RULE (exit_group); ++ ALLOW_RULE (fcntl); /* not specified below */ ++ ALLOW_RULE (fstat); ++ ALLOW_RULE (futex); ++ ALLOW_RULE (getpeername); ++ ALLOW_RULE (getrlimit); ++ //ALLOW_RULE (getsockname); ++ //ALLOW_RULE (getsockopt); ++ ALLOW_RULE (lseek); ++ ALLOW_RULE (mmap); ++ ALLOW_RULE (mprotect); ++ ALLOW_RULE (mremap); ++ ALLOW_RULE (munmap); ++ //ALLOW_RULE (open); /* specified below */ ++ ALLOW_RULE (poll); ++ ALLOW_RULE (read); ++ ALLOW_RULE (recvfrom); ++ ALLOW_RULE (recvmsg); ++ ALLOW_RULE (restart_syscall); ++ ALLOW_RULE (rt_sigaction); ++ ALLOW_RULE (select); ++ ALLOW_RULE (shmat); ++ ALLOW_RULE (shmctl); ++ ALLOW_RULE (shmget); ++ ALLOW_RULE (shutdown); ++ ALLOW_RULE (stat); ++ //ALLOW_RULE (socket); ++ ALLOW_RULE (sysinfo); ++ ALLOW_RULE (uname); ++ //ALLOW_RULE (write); /* specified below */ ++ ALLOW_RULE (writev); /* not specified below */ ++ ALLOW_RULE (wait4); /* trying to open links should not crash the app */ ++ ++ ++ /* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */ ++ // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0) ++ // goto out; ++ ++ // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0) ++ // goto out; ++ ++ ++ /* special restrictions for open, prevent opening files for writing */ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) ++ goto out; ++ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) ++ goto out; ++ ++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, ++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) ++ goto out; ++ ++ ++ ++ ++ ++ // ------------ experimental filters --------------- ++ ++ ++ ++ ++ /* this filter is susceptible to TOCTOU race conditions, providing limited use */ ++ /* allow opening only specified files identified by their file descriptors*/ ++ ++ // this requires either a list of all files to open (A LOT!!!) ++ // or needs to be applied only after initialisation, right before parsing ++ // if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, ++ // SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) // or < 1 ??? ++ // goto out; ++ ++ ++ /* restricting write access */ ++ ++ /* allow stdin */ ++ // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 ) ++ // goto out; ++ ++ /* allow stdout */ ++ // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 ) ++ // goto out; ++ ++ /* allow stderr */ ++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, ++ SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 ) ++ goto out; ++ ++ ++ /* restrict writev (write a vector) access */ ++ // this does not seem reliable but it surprisingly is. investigate more ++ //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) ++ // goto out; ++ ++ //test if repeating this after some time or denying it works ++ ++ ++ // firest attempt to filter poll requests ++ // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1, ++ // SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0) ++ // goto out; ++ ++ ++ /* restrict fcntl calls */ ++ // this syscall sets the file descriptor to read write ++ //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1, ++ // SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 ) ++ // goto out; ++ // fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) ++ // fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 ++ // fcntl(3, F_SETFD, FD_CLOEXEC) = 0 ++ ++ ++ ++ ++ // ------------------ end of experimental filters ------------------ ++ ++ //applying filter... ++ if (seccomp_load (ctx) >= 0){ ++ // free ctx after the filter has been loaded into the kernel ++ seccomp_release(ctx); ++ return 0; ++ } ++ ++ out: ++ //something went wrong ++ seccomp_release(ctx); ++ return 1; ++} ++ ++ ++#else /* HAVE_LIBSECCOMP */ ++ ++ ++int protectedMode(void){ ++ ++ perror("No seccomp support compiled-in\n"); ++ return 1; ++} ++ ++int protectedView(void){ ++ ++ perror("No seccomp support compiled-in\n"); ++ return 1; ++} ++ ++int renderFilter(void){ ++ ++ perror("No seccomp support compiled-in\n"); ++ return 1; ++} ++ ++#endif /* HAVE_LIBSECCOMP */ +diff -Naur mupdf-1.11-source/platform/x11/libsec.h mupdf-1.11/platform/x11/libsec.h +--- mupdf-1.11-source/platform/x11/libsec.h 1970-01-01 01:00:00.000000000 +0100 ++++ mupdf-1.11/platform/x11/libsec.h 2017-03-15 23:01:14.285040855 +0100 +@@ -0,0 +1,19 @@ ++#ifndef SECCOMP_H ++#define SECCOMP_H ++ ++/* basic filter */ ++// this mode allows normal use ++// only dangerous syscalls are blacklisted ++int protectedMode(void); ++ ++/* secure read-only mode */ ++// whitelist minimal syscalls only ++// this mode does not allow writing files ++// or to open external links and applications ++// network connections are prohibited as well ++int protectedView(void); ++ ++// restrict the process to use only the minimal syscalls needed to render the target document ++int renderFilter(void); ++ ++#endif +diff -Naur mupdf-1.11-source/platform/x11/x11_main.c mupdf-1.11/platform/x11/x11_main.c +--- mupdf-1.11-source/platform/x11/x11_main.c 2017-04-05 13:02:21.000000000 +0200 ++++ mupdf-1.11/platform/x11/x11_main.c 2017-08-20 13:54:43.330771594 +0200 +@@ -1,5 +1,18 @@ + #include "pdfapp.h" + ++//todo: set this flag in makefile ++#define HAVE_LIBSECCOMP ++#define USE_PROTECTEDVIEW ++#ifdef USE_PROTECTEDVIEW ++#ifndef HAVE_LIBSECCOMP ++#define HAVE_LIBSECCOMP ++#endif /* HAVE_LIBSECCOMP */ ++#endif /* USE_PROTECTEDVIEW */ ++ ++#ifdef HAVE_LIBSECCOMP ++#include "libsec.h" ++#endif /* HAVE_LIBSECCOMP */ ++ + #include <X11/Xlib.h> + #include <X11/Xutil.h> + #include <X11/Xatom.h> +@@ -108,6 +121,8 @@ + static struct timeval tmo_advance; + static struct timeval tmo_at; + ++int protectedViewSet = 0; ++ + /* + * Dialog boxes + */ +@@ -723,32 +738,41 @@ + + void winopenuri(pdfapp_t *app, char *buf) + { +- char *browser = getenv("BROWSER"); +- pid_t pid; +- if (!browser) +- { ++ ++ ++ //protectedView does not allow opening external apps ++ if(!protectedViewSet){ ++ ++ ++ char *browser = getenv("BROWSER"); ++ pid_t pid; ++ if (!browser) ++ { + #ifdef __APPLE__ +- browser = "open"; ++ browser = "open"; + #else +- browser = "xdg-open"; ++ browser = "xdg-open"; + #endif +- } +- /* Fork once to start a child process that we wait on. This +- * child process forks again and immediately exits. The +- * grandchild process continues in the background. The purpose +- * of this strange two-step is to avoid zombie processes. See +- * bug 695701 for an explanation. */ +- pid = fork(); +- if (pid == 0) +- { +- if (fork() == 0) ++ } ++ /* Fork once to start a child process that we wait on. This ++ * child process forks again and immediately exits. The ++ * grandchild process continues in the background. The purpose ++ * of this strange two-step is to avoid zombie processes. See ++ * bug 695701 for an explanation. */ ++ pid = fork(); ++ if (pid == 0) + { +- execlp(browser, browser, buf, (char*)0); +- fprintf(stderr, "cannot exec '%s'\n", browser); ++ if (fork() == 0) ++ { ++ execlp(browser, browser, buf, (char*)0); ++ fprintf(stderr, "cannot exec '%s'\n", browser); ++ } ++ exit(0); + } +- exit(0); +- } +- waitpid(pid, NULL, 0); ++ waitpid(pid, NULL, 0); ++ ++ }//protectedViewSet ++ + } + + static void onkey(int c, int modifiers) +@@ -816,12 +840,42 @@ + fprintf(stderr, "\t-S -\tfont size for EPUB layout\n"); + fprintf(stderr, "\t-U -\tuser style sheet for EPUB layout\n"); + fprintf(stderr, "\t-X\tdisable document styles for EPUB layout\n"); ++ ++#ifdef HAVE_LIBSECCOMP ++#ifndef USE_PROTECTEDVIEW //this flag enforces protectedView by default ++ ++ fprintf(stderr, "\t-s -\t[strict] - use protectedView (strict sandbox)\n"); ++ ++#endif /* USE_PROTECTEDVIEW */ ++#endif /* HAVE_LIBSECCOMP */ ++ + exit(1); + } + + int main(int argc, char **argv) + { +- int c; ++ ++ ++#ifdef HAVE_LIBSECCOMP ++ ++ if(protectedMode()){ ++ perror("SECCOMP initialisation failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++#endif /* HAVE_LIBSECCOMP */ ++ ++#ifdef USE_PROTECTEDVIEW ++ ++ if(protectedView()){ ++ perror("SECCOMP initialisation failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++#endif /* USE_PROTECTEDVIEW */ ++ ++ ++ int c; + int len; + char buf[128]; + KeySym keysym; +@@ -847,7 +901,7 @@ + + pdfapp_init(ctx, &gapp); + +- while ((c = fz_getopt(argc, argv, "Ip:r:A:C:W:H:S:U:Xb:")) != -1) ++ while ((c = fz_getopt(argc, argv, "Ip:r:A:C:W:H:S:U:Xb:s:")) != -1) + { + switch (c) + { +@@ -868,6 +922,24 @@ + case 'U': gapp.layout_css = fz_optarg; break; + case 'X': gapp.layout_use_doc_css = 0; break; + case 'b': bps = (fz_optarg && *fz_optarg) ? fz_atoi(fz_optarg) : 4096; break; ++ ++#ifdef HAVE_LIBSECCOMP ++#ifndef USE_PROTECTEDVIEW //this flag enforces protectedView by default ++ ++ case 's': ++ //activate protectedView Sandbox ++ protectedViewSet = 1; ++ ++ if(protectedView()){ ++ perror("SECCOMP initialisation failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ break; ++ ++#endif /* USE_PROTECTEDVIEW */ ++#endif /* HAVE_LIBSECCOMP */ ++ + default: usage(); + } + } +@@ -882,6 +954,20 @@ + + winopen(); + ++ // at this stage, the socket connection to the X11 server has been established and further use of socket syscalls calls can blocked ++ // this filter allow only very few syscalls that are needed for rendering the target document ++ ++ #ifdef USE_PROTECTEDVIEW ++ ++ if(renderFilter()){ ++ perror("SECCOMP initialisation failed"); ++ exit(EXIT_FAILURE); ++ } ++ ++ #endif /* USE_PROTECTEDVIEW */ ++ ++ ++ + if (resolution == -1) + resolution = winresolution(); + if (resolution < MINRES) |