path: root/seccomp.patch

diff -Naur mupdf-1.11-source/Makefile mupdf-1.11/Makefile
--- mupdf-1.11-source/Makefile	2017-04-05 13:02:21.000000000 +0200
+++ mupdf-1.11/Makefile	2017-08-20 13:59:29.260759197 +0200
@@ -16,6 +16,12 @@
 # set a variable that was set on the command line.
 CFLAGS += $(XCFLAGS) -Iinclude -Igenerated
 LIBS += $(XLIBS) -lm
+LIBS += -lseccomp
+
+# please note: rules set in makerules do not work yet.
+# HAVE_LIBSECCOMP should be defined here
+# todo: implement protectedView option
+# and additional mupdf-x11-sandbox binary should be created for protectedView
 
 LIBS += $(FREETYPE_LIBS)
 LIBS += $(HARFBUZZ_LIBS)
@@ -34,6 +40,7 @@
 CFLAGS += $(JPEGXR_CFLAGS)
 CFLAGS += $(LIBCRYPTO_CFLAGS)
 CFLAGS += $(LIBJPEG_CFLAGS)
+CFLAGS += $(LIBSECCOMP_CFLAGS)
 CFLAGS += $(LURATECH_CFLAGS)
 CFLAGS += $(MUJS_CFLAGS)
 CFLAGS += $(OPENJPEG_CFLAGS)
@@ -344,14 +351,14 @@
 
 ifeq "$(HAVE_X11)" "yes"
 MUVIEW_X11_EXE := $(OUT)/mupdf-x11
-MUVIEW_X11_OBJ := $(addprefix $(OUT)/platform/x11/, x11_main.o x11_image.o pdfapp.o)
+MUVIEW_X11_OBJ := $(addprefix $(OUT)/platform/x11/, x11_main.o libsec.o x11_image.o pdfapp.o)
 $(MUVIEW_X11_OBJ) : $(FITZ_HDR) $(PDF_HDR)
 $(MUVIEW_X11_EXE) : $(MUVIEW_X11_OBJ) $(MUPDF_LIB) $(THIRD_LIB)
 	$(LINK_CMD) $(X11_LIBS)
 
 ifeq "$(HAVE_CURL)" "yes"
 MUVIEW_X11_CURL_EXE := $(OUT)/mupdf-x11-curl
-MUVIEW_X11_CURL_OBJ := $(addprefix $(OUT)/platform/x11/curl/, x11_main.o x11_image.o pdfapp.o curl_stream.o)
+MUVIEW_X11_CURL_OBJ := $(addprefix $(OUT)/platform/x11/curl/, x11_main.o libsec.o x11_image.o pdfapp.o curl_stream.o)
 $(MUVIEW_X11_CURL_OBJ) : $(FITZ_HDR) $(PDF_HDR)
 $(MUVIEW_X11_CURL_EXE) : $(MUVIEW_X11_CURL_OBJ) $(MUPDF_LIB) $(THIRD_LIB) $(CURL_LIB)
 	$(LINK_CMD) $(X11_LIBS) $(CURL_LIBS) $(SYS_CURL_DEPS)
diff -Naur mupdf-1.11-source/Makerules mupdf-1.11/Makerules
--- mupdf-1.11-source/Makerules	2017-04-05 13:02:21.000000000 +0200
+++ mupdf-1.11/Makerules	2017-08-20 13:57:17.007431598 +0200
@@ -155,6 +155,12 @@
 SYS_OPENJPEG_LIBS := $(shell pkg-config --libs libopenjp2)
 endif
 
+ifeq "$(shell pkg-config --exists libseccomp && echo yes)" "yes"
+HAVE_LIBSECCOMP = yes
+SYS_LIBSECCOMP_CFLAGS = $(shell pkg-config --cflags libseccomp)
+SYS_LIBSECCOMP_LIBS = $(shell pkg-config --libs libseccomp)
+endif
+
 SYS_JBIG2DEC_LIBS := -ljbig2dec
 SYS_LIBJPEG_LIBS := -ljpeg
 SYS_ZLIB_LIBS := -lz
@@ -279,3 +285,8 @@
 HAVE_X11 ?= no
 HAVE_GLFW ?= no
 endif
+
+ifeq "$(HAVE_PTHREADS)" "yes"
+CFLAGS += -DHAVE_PTHREADS
+LIBS += -lpthread
+endif
diff -Naur mupdf-1.11-source/Makethird mupdf-1.11/Makethird
--- mupdf-1.11-source/Makethird	2017-04-05 13:02:21.000000000 +0200
+++ mupdf-1.11/Makethird	2017-08-20 14:00:35.777422980 +0200
@@ -721,3 +721,10 @@
 PTHREAD_CFLAGS := $(SYS_PTHREAD_CFLAGS)
 PTHREAD_LIBS := $(SYS_PTHREAD_LIBS)
 #endif
+
+# --- libSeccomp ---
+
+ifeq "$(HAVE_LIBSECCOMP)" "yes"
+LIBSECCOMP_CFLAGS := $(SYS_LIBSECCOMP_CFLAGS)
+LIBSECCOMP_LIBS := $(SYS_LIBSECCOMP_LIBS)
+endif
diff -Naur mupdf-1.11-source/README.md mupdf-1.11/README.md
--- mupdf-1.11-source/README.md	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-1.11/README.md	2017-03-12 20:37:31.149547576 +0100
@@ -0,0 +1,37 @@
+# mupdf
+Sandboxed Mupdf Document Viewer
+
+This modified version of Mupdf includes support for seccomp to implement sandbox support on linux systems using libseccomp
+
+The original application can be found here: https://mupdf.com
+
+
+Sandbox modes:
+--------------
+
+There are two different sandbox modes available at the moment:
+
+- Invisible sandbox mode: this mode does not affect the normal functionality at all and will not be noticed by the user. It only blacklists some dangerous and rare syscalls and uses the no_new_privs flag to prevent the process to gain more privileges (e.g. by using suid)
+
+- Read only mode: this mode does not allow writing files or access to the network. It is designed to only allow reading local files. By using a whitelist of allowed systemcalls, 90 % of the kernel interface is unavailable for the process, reducing the attack surface of the kernel significantly and limiting the movement of exploit code.
+
+
+
+Future Work
+-----------
+
+It is possible to further restrict the list of allowed syscalls right before a document file is interpreted. This also includes blocking the use of syscalls needed for unix domain socket communication as used to communicate to IPC services like Dbus, which presents a weakpoint in sandboxing for modern Linux desktop systems.
+
+
+
+Weak Points
+-----------
+
+One of the remaining weak points is the X11 Server. Without switching to wayland and blocking X11 access, keylogging is trivial.
+
+
+
+Additional Sandbox support
+--------------------------
+
+Using linux namespaces container features, it is possible to further isolate the application from the rest of the system. With the bubblewrap project there is already some nice code that can be used for the purpose as demonstrated here: https://github.com/valoq/bwscripts/tree/master/profiles 
diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libsec.c
--- mupdf-1.11-source/platform/x11/libsec.c	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-1.11/platform/x11/libsec.c	2017-03-15 23:17:31.421689510 +0100
@@ -0,0 +1,472 @@
+#include "libsec.h"
+#include <stdio.h>
+
+#define HAVE_LIBSECCOMP
+#ifdef HAVE_LIBSECCOMP
+
+#include <seccomp.h> /* libseccomp */
+#include <sys/prctl.h> /* prctl */
+#include <sys/socket.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#define DENY_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_KILL, SCMP_SYS(call), 0) < 0) goto out; }
+#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
+
+scmp_filter_ctx ctx;
+
+
+int protectedMode(void){
+
+    // prevent child processes from getting more priv e.g. via setuid, capabilities, ...
+    //prctl(PR_SET_NO_NEW_PRIVS, 1);
+
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        perror("prctl SET_NO_NEW_PRIVS");
+        exit(EXIT_FAILURE);
+    }
+
+
+    // prevent escape via ptrace
+    //prctl(PR_SET_DUMPABLE, 0);
+
+    if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
+        perror("prctl PR_SET_DUMPABLE");
+        exit(EXIT_FAILURE);
+    }
+
+
+    // initialize the filter
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL)
+        return 1;
+
+    DENY_RULE (_sysctl);
+    DENY_RULE (acct);
+    DENY_RULE (add_key);
+    DENY_RULE (adjtimex);
+    DENY_RULE (chroot);
+    DENY_RULE (clock_adjtime);
+    DENY_RULE (create_module);
+    DENY_RULE (delete_module);
+    DENY_RULE (fanotify_init);
+    DENY_RULE (finit_module);
+    DENY_RULE (get_kernel_syms);
+    DENY_RULE (get_mempolicy);
+    DENY_RULE (init_module);
+    DENY_RULE (io_cancel);
+    DENY_RULE (io_destroy);
+    DENY_RULE (io_getevents);
+    DENY_RULE (io_setup);
+    DENY_RULE (io_submit);
+    DENY_RULE (ioperm);
+    DENY_RULE (iopl);
+    DENY_RULE (ioprio_set);
+    DENY_RULE (kcmp);
+    DENY_RULE (kexec_file_load);
+    DENY_RULE (kexec_load);
+    DENY_RULE (keyctl);
+    DENY_RULE (lookup_dcookie);
+    DENY_RULE (mbind);
+    DENY_RULE (nfsservctl);
+    DENY_RULE (migrate_pages);
+    DENY_RULE (modify_ldt);
+    DENY_RULE (mount);
+    DENY_RULE (move_pages);
+    DENY_RULE (name_to_handle_at);
+    DENY_RULE (open_by_handle_at);
+    DENY_RULE (perf_event_open);
+    DENY_RULE (pivot_root);
+    DENY_RULE (process_vm_readv);
+    DENY_RULE (process_vm_writev);
+    DENY_RULE (ptrace);
+    DENY_RULE (reboot);
+    DENY_RULE (remap_file_pages);
+    DENY_RULE (request_key);
+    DENY_RULE (set_mempolicy);
+    DENY_RULE (swapoff);
+    DENY_RULE (swapon);
+    DENY_RULE (sysfs);
+    DENY_RULE (syslog);
+    DENY_RULE (tuxcall);
+    DENY_RULE (umount2);
+    DENY_RULE (uselib);
+    DENY_RULE (vmsplice);
+
+    //applying filter...
+    if (seccomp_load (ctx) >= 0){
+	// free ctx after the filter has been loaded into the kernel
+	seccomp_release(ctx);
+        return 0;
+    }
+    
+  out:
+    //something went wrong
+    //printf("something went wrong\n");
+    seccomp_release(ctx);
+    return 1;
+}
+
+
+int protectedView(void){
+
+    // prevent child processes from getting more priv e.g. via setuid, capabilities, ...
+    //prctl(PR_SET_NO_NEW_PRIVS, 1);
+
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        perror("prctl SET_NO_NEW_PRIVS");
+        exit(EXIT_FAILURE);
+    }
+
+
+    // prevent escape via ptrace
+    //prctl(PR_SET_DUMPABLE, 0);
+
+    if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
+        perror("prctl PR_SET_DUMPABLE");
+        exit(EXIT_FAILURE);
+    }
+
+    
+    // initialize the filter
+    ctx = seccomp_init(SCMP_ACT_KILL);
+    if (ctx == NULL)
+        return 1;
+
+
+    ALLOW_RULE (access);
+    ALLOW_RULE (brk);
+    ALLOW_RULE (clock_gettime);
+    ALLOW_RULE (close);
+    ALLOW_RULE (connect);
+    ALLOW_RULE (exit);
+    ALLOW_RULE (exit_group);
+    ALLOW_RULE (fcntl);  /* not specified below */
+    ALLOW_RULE (fstat);
+    ALLOW_RULE (futex);
+    ALLOW_RULE (getpeername);
+    ALLOW_RULE (getrlimit);
+    ALLOW_RULE (getsockname);
+    ALLOW_RULE (getsockopt);  /* needed for access to x11 socket in network namespace (without abstract sockets) */
+    ALLOW_RULE (lseek);
+    ALLOW_RULE (mmap);
+    ALLOW_RULE (mprotect);
+    ALLOW_RULE (mremap);
+    ALLOW_RULE (munmap);
+    //ALLOW_RULE (open);  /* specified below */
+    ALLOW_RULE (prctl);
+    ALLOW_RULE (poll);
+    ALLOW_RULE (read);
+    ALLOW_RULE (recvfrom);
+    ALLOW_RULE (recvmsg);
+    ALLOW_RULE (restart_syscall);
+    ALLOW_RULE (rt_sigaction);
+    ALLOW_RULE (seccomp);
+    ALLOW_RULE (select);
+    ALLOW_RULE (shmat);
+    ALLOW_RULE (shmctl);
+    ALLOW_RULE (shmget);
+    ALLOW_RULE (shutdown);
+    ALLOW_RULE (stat);
+    //ALLOW_RULE (socket);  /* specified below */
+    ALLOW_RULE (sysinfo);
+    ALLOW_RULE (uname);
+    //ALLOW_RULE (write);  /* specified below */
+    ALLOW_RULE (writev);  /* not specified below */
+    ALLOW_RULE (wait4);  /* trying to open links should not crash the app */
+
+    
+	/* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */
+	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+		goto out;
+
+	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
+		goto out;
+
+
+	/* special restrictions for open, prevent opening files for writing */
+	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
+		goto out;
+
+	if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0)
+		goto out;
+
+	if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
+		goto out;
+
+
+
+
+
+    // ------------ experimental filters ---------------
+
+
+
+
+    /* this filter is susceptible to TOCTOU race conditions, providing limited use */
+    /* allow opening only specified files identified by their file descriptors*/
+
+    // this requires either a list of all files to open (A LOT!!!)
+    // or needs to be applied only after initialisation, right before parsing
+    // if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+    //                         SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) // or < 1 ???
+    //     goto out;
+
+
+    /* restricting write access */
+
+    /* allow stdin */
+    // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+    //                         SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 )
+    //     goto out;
+
+    /* allow stdout */
+    // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+    //                             SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 )
+    //     goto out;
+
+    /* allow stderr */
+    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+                                 SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 )
+        goto out;
+
+
+    /* restrict writev (write a vector) access */
+    // this does not seem reliable but it surprisingly is. investigate more
+    //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1,
+    //                            SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 )
+    //    goto out;
+
+    //test if repeating this after some time or denying it works
+
+
+    // firest attempt to filter poll requests
+    // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1,
+    // 	                      SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0)
+    // 	goto out;
+
+
+    /* restrict fcntl calls */
+    // this syscall sets the file descriptor to read write
+    //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1,
+    //                            SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 )
+    //    goto out;
+    // fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
+    // fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
+    // fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
+
+
+
+
+    // ------------------ end of experimental filters ------------------
+
+    //applying filter...
+    if (seccomp_load (ctx) >= 0){
+	// free ctx after the filter has been loaded into the kernel
+	seccomp_release(ctx);
+        return 0;
+    }
+
+ out:
+    //something went wrong
+    seccomp_release(ctx);
+    return 1;
+}
+
+int renderFilter(void){
+
+    // prevent child processes from getting more priv e.g. via setuid, capabilities, ...
+    //prctl(PR_SET_NO_NEW_PRIVS, 1);
+
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        perror("prctl SET_NO_NEW_PRIVS");
+        exit(EXIT_FAILURE);
+    }
+
+
+    // prevent escape via ptrace
+    //prctl(PR_SET_DUMPABLE, 0);
+
+    if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
+        perror("prctl PR_SET_DUMPABLE");
+        exit(EXIT_FAILURE);
+    }
+
+    
+    // initialize the filter
+    ctx = seccomp_init(SCMP_ACT_KILL);
+    if (ctx == NULL)
+        return 1;
+
+
+    ALLOW_RULE (access);
+    ALLOW_RULE (brk);
+    ALLOW_RULE (clock_gettime);
+    ALLOW_RULE (close);
+    //ALLOW_RULE (connect);
+    ALLOW_RULE (exit);
+    ALLOW_RULE (exit_group);
+    ALLOW_RULE (fcntl);  /* not specified below */
+    ALLOW_RULE (fstat);
+    ALLOW_RULE (futex);
+    ALLOW_RULE (getpeername);
+    ALLOW_RULE (getrlimit);
+    //ALLOW_RULE (getsockname);
+    //ALLOW_RULE (getsockopt); 
+    ALLOW_RULE (lseek);
+    ALLOW_RULE (mmap);
+    ALLOW_RULE (mprotect);
+    ALLOW_RULE (mremap);
+    ALLOW_RULE (munmap);
+    //ALLOW_RULE (open);  /* specified below */
+    ALLOW_RULE (poll);
+    ALLOW_RULE (read);
+    ALLOW_RULE (recvfrom);
+    ALLOW_RULE (recvmsg);
+    ALLOW_RULE (restart_syscall);
+    ALLOW_RULE (rt_sigaction);
+    ALLOW_RULE (select);
+    ALLOW_RULE (shmat);
+    ALLOW_RULE (shmctl);
+    ALLOW_RULE (shmget);
+    ALLOW_RULE (shutdown);
+    ALLOW_RULE (stat);
+    //ALLOW_RULE (socket);
+    ALLOW_RULE (sysinfo);
+    ALLOW_RULE (uname);
+    //ALLOW_RULE (write);  /* specified below */
+    ALLOW_RULE (writev);  /* not specified below */
+    ALLOW_RULE (wait4);  /* trying to open links should not crash the app */
+
+    
+	/* special restrictions for socket, only allow AF_UNIX/AF_LOCAL */
+    //	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+    //	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+    //		goto out;
+
+    //	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+    //	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
+    //		goto out;
+
+
+	/* special restrictions for open, prevent opening files for writing */
+	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
+		goto out;
+
+	if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0)
+		goto out;
+
+	if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1,
+	                      SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
+		goto out;
+
+
+
+
+
+    // ------------ experimental filters ---------------
+
+
+
+
+    /* this filter is susceptible to TOCTOU race conditions, providing limited use */
+    /* allow opening only specified files identified by their file descriptors*/
+
+    // this requires either a list of all files to open (A LOT!!!)
+    // or needs to be applied only after initialisation, right before parsing
+    // if(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+    //                         SCMP_CMP(SCMP_CMP_EQ, fd)) < 0) // or < 1 ???
+    //     goto out;
+
+
+    /* restricting write access */
+
+    /* allow stdin */
+    // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+    //                         SCMP_CMP(0, SCMP_CMP_EQ, 0)) < 0 )
+    //     goto out;
+
+    /* allow stdout */
+    // if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+    //                             SCMP_CMP(0, SCMP_CMP_EQ, 1)) < 0 )
+    //     goto out;
+
+    /* allow stderr */
+    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+                                 SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0 )
+        goto out;
+
+
+    /* restrict writev (write a vector) access */
+    // this does not seem reliable but it surprisingly is. investigate more
+    //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1,
+    //                            SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 )
+    //    goto out;
+
+    //test if repeating this after some time or denying it works
+
+
+    // firest attempt to filter poll requests
+    // if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 1,
+    // 	                      SCMP_CMP(0, SCMP_CMP_MASKED_EQ, POLLIN | POLL, 0)) < 0)
+    // 	goto out;
+
+
+    /* restrict fcntl calls */
+    // this syscall sets the file descriptor to read write
+    //if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 1,
+    //                            SCMP_CMP(0, SCMP_CMP_EQ, 3)) < 0 )
+    //    goto out;
+    // fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
+    // fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
+    // fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
+
+
+
+
+    // ------------------ end of experimental filters ------------------
+
+    //applying filter...
+    if (seccomp_load (ctx) >= 0){
+	// free ctx after the filter has been loaded into the kernel
+	seccomp_release(ctx);
+        return 0;
+    }
+
+ out:
+    //something went wrong
+    seccomp_release(ctx);
+    return 1;
+}
+
+
+#else /* HAVE_LIBSECCOMP */
+
+
+int protectedMode(void){
+
+    perror("No seccomp support compiled-in\n");
+    return 1;
+}
+
+int protectedView(void){
+
+    perror("No seccomp support compiled-in\n");
+    return 1;
+}
+
+int renderFilter(void){
+
+    perror("No seccomp support compiled-in\n");
+    return 1;
+}
+
+#endif /* HAVE_LIBSECCOMP */
diff -Naur mupdf-1.11-source/platform/x11/libsec.h mupdf-1.11/platform/x11/libsec.h
--- mupdf-1.11-source/platform/x11/libsec.h	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-1.11/platform/x11/libsec.h	2017-03-15 23:01:14.285040855 +0100
@@ -0,0 +1,19 @@
+#ifndef SECCOMP_H
+#define SECCOMP_H
+
+/* basic filter */
+// this mode allows normal use
+// only dangerous syscalls are blacklisted
+int protectedMode(void);
+
+/* secure read-only mode */
+// whitelist minimal syscalls only
+// this mode does not allow writing files
+// or to open external links and applications
+// network connections are prohibited as well
+int protectedView(void);
+
+// restrict the process to use only the minimal syscalls needed to render the target document
+int renderFilter(void);
+
+#endif
diff -Naur mupdf-1.11-source/platform/x11/x11_main.c mupdf-1.11/platform/x11/x11_main.c
--- mupdf-1.11-source/platform/x11/x11_main.c	2017-04-05 13:02:21.000000000 +0200
+++ mupdf-1.11/platform/x11/x11_main.c	2017-08-20 13:54:43.330771594 +0200
@@ -1,5 +1,18 @@
 #include "pdfapp.h"
 
+//todo: set this flag in makefile
+#define HAVE_LIBSECCOMP
+#define USE_PROTECTEDVIEW
+#ifdef USE_PROTECTEDVIEW
+#ifndef HAVE_LIBSECCOMP
+#define HAVE_LIBSECCOMP
+#endif /* HAVE_LIBSECCOMP */
+#endif /* USE_PROTECTEDVIEW */
+
+#ifdef HAVE_LIBSECCOMP
+#include "libsec.h"
+#endif /* HAVE_LIBSECCOMP */
+
 #include <X11/Xlib.h>
 #include <X11/Xutil.h>
 #include <X11/Xatom.h>
@@ -108,6 +121,8 @@
 static struct timeval tmo_advance;
 static struct timeval tmo_at;
 
+int protectedViewSet = 0;
+
 /*
  * Dialog boxes
  */
@@ -723,32 +738,41 @@
 
 void winopenuri(pdfapp_t *app, char *buf)
 {
-	char *browser = getenv("BROWSER");
-	pid_t pid;
-	if (!browser)
-	{
+
+
+        //protectedView does not allow opening external apps
+        if(!protectedViewSet){
+
+
+	    char *browser = getenv("BROWSER");
+	    pid_t pid;
+	    if (!browser)
+		{
 #ifdef __APPLE__
-		browser = "open";
+		    browser = "open";
 #else
-		browser = "xdg-open";
+		    browser = "xdg-open";
 #endif
-	}
-	/* Fork once to start a child process that we wait on. This
-	 * child process forks again and immediately exits. The
-	 * grandchild process continues in the background. The purpose
-	 * of this strange two-step is to avoid zombie processes. See
-	 * bug 695701 for an explanation. */
-	pid = fork();
-	if (pid == 0)
-	{
-		if (fork() == 0)
+		}
+	    /* Fork once to start a child process that we wait on. This
+	     * child process forks again and immediately exits. The
+	     * grandchild process continues in the background. The purpose
+	     * of this strange two-step is to avoid zombie processes. See
+	     * bug 695701 for an explanation. */
+	    pid = fork();
+	    if (pid == 0)
 		{
-			execlp(browser, browser, buf, (char*)0);
-			fprintf(stderr, "cannot exec '%s'\n", browser);
+		    if (fork() == 0)
+			{
+			    execlp(browser, browser, buf, (char*)0);
+			    fprintf(stderr, "cannot exec '%s'\n", browser);
+			}
+		    exit(0);
 		}
-		exit(0);
-	}
-	waitpid(pid, NULL, 0);
+	    waitpid(pid, NULL, 0);
+
+	}//protectedViewSet
+	
 }
 
 static void onkey(int c, int modifiers)
@@ -816,12 +840,42 @@
 	fprintf(stderr, "\t-S -\tfont size for EPUB layout\n");
 	fprintf(stderr, "\t-U -\tuser style sheet for EPUB layout\n");
 	fprintf(stderr, "\t-X\tdisable document styles for EPUB layout\n");
+
+#ifdef HAVE_LIBSECCOMP
+#ifndef USE_PROTECTEDVIEW //this flag enforces protectedView by default
+
+	fprintf(stderr, "\t-s -\t[strict] - use protectedView (strict sandbox)\n");
+
+#endif /* USE_PROTECTEDVIEW */
+#endif /* HAVE_LIBSECCOMP */
+
 	exit(1);
 }
 
 int main(int argc, char **argv)
 {
-	int c;
+
+
+#ifdef HAVE_LIBSECCOMP
+
+    if(protectedMode()){
+        perror("SECCOMP initialisation failed");
+        exit(EXIT_FAILURE);
+    }
+
+#endif /* HAVE_LIBSECCOMP */
+
+#ifdef USE_PROTECTEDVIEW
+
+    if(protectedView()){
+        perror("SECCOMP initialisation failed");
+        exit(EXIT_FAILURE);
+    }
+
+#endif /* USE_PROTECTEDVIEW */
+    
+
+        int c;
 	int len;
 	char buf[128];
 	KeySym keysym;
@@ -847,7 +901,7 @@
 
 	pdfapp_init(ctx, &gapp);
 
-	while ((c = fz_getopt(argc, argv, "Ip:r:A:C:W:H:S:U:Xb:")) != -1)
+	while ((c = fz_getopt(argc, argv, "Ip:r:A:C:W:H:S:U:Xb:s:")) != -1)
 	{
 		switch (c)
 		{
@@ -868,6 +922,24 @@
 		case 'U': gapp.layout_css = fz_optarg; break;
 		case 'X': gapp.layout_use_doc_css = 0; break;
 		case 'b': bps = (fz_optarg && *fz_optarg) ? fz_atoi(fz_optarg) : 4096; break;
+
+#ifdef HAVE_LIBSECCOMP
+#ifndef USE_PROTECTEDVIEW //this flag enforces protectedView by default
+
+		case 's':
+			//activate protectedView Sandbox
+			protectedViewSet = 1;
+
+    			if(protectedView()){
+		            perror("SECCOMP initialisation failed");
+		            exit(EXIT_FAILURE);
+		    	}
+
+			break;
+			
+#endif /* USE_PROTECTEDVIEW */
+#endif /* HAVE_LIBSECCOMP */
+
 		default: usage();
 		}
 	}
@@ -882,6 +954,20 @@
 
 	winopen();
 
+	// at this stage, the socket connection to the X11 server has been established and further use of socket syscalls calls can blocked
+	// this filter allow only very few syscalls that are needed for rendering the target document
+	
+	#ifdef USE_PROTECTEDVIEW
+
+	if(renderFilter()){
+	  perror("SECCOMP initialisation failed");
+	  exit(EXIT_FAILURE);
+	  }
+	    
+	#endif /* USE_PROTECTEDVIEW */
+
+
+	
 	if (resolution == -1)
 		resolution = winresolution();
 	if (resolution < MINRES)