pwmt / zathura

Document viewer
https://pwmt.org/projects/zathura
zlib License

Cannot launch flatpak apps when sandbox set to normal #373

Closed sebastinas closed 2 months ago

sebastinas commented 1 year ago

On GitLab by @MithicSpirit on Jan 24, 2023, 23:24

The documentation states that "No feature regressions are expected" when using normal sandbox mode, but this is inaccurate, as launching programs (through :exec, or, more importantly, when opening links) that use flatpak does not work if not using set sandbox none.

I'm not sure if disabling sandboxing for launching external programs is a good idea (maybe have that as another setting?), but I believe that this should at least be documented, if only to save someone else's time.

sebastinas commented 1 year ago

On GitLab by @valoq on Jan 25, 2023, 11:39

Seems like the same issue as #151

Suggested fix for next release is to set the sandbox to "none" by default.

@MithicSpirit Do you by any chance run flatpak with the suid version of bubblewrap?

sebastinas commented 1 year ago

On GitLab by @MithicSpirit on Jan 25, 2023, 16:22

> Seems like the same issue as #151
>
> Suggested fix for next release is to set the sandbox to "none" by default.

Looks like it. Not sure how much sandbox normal does (from the comments on that issue it doesn't seem to matter much), but another solution might be to just disable it for the child processes (if possible) and keep it enabled for the main zathura process itself.

> Do you by any chance run flatpak with the suid version of bubblewrap?

No; the bwrap binary on my system (Arch Linux) does not have the suid bit set, but bwrap does seem related to the issue. Particularly, with verbose output enabled, the flatpak output ends with:

F: Allowing session-dbus access
F: Running 'bwrap --args 41 xdg-dbus-proxy --args=43'
error: Failed to sync with dbus proxy

sebastinas commented 1 year ago

On GitLab by @valoq on Jan 25, 2023, 18:20

Child processes will inherit the same restrictions that seccomp sets for the parent; however, there is a solution that the flatpak/xdg project has come up with, which runs xdg-open through dbus instead.

I am currently working on a patch to integrate that into zathura for the normal sandbox mode together with landlock support. The idea is that the normal sandbox will allow opening links unrestricted while the process itself is read only (through landlock) with a minimal seccomp filter. There is no common use case for writing files in zathura, though you can dump contents into a new file if you want to. The result will be a "normal" sandbox mode with opportunistic security against simple malware that exploits vulnerabilities in backend parsing libraries without attempting to escape the sandboxed process.

Only the strict mode will provide a real sandbox that should not be possible to escape even by a targeted attack, but that will also disable dbus/ipc and running external applications to open links directly.

Whether any of this makes it into zathura will be up to Sebastian and Moritz though.

sebastinas commented 2 months ago

The sandboxed version is now a separate binary where we allow feature regressions.