diff --git a/greeter/seccomp_filter.cpp b/greeter/seccomp_filter.cpp
index b4d0d46..bca3001 100644
--- a/greeter/seccomp_filter.cpp
+++ b/greeter/seccomp_filter.cpp
@@ -1,141 +1,142 @@ /******************************************************************** KSld - the KDE Screenlocker Daemon This file is part of the KDE project. Copyright (C) 2017 Martin Gräßlin This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License or (at your option) version 3 or any later version accepted by the membership of KDE e.V. (or its successor approved by the membership of KDE e.V.), which shall act as a proxy defined in Section 14 of version 3 of the license. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . *********************************************************************/ #include "seccomp_filter.h" #include "kwinglplatform.h" #include #include #include #include #include #include #include +#include namespace ScreenLocker { namespace SecComp { void init() { // trigger OpenGL context creation // we need this to ensure that all required files are opened for write // on NVIDIA we need to keep write around, otherwise BUG 384005 happens bool writeSupported = true; // Mesa's software renderers create buffers in $XDG_RUNTIME_DIR on wayland bool createSupported = true; QScopedPointer dummySurface(new QOffscreenSurface); dummySurface->create(); QOpenGLContext dummyGlContext; if (dummyGlContext.create()) { if (dummyGlContext.makeCurrent(dummySurface.data())) { auto gl = KWin::GLPlatform::instance(); gl->detect(); gl->printResults(); if (gl->driver() == KWin::Driver_NVidia) { // BUG: 384005 writeSupported = false; } else if (gl->isSoftwareEmulation() && KWindowSystem::isPlatformWayland()) { createSupported = writeSupported = false; 
} } } // access DBus to have the socket open QDBusConnection::sessionBus(); // default action: allow // we cannot use a whitelist approach of syscalls // Qt, OpenGL, DBus just need to much and too broad auto context = seccomp_init(SCMP_ACT_ALLOW); if (!context) { return; } // add a filter to prevent that the password gets written to a file // we cannot disallow write syscall. That one is needed to wake up threads // Qt and OpenGL might create additional threads and then it would fail as we have an fd which // is not allowed to write to // instead disallow opening new files for writing // they should fail with EPERM error if (writeSupported) { seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); } if (createSupported) { seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open_by_handle_at), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(creat), 0); } // Disallow everything which modifies the filesystem. An attacker could store the password as a directory name or encode it in chmod bits. 
// Also prevent deleting anything, to prevent an attacker from deleting the users files. seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(truncate), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(rename), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(renameat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(renameat2), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mkdir), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mkdirat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(rmdir), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(link), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(linkat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(unlink), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(unlinkat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(symlink), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(symlinkat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mknod), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(mknodat), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmod), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 0); // disallow going to a socket seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0); // disallow fork+exec // note glibc seems to use clone which is allowed for threads seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fork), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(vfork), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(execve), 0); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(execveat), 0); // disallow pipe, that should destroy copy and paste on Wayland seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(pipe), 0); 
seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(pipe2), 0); // and activate our rules seccomp_load(context); seccomp_release(context); } } }
diff --git a/greeter/themes/org.kde.passworddialog/metadata.desktop b/greeter/themes/org.kde.passworddialog/metadata.desktop
index 4822392..023849e 100644
--- a/greeter/themes/org.kde.passworddialog/metadata.desktop
+++ b/greeter/themes/org.kde.passworddialog/metadata.desktop
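Review bot: `init()` ignores the result of every libseccomp call, so the filter fails open: `if (!context) { return; }` leaves the greeter running unfiltered with no message, and a failed `seccomp_rule_add` or `seccomp_load(context)` is equally silent. The comments give the purpose as preventing the password from being written to a file, so a load failure should at least be reported, e.g. `if (seccomp_load(context) != 0) { qWarning("seccomp filter could not be loaded"); }`, with the same check on the rule additions. Whether the greeter should refuse to continue in that case is a decision for the caller, which is not visible in this hunk. The only line this commit adds is the `#include`, so the point applies to the existing body shown as context.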
@@ -1,97 +1,97 @@ [Desktop Entry] Name=Password dialog Name[ar]=حواريّ كلمة المرور Name[ca]=Diàleg de contrasenya Name[ca@valencia]=Diàleg de contrasenya Name[cs]=Dialog hesla Name[da]=Adgangskodedialog Name[de]=Passwort-Dialog Name[el]=Διάλογος κωδικού πρόσβασης Name[en_GB]=Password dialogue Name[es]=Diálogo de contraseña Name[et]=Paroolidialoog Name[eu]=Pasahitzaren elkarrizketa-koadroa Name[fi]=Salasanaikkuna Name[fr]=Boîtes de dialogue de mot de passe Name[gl]=Diálogo de contrasinal Name[he]=דו־שיח סיסמה Name[hu]=Jelszó párbeszédablak Name[ia]=Dialogo de contrasigno -Name[id]=Dialog sandi +Name[id]=Password dialog Name[it]=Finestra della password Name[ja]=パスワード入力ダイアログ Name[ko]=암호 대화 상자 Name[nb]=Passorddialog Name[nl]=Wachtwoordvenster Name[nn]=Passordvindauge Name[pa]=ਪਾਸਵਰਡ ਡਾਈਲਾਗ Name[pl]=Okno dialogowe hasła Name[pt]=Janela da senha Name[pt_BR]=Janela de senha Name[ru]=Диалог ввода пароля Name[sk]=Dialóg hesla Name[sl]=Pogovorno okno gesla Name[sr]=Дијалог за лозинку Name[sr@ijekavian]=Дијалог за лозинку Name[sr@ijekavianlatin]=Dijalog za lozinku Name[sr@latin]=Dijalog za lozinku Name[sv]=Lösenordsdialogruta Name[tr]=Parola penceresi Name[uk]=Вікно для введення пароля Name[x-test]=xxPassword dialogxx Name[zh_CN]=密码对话框 Name[zh_TW]=密碼對話框 Comment=Screen locker that provides a password dialog and an interface to switch the current user Comment[ar]=قافل شاشة يوفّر حواريّ كلمة مرور وواجهة لتبديل المستخدم الحاليّ Comment[ca]=Bloqueig de pantalla que proporciona un diàleg de contrasenya i una interfície per commutar l'usuari actual Comment[ca@valencia]=Bloqueig de pantalla que proporciona un diàleg de contrasenya i una interfície per commutar l'usuari actual Comment[cs]=Zámek obrazovky poskytující dialog s heslem a rozhraní pro přepínání uživatelů Comment[da]=Skærmlås som giver en adgangskodedialog med en brugerflade til at skifte aktuel bruger Comment[de]=Bildschirmsperre mit einem Passwortdialog und der Möglichkeit, den aktuellen Benutzer zu wechseln 
Comment[el]=Εφαρμογή κλειδώματος οθόνης με διάλογο κωδικού πρόσβασης και μια διεπαφή για την εναλλαγή του τρέχοντος χρήστη Comment[en_GB]=Screen locker that provides a password dialogue and an interface to switch the current user Comment[es]=Bloqueador de pantalla que proporciona un diálogo de contraseña y una interfaz para cambiar el usuario actual Comment[et]=Ekraani lukustaja, mis pakub paroolidialoogi ja liidest aktiivse kasutaja vahetamiseks Comment[eu]=Pantaila giltzatzailea, pasahitzaren elkarrizketa-koadro bat eta uneko erabiltzailea aldatzeko interfaze bat eskaintzen dituena Comment[fi]=Salasanakyselyn ja käyttäjävaihdon tarjoava näyttölukko Comment[fr]=Outil de verrouillage d'écran fournissant une boîte de dialogue de mot de passe et une interface pour changer d'utilisateur Comment[gl]=Bloqueador da pantalla que fornece un diálogo de contrasinal e unha interface para cambiar de usuario. Comment[he]=מסך נעילה שמספק החלפת משתמשים והתחברות באמצעות סיסמה Comment[hu]=Jelszómegadó párbeszédablakot és felhasználóváltó felületet biztosító képernyőzároló Comment[ia]=Blocator de schermo que da un dialogo de contrasigno e uninterfacie pro commutar le usator currente Comment[id]=Penguncian layar yang menyediakan dialog sandi dan sebuah antarmuka untuk mengalihkan pengguna saat ini Comment[it]=Un bloccaschermo che fornisce una finestra per la password ed un'interfaccia per cambiare utente Comment[ja]=パスワード入力ダイアログと現在のユーザを切り替えるインターフェースを提供するスクリーンロッカー Comment[ko]=암호 입력 및 사용자 전환 기능을 제공하는 잠금 화면 Comment[nb]=Skjermlåser som viser en passorddialog og et grensesnitt for å bytte gjeldende bruker Comment[nl]=Schermvergrendeling die een wachtwoordvenster en een interface om naar de huidige gebruiker om te schakelen biedt Comment[nn]=Skjermlåsar som spør om brukarpassord og gjer det mogleg å byta brukar Comment[pa]=ਸਕਰੀਨ ਲਾਕਰ ਪਾਸਵਰਡ ਡਾਈਲਾਗ ਅਤੇ ਮੌਜੂਦਾ ਵਰਤੋਂਕਰਾਂ ਨੂੰ ਬਦਲਣ ਲਈ ਇੰਟਰਫੇਸ ਦਿੰਦਾ ਹੈ। Comment[pl]=Blokada ekranu, która zapewnia okno dialogowe hasła i interfejs do przełączania 
bieżącego użytkownika Comment[pt]=Bloqueio do ecrã que mostra uma janela de introdução da senha e para mudar o utilizador actual Comment[pt_BR]=Bloqueador de sessão que fornece uma caixa de diálogo de senha e uma interface para mudar o usuário atual Comment[ru]=Блокировщик экрана защищает компьютер паролем, а также позволяет входить в систему с другим именем пользователя Comment[sk]=Zamykač obrazovky, ktorý poskytuje dialóg s heslom a rozhranie na prepnutie aktuálneho používateľa Comment[sl]=Zaklep zaslona, ki ponuja pogovorno okno za geslo in vmesnik za zamenjavo trenutnega uporabnika Comment[sr]=Закључавач екрана који пружа дијалог за лозинку и сучеље за мењање тренутног корисника Comment[sr@ijekavian]=Закључавач екрана који пружа дијалог за лозинку и сучеље за мењање тренутног корисника Comment[sr@ijekavianlatin]=Zaključavač ekrana koji pruža dijalog za lozinku i sučelje za menjanje trenutnog korisnika Comment[sr@latin]=Zaključavač ekrana koji pruža dijalog za lozinku i sučelje za menjanje trenutnog korisnika Comment[sv]=Skärmlåsning som tillhandahåller en lösenordsdialogruta och ett gränssnitt för att byta aktuell användare Comment[tr]=Geçerli kullanıcıyı değiştirmek için parola penceresi ve arayüz sunan ekran kilitleyici Comment[uk]=Блокувальник екрана з вікном пароля і інтерфейсом для перемикання поточного користувача Comment[x-test]=xxScreen locker that provides a password dialog and an interface to switch the current userxx Comment[zh_CN]=屏幕锁定程序提供密码对话框和切换当前用户的界面 Comment[zh_TW]=提供輸入密碼與切換使用者功能的螢幕保護鎖定器 Icon=system-lock-screen X-Plasma-MainScript=ui/main.qml X-KDE-PluginInfo-Author=Martin Gräßlin X-KDE-PluginInfo-Email=mgraesslin@kde.org X-KDE-PluginInfo-Name=org.kde.passworddialog X-KDE-PluginInfo-Version=1.0 X-KDE-PluginInfo-Depends= X-KDE-PluginInfo-License=GPL Type=Service