2 files changed, 2 insertions(+), 61 deletions(-)
D seccomp-whitelists/seccomp-allowed-w3m
M w3m-sandbox
D seccomp-whitelists/seccomp-allowed-w3m => seccomp-whitelists/seccomp-allowed-w3m +0 -59
@@ 1,59 0,0 @@
-# very restricted set of allowed syscalls for using w3m offline, reading a file or from stdin.
-
-access
-arch_prctl
-brk
-clock_gettime
-clone
-close
-connect
-dup
-dup2
-execve
-exit_group
-fcntl
-futex
-getcwd
-getegid
-geteuid
-getgid
-getpgrp
-getpid
-getppid
-getrandom
-getuid
-lseek
-munmap
-newfstatat
-openat
-pipe2
-read
-readlink
-rt_sigaction
-rt_sigprocmask
-rt_sigreturn
-sched_getaffinity
-sigaltstack
-sysinfo
-uname
-write
-
-socket 0 AF_UNIX
-
-## W^X.
-# Disallow creating writable and executable mappings.
-mmap 2 PROT_NONE
-mmap 2 PROT_READ
-mmap 2 PROT_READ|PROT_EXEC
-mmap 2 PROT_READ|PROT_WRITE
-
-# Disallow transitioning mappings to executable.
-mprotect 2 PROT_NONE
-mprotect 2 PROT_READ
-mprotect 2 PROT_WRITE
-mprotect 2 PROT_READ|PROT_WRITE
-
-ioctl 1 TCGETS
-ioctl 1 TCGETS
-ioctl 1 TIOCGWINSZ
-ioctl 1 SNDCTL_TMR_START
M w3m-sandbox => w3m-sandbox +2 -2
@@ 67,12 67,12 @@ bwrap_wrapper() {
--setenv TERM "$TERM" \
--new-session --die-with-parent --cap-drop ALL \
--seccomp 9 \
- "$@" 9<"$xdg_data/seccomp/seccomp-filter-w3m.bpf"
+ "$@" 9<"$xdg_data/seccomp/seccomp-filter-default.bpf"
}
if [ -z "$file_path" ]; then
- bwrap_wrapper w3m -I %{charset} -T text/html -cols "$COLUMNS" -o display_link=true -o display_link_number=true -o display_image=false $args
+ bwrap_wrapper w3m -I %{charset} -T text/html -no-mouse -no-cookie -cols "$COLUMNS" -o display_link=true -o display_link_number=true -o display_image=false $args
else
bwrap_wrapper --ro-bind "$(dirname "$file_path")" /data w3m -I %{charset} -T text/html -cols "$COLUMNS" -o display_link=true -o display_link_number=true -o display_image=false $args "/data/$(basename "$file_path")"
fi
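Review bot: The new `-no-mouse -no-cookie` options are added only to the stdin branch; the `--ro-bind` branch that renders `"/data/$(basename "$file_path")"` still invokes w3m without them, so the two code paths now hide the mouse/cookie handling inconsistently. Add the same two flags there: `bwrap_wrapper --ro-bind "$(dirname "$file_path")" /data w3m -I %{charset} -T text/html -no-mouse -no-cookie -cols "$COLUMNS" -o display_link=true -o display_link_number=true -o display_image=false $args "/data/$(basename "$file_path")"`. The swap to `seccomp-filter-default.bpf` also drops a w3m-specific allowlist that, per the deleted file, limited `socket` to `AF_UNIX` and refused writable+executable `mmap`/`mprotect`; the default filter is not in this diff, so it is worth confirming it still enforces those for a viewer fed untrusted HTML, and a one-line comment such as `# default filter replaces the old w3m allowlist; keep it network-free and W^X` would record the intent. The `bwrap_wrapper` function begins before this hunk, so its earlier options were not reviewed.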