[Poppler-bugs] [Bug 100224] [PATCH] Seccomp sandbox support for pdftotext
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Thu Mar 16 15:04:13 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=100224
--- Comment #1 from Jason Crain <jason at aquaticape.us> ---
I have a few comments, though you'll also have to wait for Albert to comment on
whether he wants to add seccomp support.
1. Instead of just adding the library to Makefile.am, you should conditionally
depend on the library through checks in both configure.ac and CMakeLists.txt.
The way you have it now is likely to break compilation on anything other than
Linux. And poppler has two parallel build systems, cmake and autotools, so if
something is changed, it needs to be changed in both.
2. Patches should not include generated files like Makefile.in. Using 'git
format-patch' on the git repo to generate a patch works better.
3. At least 'stat', 'getdents', 'sysinfo', and 'mremap' need to be added to the
list. I haven't tested very thoroughly so they may be more.
I also wonder how maintainable this is. It seems to me that the exact syscalls
used are going to vary between systems and depend on what poppler's
dependencies and libraries do. pdftotext doesn't depend on a lot, but trying
to use seccomp on pdftocairo could be difficult.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170316/325eda17/attachment.html>
More information about the Poppler-bugs
mailing list