diff -Naur poppler-0.52.0/utils/Makefile.am poppler-0.52.0_/utils/Makefile.am --- poppler-0.52.0/utils/Makefile.am 2017-01-16 22:37:00.000000000 +0100 +++ poppler-0.52.0_/utils/Makefile.am 2017-03-16 06:11:52.704564361 +0100 @@ -91,7 +91,23 @@ pdftotext_SOURCES = \ pdftotext.cc \ printencodings.cc \ - printencodings.h + printencodings.h \ + libsec.cc \ + libsec.h + + +PDFTOTEXT_CFLAGS = -lseccomp +PDFTOTEXT_LIBS = -lseccomp + +pdftotext_LDADD = $(LDADD) \ + $(PDFTOTEXT_LIBS) \ + $(PTHREAD_LIBS) + +pdftotext_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(PDFTOTEXT_CFLAGS) + + pdftohtml_SOURCES = \ pdftohtml.cc \ diff -Naur poppler-0.52.0/utils/Makefile.in poppler-0.52.0_/utils/Makefile.in --- poppler-0.52.0/utils/Makefile.in 2017-02-15 23:11:22.000000000 +0100 +++ poppler-0.52.0_/utils/Makefile.in 2017-03-16 06:02:53.847907543 +0100 @@ -198,7 +198,7 @@ pdftops_LDADD = $(LDADD) pdftops_DEPENDENCIES = libparseargs.la \ $(top_builddir)/poppler/libpoppler.la -am_pdftotext_OBJECTS = pdftotext.$(OBJEXT) printencodings.$(OBJEXT) +am_pdftotext_OBJECTS = pdftotext.$(OBJEXT) printencodings.$(OBJEXT) pdftotext-libsec.$(OBJEXT) pdftotext_OBJECTS = $(am_pdftotext_OBJECTS) pdftotext_LDADD = $(LDADD) pdftotext_DEPENDENCIES = libparseargs.la \ @@ -530,7 +530,6 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ -runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -586,7 +585,19 @@ pdftotext_SOURCES = \ pdftotext.cc \ printencodings.cc \ - printencodings.h + printencodings.h \ + libsec.cc \ + libsec.h + +PDFTOTEXT_CFLAGS = -lseccomp +PDFTOTEXT_LIBS = -lseccomp +pdftotext_LDADD = $(LDADD) \ + $(PDFTOTEXT_LIBS) \ + $(PTHREAD_LIBS) + +pdftotext_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(PDFTOTEXT_CFLAGS) pdftohtml_SOURCES = \ pdftohtml.cc \ 
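Review bot: `PDFTOTEXT_CFLAGS = -lseccomp` in the Makefile.am hunk feeds a linker flag into `pdftotext_CPPFLAGS`, where it has no effect at compile time, and `-lseccomp` is linked unconditionally with no configure check, so the build breaks on any system without libseccomp. The flags are better taken from configure, e.g. `PKG_CHECK_MODULES([SECCOMP], [libseccomp])` with `pdftotext_CPPFLAGS = $(AM_CPPFLAGS) $(SECCOMP_CFLAGS)` and `pdftotext_LDADD = $(LDADD) $(SECCOMP_LIBS)`. The same check should define `HAVE_LIBSECCOMP`, replacing the hard-coded `#define HAVE_LIBSECCOMP` in libsec.cc and pdftotext.cc, which currently makes the no-seccomp fallback dead code.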
@@ -802,6 +813,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdftohtml-pdftohtml.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdftoppm.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdftops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdftotext-libsec.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdftotext.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pdfunite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printencodings.Po@am__quote@ 
@@ -911,6 +923,48 @@ @AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pdftohtml_CXXFLAGS) $(CXXFLAGS) -c -o pdftohtml-HtmlOutputDev.obj `if test -f 'HtmlOutputDev.cc'; then $(CYGPATH_W) 'HtmlOutputDev.cc'; else $(CYGPATH_W) '$(srcdir)/HtmlOutputDev.cc'; fi` +pdftotext-pdftotext.o: pdftotext.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-pdftotext.o -MD -MP -MF $(DEPDIR)/pdftotext-pdftotext.Tpo -c -o pdftotext-pdftotext.o `test -f 'pdftotext.cc' || echo '$(srcdir)/'`pdftotext.cc +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-pdftotext.Tpo $(DEPDIR)/pdftotext-pdftotext.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='pdftotext.cc' object='pdftotext-pdftotext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-pdftotext.o `test -f 'pdftotext.cc' || echo '$(srcdir)/'`pdftotext.cc + +pdftotext-pdftotext.obj: pdftotext.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-pdftotext.obj -MD -MP -MF $(DEPDIR)/pdftotext-pdftotext.Tpo -c -o pdftotext-pdftotext.obj `if test -f 'pdftotext.cc'; then $(CYGPATH_W) 'pdftotext.cc'; else $(CYGPATH_W) '$(srcdir)/pdftotext.cc'; fi` +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-pdftotext.Tpo $(DEPDIR)/pdftotext-pdftotext.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='pdftotext.cc' object='pdftotext-pdftotext.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-pdftotext.obj `if test -f 'pdftotext.cc'; then $(CYGPATH_W) 'pdftotext.cc'; else $(CYGPATH_W) '$(srcdir)/pdftotext.cc'; fi` + +pdftotext-printencodings.o: printencodings.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-printencodings.o -MD -MP -MF $(DEPDIR)/pdftotext-printencodings.Tpo -c -o pdftotext-printencodings.o `test -f 'printencodings.cc' || echo '$(srcdir)/'`printencodings.cc +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-printencodings.Tpo $(DEPDIR)/pdftotext-printencodings.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='printencodings.cc' object='pdftotext-printencodings.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-printencodings.o `test -f 'printencodings.cc' || echo '$(srcdir)/'`printencodings.cc + +pdftotext-printencodings.obj: printencodings.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-printencodings.obj -MD -MP -MF $(DEPDIR)/pdftotext-printencodings.Tpo -c -o pdftotext-printencodings.obj `if test -f 'printencodings.cc'; then $(CYGPATH_W) 'printencodings.cc'; else $(CYGPATH_W) '$(srcdir)/printencodings.cc'; fi` +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-printencodings.Tpo $(DEPDIR)/pdftotext-printencodings.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ 
$(AM_V_CXX)source='printencodings.cc' object='pdftotext-printencodings.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-printencodings.obj `if test -f 'printencodings.cc'; then $(CYGPATH_W) 'printencodings.cc'; else $(CYGPATH_W) '$(srcdir)/printencodings.cc'; fi` + +pdftotext-libsec.o: libsec.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-libsec.o -MD -MP -MF $(DEPDIR)/pdftotext-libsec.Tpo -c -o pdftotext-libsec.o `test -f 'libsec.cc' || echo '$(srcdir)/'`libsec.cc +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-libsec.Tpo $(DEPDIR)/pdftotext-libsec.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='libsec.cc' object='pdftotext-libsec.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-libsec.o `test -f 'libsec.cc' || echo '$(srcdir)/'`libsec.cc + +pdftotext-libsec.obj: libsec.cc +@am__fastdepCXX_TRUE@ $(AM_V_CXX)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -MT pdftotext-libsec.obj -MD -MP -MF $(DEPDIR)/pdftotext-libsec.Tpo -c -o pdftotext-libsec.obj `if test -f 'libsec.cc'; then $(CYGPATH_W) 'libsec.cc'; else $(CYGPATH_W) '$(srcdir)/libsec.cc'; fi` +@am__fastdepCXX_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pdftotext-libsec.Tpo $(DEPDIR)/pdftotext-libsec.Po +@AMDEP_TRUE@@am__fastdepCXX_FALSE@ $(AM_V_CXX)source='libsec.cc' object='pdftotext-libsec.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCXX_FALSE@ DEPDIR=$(DEPDIR) $(CXXDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCXX_FALSE@ $(AM_V_CXX@am__nodep@)$(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pdftotext_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) -c -o pdftotext-libsec.obj `if test -f 'libsec.cc'; then $(CYGPATH_W) 'libsec.cc'; else $(CYGPATH_W) '$(srcdir)/libsec.cc'; fi` + mostlyclean-libtool: -rm -f *.lo diff -Naur poppler-0.52.0/utils/libsec.cc poppler-0.52.0_/utils/libsec.cc --- poppler-0.52.0/utils/libsec.cc 1970-01-01 01:00:00.000000000 +0100 +++ poppler-0.52.0_/utils/libsec.cc 2017-03-16 05:50:52.441254377 +0100 
@@ -0,0 +1,98 @@
+#include "libsec.h"
+#include
+
+#define HAVE_LIBSECCOMP
+#ifdef HAVE_LIBSECCOMP
+
+#include /* libseccomp */
+#include /* prctl */
+#include
+#include
+#include
+#include
+
+#define ALLOW_RULE(call) { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; }
+
+scmp_filter_ctx ctx;
+
+int syscallfilter(void){
+
+ // prevent child processes from getting more priv e.g. via setuid, capabilities, ...
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ perror("prctl SET_NO_NEW_PRIVS");
+ exit(EXIT_FAILURE);
+ }
+
+
+ // prevent escape via ptrace
+ if(prctl (PR_SET_DUMPABLE, 0, 0, 0, 0)){
+ perror("prctl PR_SET_DUMPABLE");
+ exit(EXIT_FAILURE);
+ }
+
+ // initialize the filter
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return 1;
+
+
+ ALLOW_RULE (access);
+ ALLOW_RULE (arch_prctl);
+ ALLOW_RULE (brk);
+ ALLOW_RULE (close);
+ ALLOW_RULE (exit);
+ ALLOW_RULE (exit_group);
+ ALLOW_RULE (fstat);
+ ALLOW_RULE (lseek);
+ ALLOW_RULE (mmap);
+ ALLOW_RULE (mprotect);
+ ALLOW_RULE (munmap);
+ ALLOW_RULE (open);
+ ALLOW_RULE (pread64);
+ ALLOW_RULE (read);
+ ALLOW_RULE (rt_sigaction);
+ ALLOW_RULE (rt_sigprocmask);
+ ALLOW_RULE (set_robust_list);
+ ALLOW_RULE (set_tid_address);
+ ALLOW_RULE (write);
+
+
+ /* /\* special restrictions for open, prevent opening files for writing *\/ */
+ /* if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, */
+ /* SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0) */
+ /* goto out; */
+
+ /* if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, */
+ /* SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0) */
+ /* goto out; */
+
+ /* if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(open), 1, */
+ /* SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0) */
+ /* goto out; */
+
+
+ //applying filter...
+ if (seccomp_load (ctx) >= 0){ + // free ctx after the filter has been loaded into the kernel + seccomp_release(ctx); + return 0; + } + + out: + //something went wrong + seccomp_release(ctx); + return 1; +} + +#else /* HAVE_LIBSECCOMP */ + + +int syscallfilter(void){ + + perror("No seccomp support compiled-in\n"); + return 1; +} + + + +#endif /* HAVE_LIBSECCOMP */ diff -Naur poppler-0.52.0/utils/libsec.h poppler-0.52.0_/utils/libsec.h --- poppler-0.52.0/utils/libsec.h 1970-01-01 01:00:00.000000000 +0100 +++ poppler-0.52.0_/utils/libsec.h 2017-03-16 05:51:35.824586868 +0100 @@ -0,0 +1,6 @@ +#ifndef SECCOMP_H +#define SECCOMP_H + +int syscallfilter(void); + +#endif diff -Naur poppler-0.52.0/utils/pdftotext.cc poppler-0.52.0_/utils/pdftotext.cc --- poppler-0.52.0/utils/pdftotext.cc 2016-12-06 23:48:28.000000000 +0100 +++ poppler-0.52.0_/utils/pdftotext.cc 2017-03-16 05:47:39.017924497 +0100 @@ -60,6 +60,13 @@ #include #include +//todo: put this in makefiles +#define HAVE_LIBSECCOMP + +#ifdef HAVE_LIBSECCOMP +#include "libsec.h" +#endif /* HAVE_LIBSECCOMP */ + static void printInfoString(FILE *f, Dict *infoDict, const char *key, const char *text1, const char *text2, UnicodeMap *uMap); static void printInfoDate(FILE *f, Dict *infoDict, const char *key, const char *fmt); @@ -168,6 +175,13 @@ } int main(int argc, char *argv[]) { + +#ifdef HAVE_LIBSECCOMP + + syscallfilter(); + +#endif /* HAVE_LIBSECCOMP */ + PDFDoc *doc; GooString *fileName; GooString *textFileName;
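Review bot: The allow-list in syscallfilter() (libsec.cc) permits `open`, `write`, `mmap` and `mprotect` with no argument constraints, and the read-only restriction on `open` is left commented out, so a parser compromised by a malicious PDF can still open arbitrary files for writing. Restoring the `SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)` rule in place of `ALLOW_RULE (open);` would presumably also block the tool's own output file, so the filter is better loaded after the input and output files are open, at which point `open` can be restricted to read-only or dropped. Because the default action is `SCMP_ACT_KILL`, any syscall missing from the list kills the process (for example `openat`, which newer C libraries may use to implement `open()`), so the list needs testing against the target libc. Failure handling is also inconsistent: a failed prctl() calls exit(), while a failed seccomp_init() or seccomp_load() only returns 1.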
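Review bot: The return value of `syscallfilter();` at the top of main() in pdftotext.cc is discarded, so when seccomp_init() or seccomp_load() fails the tool goes on to parse the PDF with no filter installed and no message. It should fail closed instead: `if (syscallfilter() != 0) { fprintf(stderr, "failed to install seccomp filter\n"); exit(EXIT_FAILURE); }`. main() continues past the end of the hunk, so where the input and output files are opened relative to this call is not visible here.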