From 6fdf5f8f5adff307f3fcb03cf25b122935a92a28 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Sun, 17 Nov 2019 12:51:45 +0100
Subject: [PATCH] sandboxing: sync with qssb.h upstream + isolate network
---
 cgit.c | 23 +++++++++++++----------
 qssb | 2 +-
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/cgit.c b/cgit.c
index eb33b98..da47f23 100644
--- a/cgit.c
+++ b/cgit.c
@@ -1049,24 +1049,27 @@ static int calc_ttl(void)
 void enable_sandbox()
 {
 struct qssb_policy *policy = qssb_init_policy();
-
- size_t allowed_paths_length = cgit_repolist.count+2;
- char **allowed_paths = malloc(sizeof(char *) * allowed_paths_length);
- allowed_paths[0] = "/dev/"; //TODO: drop this once qssb can create some minimal /dev itself
+ struct qssb_path_policy dev_policy;
+ //TODO: drop this once qssb can create some minimal /dev itself
+ dev_policy.mountpoint = "/dev/";
+ dev_policy.policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_DEV;
+ dev_policy.next = malloc(sizeof(struct qssb_path_policy));
+ struct qssb_path_policy **current_target = &dev_policy.next;
 for(int i = 0; i < cgit_repolist.count; i++)
 {
- struct cgit_repo *current = &cgit_repolist.repos[i];
- allowed_paths[i+1] = current->path;
+ *current_target = malloc(sizeof(struct qssb_path_policy));
+ (*current_target)->mountpoint = cgit_repolist.repos[i].path;
+ (*current_target)->policy = QSSB_MOUNT_ALLOW_READ;
+ (*current_target)->next = NULL;
+ current_target = &(*current_target)->next;
 }
- allowed_paths[allowed_paths_length-1] = NULL;
- policy->readonly_paths = allowed_paths;
+ policy->path_policies = &dev_policy;
+ policy->namespace_options |= QSSB_UNSHARE_NETWORK;
 if(qssb_enable_policy(policy) != 0)
 {
 fprintf(stderr, "%s", "Failed to init sandbox\n");
 exit(EXIT_FAILURE);
 }
-
- free(allowed_paths);
 qssb_free_policy(policy);
 }
diff --git a/qssb b/qssb
index 1635ffc..8f104a2 160000
--- a/qssb
+++ b/qssb
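Review bot: `dev_policy.next = malloc(sizeof(struct qssb_path_policy));` allocates a node that the loop's first iteration immediately overwrites through `current_target` (a leak), and when `cgit_repolist.count` is 0 it remains the list tail with uninitialized `mountpoint`, `policy` and `next`, so `qssb_enable_policy()` would walk garbage instead of a terminated list. That line should simply be `dev_policy.next = NULL;`, which makes the empty-repolist case a well-formed one-entry list. The per-repository `malloc` inside the loop is also unchecked before it is dereferenced; `if (!*current_target) { fprintf(stderr, "%s", "Failed to init sandbox\n"); exit(EXIT_FAILURE); }` keeps the hunk's existing failure style. Unlike the removed `free(allowed_paths)`, nothing releases the list nodes after `qssb_enable_policy()`; whether `qssb_free_policy()` walks `path_policies` is not visible here, and if it does, passing the stack-allocated `dev_policy` as the head would be a problem, so a short comment at `policy->path_policies = &dev_policy;` stating who owns and frees the nodes would help.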
@@ -1 +1 @@
-Subproject commit 1635ffce087130ca25f97a31841c9d28f7808b87
+Subproject commit 8f104a231cf63c39569d60bbd5d379f728f89ca9