sandboxing: sync with qssb.h upstream + isolate network

cgit.c

@@ -1049,24 +1049,27 @@ static int calc_ttl(void)
 void enable_sandbox()
 {
 	struct qssb_policy *policy = qssb_init_policy();
-
-	size_t allowed_paths_length = cgit_repolist.count+2;
-	char **allowed_paths = malloc(sizeof(char *) * allowed_paths_length);
-	allowed_paths[0] = "/dev/"; //TODO: drop this once qssb can create some minimal /dev itself
+	struct qssb_path_policy dev_policy;
+	//TODO: drop this once qssb can create some minimal /dev itself
+	dev_policy.mountpoint = "/dev/";
+	dev_policy.policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_DEV;
+	dev_policy.next = malloc(sizeof(struct qssb_path_policy));
+	struct qssb_path_policy **current_target = &dev_policy.next;
 	for(int i = 0; i < cgit_repolist.count; i++)
 	{
-		struct cgit_repo *current = &cgit_repolist.repos[i];
-		allowed_paths[i+1] = current->path;
+		*current_target = malloc(sizeof(struct qssb_path_policy));
+		(*current_target)->mountpoint = cgit_repolist.repos[i].path;
+		(*current_target)->policy = QSSB_MOUNT_ALLOW_READ;
+		(*current_target)->next = NULL;
+		current_target = &(*current_target)->next;
 	}
-	allowed_paths[allowed_paths_length-1] = NULL;
-	policy->readonly_paths = allowed_paths;
+	policy->path_policies = &dev_policy;
+	policy->namespace_options |= QSSB_UNSHARE_NETWORK;
 	if(qssb_enable_policy(policy) != 0)
 	{
 		fprintf(stderr, "%s", "Failed to init sandbox\n");
 		exit(EXIT_FAILURE);
 	}
-
-	free(allowed_paths);
 	qssb_free_policy(policy);
 }
 

qssb

@@ -1 +1 @@
-Subproject commit 1635ffce087130ca25f97a31841c9d28f7808b87
+Subproject commit 8f104a231cf63c39569d60bbd5d379f728f89ca9