sandboxing: Disable mechanisms requiring namespaces
Detecting whether namespaces are available is needed at some point, especially since Ubuntu 24.04 blocks them with AppArmor. But for now, don't unshare anything. submodules: exile.h: Sync
джерело
c74ef48b40
коміт
2906b56cd6
@ -25,11 +25,10 @@ void enableIpcSandbox()
|
||||
qCritical() << "Failed to init policy for sandbox";
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
|
||||
policy->namespace_options = 0;
|
||||
policy->no_new_privs = 1;
|
||||
policy->drop_caps = 1;
|
||||
policy->drop_caps = 0;
|
||||
policy->vow_promises = exile_vows_from_str("thread cpath rpath wpath unix stdio proc error");
|
||||
policy->mount_path_policies_to_chroot = 1;
|
||||
|
||||
QString ipcSocketPath = Common::ipcSocketPath();
|
||||
QFileInfo info{ipcSocketPath};
|
||||
|
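Review bot: `policy->drop_caps = 0;` looks like the new value here (the page has lost its +/- markers, so this is inferred from print order and the hunk counts), yet dropping capabilities does not obviously depend on namespaces the way the `EXILE_UNSHARE_*` flags do. If exile can drop capabilities without a user namespace, keeping `policy->drop_caps = 1;` would preserve that layer for the case where the process is started with elevated privileges. Separately, `namespace_options = 0` removes network-namespace isolation here and in SandboxedProcessor::enableSandbox, so it is worth confirming that the vow string is what keeps inet sockets unavailable. A comment such as `// TODO: restore EXILE_UNSHARE_* once namespace availability is probed (AppArmor on Ubuntu 24.04 blocks them)` next to the assignment would keep the downgrade from silently becoming permanent. enableIpcSandbox starts and ends outside the hunk.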
@ -38,13 +38,11 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
|
||||
qCritical() << "Could not init exile" << Qt::endl;
|
||||
exit(PROCESSFAIL);
|
||||
}
|
||||
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
|
||||
policy->namespace_options = 0;
|
||||
|
||||
std::string readablePathLocation;
|
||||
if(!readablePath.isEmpty())
|
||||
{
|
||||
policy->namespace_options |= EXILE_UNSHARE_MOUNT;
|
||||
policy->mount_path_policies_to_chroot = 1;
|
||||
readablePathLocation = readablePath.toStdString();
|
||||
if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
|
||||
{
|
||||
|
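Review bot: The read-only rule added by `exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, ...)` no longer appears to be backed by a mount namespace or chroot. The hunk counts suggest `policy->namespace_options |= EXILE_UNSHARE_MOUNT;` and `policy->mount_path_policies_to_chroot = 1;` are removed lines. The path restriction for the process that parses files then depends entirely on whatever other enforcement exile applies (presumably Landlock), which is not visible in this hunk, so please confirm that enableSandbox fails closed when that mechanism is unavailable. Because the isolation is reduced on every system and not only where unsharing is blocked, a `qWarning() << "Sandbox: namespaces disabled, running with reduced isolation";` after the assignment would make the degraded mode visible in logs. The body of enableSandbox continues outside the hunk.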
@ -1 +1 @@
|
||||
Subproject commit 44b9a17becf6882e1b3728cbf885ae9e5a6717af
|
||||
Subproject commit 4cfdead5d0d2cb4ecee4e5e654e8e90dda683744
|