From 67189f34c6065182ac0d0f42ece6d14813393d23 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Mon, 6 Jun 2022 22:11:58 +0200
Subject: [PATCH] gui: main: Make sandboxing work on kernels without landlock

Those are still around of course, so deal with that
---
 gui/main.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gui/main.cpp b/gui/main.cpp
index 0ca8e6c..eb11553 100644
--- a/gui/main.cpp
+++ b/gui/main.cpp
@@ -23,19 +23,23 @@ void enableIpcSandbox()
 qCritical() << "Failed to init policy for sandbox";
 exit(EXIT_FAILURE);
 }
- policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
+ policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
 policy->no_new_privs = 1;
 policy->drop_caps = 1;
 policy->vow_promises = exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl error");
+ policy->mount_path_policies_to_chroot = 1;
 QString ipcSocketPath = Common::ipcSocketPath();
 QFileInfo info{ipcSocketPath};
 QString ipcSocketPathDir = info.absolutePath();
 std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
- exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/");
- exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, stdIpcSocketPath.c_str());
+ /* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
+ * due to the vows */
+ exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
+ exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE | EXILE_FS_ALLOW_EXEC,
+ stdIpcSocketPath.c_str());
 int ret = exile_enable_policy(policy);
 if(ret != 0)
 {
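Review bot: The two new `exile_append_path_policies` calls for "/" and for the socket directory still discard their return value, so a failed append would presumably only show up later as a policy missing the intended allow rules, or not at all; assuming the function reports failure through its return the way `exile_enable_policy` does a few lines below, guard each call, e.g. `if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/") != 0) { qCritical() << "Failed to add path policy"; exit(EXIT_FAILURE); }`. The new comment also rests on an invariant that is only implicit: ALLOW_EXEC on "/" is harmless only because the vow string set earlier in the hunk contains no exec promise, so anyone extending that string would silently widen the sandbox. Consider extending the comment with `Keep the vow list above free of "exec" -- that is what makes ALLOW_EXEC on "/" safe in landlock mode`. The body of enableIpcSandbox continues past the hunk (the `if(ret != 0)` handling), and the hunk header counts suggest a few blank lines were lost in this rendering.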
@@ -61,7 +65,7 @@ int main(int argc, char *argv[])
 qDebug() << "Launching IPC Server";
 if(!ipcserver->startSpawner(socketPath))
 {
- qCritical() << "Error failed to spawn";
+ qCritical() << "Error failed to spawn" << Qt::endl;
 return 1;
 }
 qDebug() << "Launched IPC Server";
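Review bot: `Qt::endl` on the qCritical line most likely just yields an empty line in the log, since Qt's default message handler already terminates each qCritical message, and the message still omits the one value that would help diagnose a spawner failure, the socket path that is right there in the condition above it. Suggest `qCritical() << "Error failed to spawn IPC server at" << socketPath;` instead. main continues outside the hunk.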