From bb5a7933000d550798c87570cdbeb5e844105cc0 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Wed, 29 Dec 2021 11:51:52 +0100
Subject: [PATCH] gui: Add vow_promises to exile policy
---
 gui/main.cpp | 31 +++++++++++++++++++++++++++----
 submodules/exile.h | 2 +-
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/gui/main.cpp b/gui/main.cpp
index 02819c6..dffd466 100644
--- a/gui/main.cpp
+++ b/gui/main.cpp
@@ -24,7 +24,7 @@ int main(int argc, char *argv[])
 qDebug() << "Launching ipc";
 if(!ipcserver->startSpawner(socketPath))
 {
- qDebug() << "Error failed to spawn";
+ qCritical() << "Error failed to spawn";
 return 1;
 }
 qDebug() << "Launched";
@@ -42,15 +42,38 @@ int main(int argc, char *argv[])
 }
 struct exile_policy *policy = exile_init_policy();
+ if(policy == NULL)
+ {
+ qCritical() << "Failed to init policy for sandbox";
+ return 1;
+ }
 std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString();
 std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString();
 std::string sockPath = socketPath.toStdString();
 policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
+ policy->vow_promises = EXILE_SYSCALL_VOW_THREAD | EXILE_SYSCALL_VOW_CPATH | EXILE_SYSCALL_VOW_WPATH |
+ EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_STDIO |
+ EXILE_SYSCALL_VOW_PROT_EXEC | EXILE_SYSCALL_VOW_PROC | EXILE_SYSCALL_VOW_SHM |
+ EXILE_SYSCALL_VOW_FSNOTIFY | EXILE_SYSCALL_VOW_IOCTL;
- exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/");
- exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str());
- exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, cacheDataLocation.c_str());
+ if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0)
+ {
+ qCritical() << "Failed to append a path to the path policy";
+ return 1;
+ }
+ if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str()) !=
+ 0)
+ {
+ qCritical() << "Failed to append a path to the path policy";
+ return 1;
+ }
+ if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE,
+ cacheDataLocation.c_str()) != 0)
+ {
+ qCritical() << "Failed to append a path to the path policy";
+ return 1;
+ }
 int ret = exile_enable_policy(policy);
 if(ret != 0)
 {
diff --git a/submodules/exile.h b/submodules/exile.h
index d742397..4824c6e 160000
--- a/submodules/exile.h
+++ b/submodules/exile.h
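Review bot: In the `@@ -42,15 +42,38 @@` hunk of gui/main.cpp, the new `policy->vow_promises` mask has no comment saying why each promise is needed, and it includes `EXILE_SYSCALL_VOW_PROT_EXEC`, `EXILE_SYSCALL_VOW_PROC` and `EXILE_SYSCALL_VOW_IOCTL`, which by their names look like the widest grants in the set. I would add a comment above the assignment along the lines of `// Syscall promises granted to the GUI process; PROT_EXEC, PROC and IOCTL are kept because (reason), re-check when dependencies change`, so a later reviewer can tell a required promise from a leftover. The three `exile_append_path_policy` failure branches log identical text, so the log does not say which grant failed; naming the path, e.g. `qCritical() << "Failed to append path policy for" << appDataLocation.c_str();`, would make a failed sandbox setup diagnosable. The `"/"` entry still carries `EXILE_FS_ALLOW_REMOVE_FILE` from the old code, and it is worth confirming that file removal is needed outside the app-data and cache directories. `main` starts and ends outside this hunk.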
@@ -1 +1 @@
-Subproject commit d742397b522eb91513bab54a3aa992dfb7121462
+Subproject commit 4824c6eaa9043878daaba7b3778338f5bf913f06