gui: Add vow_promises to exile policy

Albert S. 2021-12-29 11:51:52 +01:00
parent ba636bf0fc
commit bb5a793300
2 changed files with 28 additions and 5 deletions


@ -24,7 +24,7 @@ int main(int argc, char *argv[])
qDebug() << "Launching ipc"; qDebug() << "Launching ipc";
if(!ipcserver->startSpawner(socketPath)) if(!ipcserver->startSpawner(socketPath))
{ {
qDebug() << "Error failed to spawn"; qCritical() << "Error failed to spawn";
return 1; return 1;
} }
qDebug() << "Launched"; qDebug() << "Launched";
@ -42,15 +42,38 @@ int main(int argc, char *argv[])
} }
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
if(policy == NULL)
{
qCritical() << "Failed to init policy for sandbox";
return 1;
}
std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString(); std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString();
std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString(); std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString();
std::string sockPath = socketPath.toStdString(); std::string sockPath = socketPath.toStdString();
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER; policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
policy->vow_promises = EXILE_SYSCALL_VOW_THREAD | EXILE_SYSCALL_VOW_CPATH | EXILE_SYSCALL_VOW_WPATH |
EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_STDIO |
EXILE_SYSCALL_VOW_PROT_EXEC | EXILE_SYSCALL_VOW_PROC | EXILE_SYSCALL_VOW_SHM |
EXILE_SYSCALL_VOW_FSNOTIFY | EXILE_SYSCALL_VOW_IOCTL;
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/"); if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0)
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str()); {
exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, cacheDataLocation.c_str()); qCritical() << "Failed to append a path to the path policy";
return 1;
}
if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str()) !=
0)
{
qCritical() << "Failed to append a path to the path policy";
return 1;
}
if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE,
cacheDataLocation.c_str()) != 0)
{
qCritical() << "Failed to append a path to the path policy";
return 1;
}
int ret = exile_enable_policy(policy); int ret = exile_enable_policy(policy);
if(ret != 0) if(ret != 0)
{ {
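Review bot: The mask assigned to `policy->vow_promises` grants `EXILE_SYSCALL_VOW_PROT_EXEC`, `EXILE_SYSCALL_VOW_PROC` and `EXILE_SYSCALL_VOW_IOCTL` with no comment saying which part of the GUI needs them, so a later reader cannot tell which promises could be dropped to tighten the sandbox. A short comment above the assignment would help, for example `// PROT_EXEC/PROC/IOCTL: presumably required by Qt at runtime; TODO confirm and narrow`. The rule for "/" still carries `EXILE_FS_ALLOW_REMOVE_FILE` next to read access; if deletion is only needed under the app data and cache directories, it is worth confirming that the root rule needs it. The three new `exile_append_path_policy` failure branches log identical text, so naming the path, e.g. `qCritical() << "Failed to append path to the path policy:" << appDataLocation.c_str();`, would make a failed sandbox setup easier to diagnose. The body of main continues outside this hunk, so how `ret` is handled is not visible here.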

@ -1 +1 @@
Subproject commit d742397b522eb91513bab54a3aa992dfb7121462 Subproject commit 4824c6eaa9043878daaba7b3778338f5bf913f06