shared: SandboxedProcessor: Enable fallback for non-landlock systems

Unless it's a processor that does not need fs access, this would
fail on systems without landlock, so we must fall back to
chroot() etc. again.
Albert S. 2022-06-09 09:37:10 +02:00
parent f29f997289
commit e76988ee77


@ -35,7 +35,7 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
struct exile_policy *policy = exile_init_policy(); struct exile_policy *policy = exile_init_policy();
if(policy == NULL) if(policy == NULL)
{ {
qCritical() << "Could not init exile"; qCritical() << "Could not init exile" << Qt::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER; policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
@ -43,6 +43,8 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
std::string readablePathLocation; std::string readablePathLocation;
if(!readablePath.isEmpty()) if(!readablePath.isEmpty())
{ {
policy->namespace_options |= EXILE_UNSHARE_MOUNT;
policy->mount_path_policies_to_chroot = 1;
readablePathLocation = readablePath.toStdString(); readablePathLocation = readablePath.toStdString();
if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0) if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
{ {
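Review bot: The two lines added at the top of the `if(!readablePath.isEmpty())` block enable the mount namespace and chroot on every system, not only when landlock is unavailable, while the commit message describes them as a fallback; a comment should state that this is deliberate so a later reader does not "fix" it by gating it on landlock support. Something like `// Always confine the fs via mount namespace + chroot: on kernels without landlock this is the only path restriction; with landlock it is an additional layer.` above `policy->namespace_options |= EXILE_UNSHARE_MOUNT;` would do. It is also worth confirming that the empty-readablePath case, which now gets neither the mount unshare nor the chroot, is what is wanted for processors that need no fs access, since whether that still yields a restricted filesystem on a non-landlock kernel is not visible from this hunk. The body of enableSandbox begins before the first hunk and continues past the end of the second.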