diff --git a/gui/main.cpp b/gui/main.cpp index d9b4915..c5101d6 100644 --- a/gui/main.cpp +++ b/gui/main.cpp @@ -3,6 +3,7 @@ #include #include #include +#include #include "mainwindow.h" #include "searchresult.h" @@ -11,6 +12,54 @@ #include "../submodules/exile.h/exile.h" #include "ipcserver.h" +void enableSandbox(QString socketPath) +{ + struct exile_policy *policy = exile_init_policy(); + if(policy == NULL) + { + qCritical() << "Failed to init policy for sandbox"; + exit(EXIT_FAILURE); + } + QDir dir; + dir.mkpath(QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation)); + dir.mkpath(QStandardPaths::writableLocation(QStandardPaths::CacheLocation)); + + std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString(); + std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString(); + + std::string sockPath = socketPath.toStdString(); + policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER; + policy->vow_promises = EXILE_SYSCALL_VOW_THREAD | EXILE_SYSCALL_VOW_CPATH | EXILE_SYSCALL_VOW_WPATH | + EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_STDIO | + EXILE_SYSCALL_VOW_PROT_EXEC | EXILE_SYSCALL_VOW_PROC | EXILE_SYSCALL_VOW_SHM | + EXILE_SYSCALL_VOW_FSNOTIFY | EXILE_SYSCALL_VOW_IOCTL; + + if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0) + { + qCritical() << "Failed to append a path to the path policy"; + exit(EXIT_FAILURE); + } + + if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str()) != + 0) + { + qCritical() << "Failed to append a path to the path policy"; + exit(EXIT_FAILURE); + } + if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, + cacheDataLocation.c_str()) != 0) + { + qCritical() << "Failed to append a path to the path policy"; + exit(EXIT_FAILURE); + } + int ret = exile_enable_policy(policy); + if(ret != 0) + { + qDebug() << "Failed to establish sandbox"; + exit(EXIT_FAILURE); + } + exile_free_policy(policy); +} int main(int argc, char *argv[]) { QString socketPath = "/tmp/looqs-spawner"; @@ -41,49 +90,8 @@ int main(int argc, char *argv[]) qDebug() << errorMsg; QMessageBox::critical(nullptr, "Error", errorMsg); } - - struct exile_policy *policy = exile_init_policy(); - if(policy == NULL) - { - qCritical() << "Failed to init policy for sandbox"; - return 1; - } - std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString(); - std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString(); - std::string sockPath = socketPath.toStdString(); - policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER; - policy->vow_promises = EXILE_SYSCALL_VOW_THREAD | EXILE_SYSCALL_VOW_CPATH | EXILE_SYSCALL_VOW_WPATH | - EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_STDIO | - EXILE_SYSCALL_VOW_PROT_EXEC | EXILE_SYSCALL_VOW_PROC | EXILE_SYSCALL_VOW_SHM | - EXILE_SYSCALL_VOW_FSNOTIFY | EXILE_SYSCALL_VOW_IOCTL; - - if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0) - { - qCritical() << "Failed to append a path to the path policy"; - return 1; - } - - if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, appDataLocation.c_str()) != - 0) - { - qCritical() << "Failed to append a path to the path policy"; - return 1; - } - if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, - cacheDataLocation.c_str()) != 0) - { - qCritical() << "Failed to append a path to the path policy"; - return 1; - } - int ret = exile_enable_policy(policy); - if(ret != 0) - { - qDebug() << "Failed to establish sandbox"; - return 1; - } - exile_free_policy(policy); - Common::setupAppInfo(); + enableSandbox(socketPath); QApplication a(argc, argv); try {