From ebea074fcb47d1ff331a8a10a8577d111e4d7247 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Sat, 7 Aug 2021 12:03:35 +0200
Subject: [PATCH] gui: Begin basic sandboxing
---
 gui/main.cpp | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/gui/main.cpp b/gui/main.cpp
index df3ee28..cd8766d 100644
--- a/gui/main.cpp
+++ b/gui/main.cpp
@@ -1,13 +1,34 @@
 #include
 #include
 #include
+#include
 #include "mainwindow.h"
 #include "searchresult.h"
 #include "pdfpreview.h"
 #include "../shared/common.h"
+#include "../submodules/qssb.h/qssb.h"
 int main(int argc, char *argv[])
 {
+ struct qssb_policy *policy = qssb_init_policy();
+ std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString();
+ std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString();
+
+ policy->namespace_options = QSSB_UNSHARE_NETWORK | QSSB_UNSHARE_USER;
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_REMOVE_FILE, "/");
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_REMOVE_FILE | QSSB_FS_ALLOW_WRITE,
+ appDataLocation.c_str());
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_REMOVE_FILE | QSSB_FS_ALLOW_WRITE,
+ cacheDataLocation.c_str());
+
+ int ret = qssb_enable_policy(policy);
+ if(ret != 0)
+ {
+ qDebug() << "Failed to establish sandbox";
+ return 1;
+ }
+ qssb_free_policy(policy);
+
 Common::setupAppInfo();
 QApplication a(argc, argv);
 try
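Review bot: The two writable paths are resolved with `QStandardPaths::writableLocation` before `Common::setupAppInfo()` runs, so if that call is what sets the organization and application name (its body is not shown), the sandbox may whitelist the generic per-user data and cache directories instead of this application's own, which is wider than intended and possibly not where the app later writes. Moving `Common::setupAppInfo();` above the two `writableLocation` lines, and rejecting an empty result before it reaches `qssb_append_path_policy`, would close that gap. The rule for `/` also grants `QSSB_FS_ALLOW_REMOVE_FILE` over the whole filesystem; unless the GUI has to delete files outside its own directories, `qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/");` is the tighter default. `policy` is dereferenced without checking the result of `qssb_init_policy()`, and the failure message goes through `qDebug()`, which can be compiled out or filtered in release builds, so `qCritical()` would make a failed sandbox setup more visible. The body of `main` continues past the end of the hunk.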