gui: ipc sandbox: Restrict sandbox further
Switch to QCoreApplication, since the IPC worker is not a GUI application. This also lets us remove some vows. Furthermore, deny the connect() syscall explicitly.
Cette révision appartient à :
Parent
afa9d33f3d
révision
f29f997289
30
gui/main.cpp
30
gui/main.cpp
@ -26,8 +26,7 @@ void enableIpcSandbox()
|
||||
policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
|
||||
policy->no_new_privs = 1;
|
||||
policy->drop_caps = 1;
|
||||
policy->vow_promises =
|
||||
exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl error");
|
||||
policy->vow_promises = exile_vows_from_str("thread cpath rpath unix stdio proc error");
|
||||
policy->mount_path_policies_to_chroot = 1;
|
||||
|
||||
QString ipcSocketPath = Common::ipcSocketPath();
|
||||
@ -35,6 +34,12 @@ void enableIpcSandbox()
|
||||
QString ipcSocketPathDir = info.absolutePath();
|
||||
std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
|
||||
|
||||
/* we only need the 'server' side of the 'unix' vow (for unix sockets)'. The process
|
||||
* has no business to connect anywhere.
|
||||
*
|
||||
* Maybe this case should be handled by exile at some point, but for now deal with it here */
|
||||
exile_append_syscall_policy(policy, EXILE_SYS(connect), EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
|
||||
|
||||
/* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
|
||||
* due to the vows */
|
||||
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
|
||||
@ -43,9 +48,26 @@ void enableIpcSandbox()
|
||||
int ret = exile_enable_policy(policy);
|
||||
if(ret != 0)
|
||||
{
|
||||
qDebug() << "Failed to establish sandbox";
|
||||
qDebug() << "Failed to establish sandbox" << Qt::endl;
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
/* Arguments are irrelevant for sandbox test, just want to silence analyzer/compiler warnings */
|
||||
ret = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if(ret != -1 || errno != EACCES)
|
||||
{
|
||||
qCritical() << "Sandbox sanity check failed" << Qt::endl;
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
const struct sockaddr *addr = {};
|
||||
ret = connect(3, addr, sizeof(*addr));
|
||||
if(ret != -1 || errno != EACCES)
|
||||
{
|
||||
qCritical() << "Sandbox sanity check failed" << Qt::endl;
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
exile_free_policy(policy);
|
||||
}
|
||||
|
||||
@ -66,7 +88,7 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
enableIpcSandbox();
|
||||
}
|
||||
QApplication a(argc, argv);
|
||||
QCoreApplication a(argc, argv);
|
||||
|
||||
IpcServer *ipcserver = new IpcServer();
|
||||
qDebug() << "Launching IPC Server";
|
||||
|
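Review bot: In the third hunk both sanity checks exit with the identical message `"Sandbox sanity check failed"`, so a failure report cannot tell whether it was socket() or connect() that was unexpectedly permitted, and neither line records the errno that was actually observed. Since the checks deliberately require errno to be exactly EACCES (which, as far as visible here, presumes that EXILE_SYSCALL_DENY_RET_ERROR and the vow filter both report denials as EACCES rather than, say, EPERM), a mismatch is most likely an exile-version difference rather than a broken sandbox, and the log should make that diagnosable: `qCritical() << "Sandbox sanity check failed: socket() not denied (ret=" << ret << ", errno=" << errno << ")" << Qt::endl;` and the analogous line for connect(). The null-pointer `addr` and the hard-coded fd 3 are fine for a denial probe, but it is worth a one-line comment that the call is expected to be rejected by seccomp before the kernel ever looks at the arguments, otherwise the next reader will assume an EFAULT/EBADF bug. The body of enableIpcSandbox() starts before the first hunk shown.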