From f67a37bc21bd49b356c8e3f647c34150a1a9757e Mon Sep 17 00:00:00 2001
From: Albert S
Date: Tue, 3 May 2022 15:56:06 +0200
Subject: [PATCH] GUI: Disable general sandbox due to inpracticability

Qt is usually built with Accessibility and D-Bus. If D-Bus connections work, a bypass should be considered trivial. If we block D-Bus, we experience quite some slowdowns in certain contexts. That's because Qt makes D-Bus connections for accessibility features etc. They appear to run into timeouts, but this slows down things. Sandboxing also makes things like showing (native) file picker dialogs harder. Sandboxing efforts will focus on the critical paths such as the existing Indexer sandbox and the to be implemented sandboxing for preview generation. We keep no_new_privs for now as chances are that this shouldn't hurt.
---
gui/main.cpp | 58 +++++-----------------------------------------
1 file changed, 5 insertions(+), 53 deletions(-)

diff --git a/gui/main.cpp b/gui/main.cpp
index a5b82cf..a02c1ea 100644
--- a/gui/main.cpp
+++ b/gui/main.cpp
@@ -14,63 +14,16 @@
 #include "../submodules/exile.h/exile.h"
 #include "ipcserver.h"

-void enableSandbox(QString socketPath)
+void enableSandbox()
 {
- struct exile_policy *policy = exile_init_policy();
+ struct exile_policy *policy = exile_create_policy();
 if(policy == NULL)
 {
 qCritical() << "Failed to init policy for sandbox";
 exit(EXIT_FAILURE);
 }
- QDir dir;
- dir.mkpath(QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation));
- dir.mkpath(QStandardPaths::writableLocation(QStandardPaths::CacheLocation));
-
- std::string appDataLocation = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation).toStdString();
- std::string cacheDataLocation = QStandardPaths::writableLocation(QStandardPaths::CacheLocation).toStdString();
- std::string configDataLocation = QStandardPaths::writableLocation(QStandardPaths::ConfigLocation).toStdString();
-
- std::string sockPath = socketPath.toStdString();
- std::string dbPath = QFileInfo(Common::databasePath()).absolutePath().toStdString();
- std::string mySelf = QFileInfo("/proc/self/exe").symLinkTarget().toStdString();
- policy->namespace_options = EXILE_UNSHARE_USER;
- if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/") != 0)
- {
- qCritical() << "Failed to append a path to the path policy";
- exit(EXIT_FAILURE);
- }
-
- if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE,
- appDataLocation.c_str()) != 0)
- {
- qCritical() << "Failed to append appDataLocation path to the path policy";
- exit(EXIT_FAILURE);
- }
- if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE,
- cacheDataLocation.c_str()) != 0)
- {
- qCritical() << "Failed to append cacheDataLocation path to the path policy";
- exit(EXIT_FAILURE);
- }
- if(exile_append_path_policies(policy,
- EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE | EXILE_FS_ALLOW_ALL_WRITE,
- dbPath.c_str()) != 0)
- {
- qCritical() << "Failed to append dbPath path to the path policy";
- exit(EXIT_FAILURE);
- }
- if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, mySelf.c_str(), "/lib64",
- "/lib") != 0)
- {
- qCritical() << "Failed to append mySelf path to the path policy";
- exit(EXIT_FAILURE);
- }
- if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE,
- configDataLocation.c_str()) != 0)
- {
- qCritical() << "Failed to append configDataLocation path to the path policy";
- exit(EXIT_FAILURE);
- }
+ policy->namespace_options = 0;
+ policy->no_new_privs = 1;
 int ret = exile_enable_policy(policy);
 if(ret != 0)
 {
@@ -141,7 +94,7 @@ int main(int argc, char *argv[])
 Common::ensureConfigured();
 if(!parser.isSet("no-sandbox"))
 {
- enableSandbox(socketPath);
+ enableSandbox();
 qInfo() << "Sandbox: on";
 }
 else
@@ -167,6 +120,5 @@ int main(int argc, char *argv[])
 IPCClient client{socketPath};
 MainWindow w{0, client};
 w.showMaximized();
- return a.exec();
 }
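Review bot: The new enableSandbox() body gives no hint why the policy is reduced to `policy->namespace_options = 0;` plus `policy->no_new_privs = 1;`; the rationale lives only in the commit message and will be lost the next time someone tries to tighten this function again. Add a comment above those two assignments, e.g. `// Deliberately minimal: path and namespace restrictions are disabled because Qt's D-Bus (accessibility) connections and native file dialogs break or time out under them; only no_new_privs is kept. The Indexer and preview generation are sandboxed separately.` Because no_new_privs is inherited across fork/exec, anything the GUI launches later (file openers, helper tools) also cannot gain privileges through setuid binaries or file capabilities, which is worth stating in that comment so the "shouldn't hurt" assumption gets re-checked when such a launcher is added. With only no_new_privs left, `qInfo() << "Sandbox: on";` in the second hunk now overstates what is active, and `qInfo() << "Sandbox: on (no_new_privs only)";` would keep the log honest. enableSandbox's body continues past the end of the hunk, and whether exile_create_policy already exists in the exile.h submodule cannot be checked from this diff, which touches only gui/main.cpp.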