Commit grafiek

39 Commits

Auteur SHA1 Bericht Datum
2906b56cd6 sandboxing: Disable mechanisms requiring namespaces
Needs detection whether we have them available at some point, especially
since Ubuntu 24.04 blocks them with Apparmor. But for now, don't unshare
anything.

submodules: exile.h: Sync
2024-07-21 15:39:47 +02:00
07630c3b36 gui: main: Fix exiting after failed migration 2023-04-02 21:41:35 +02:00
efca45b88a gui sandbox: Allow wpath to improve poppler text rendering
Apparently poppler or something needs open() with write
flags to render pdfs with proper fonts.

Landlock guards file system write access, so this is fine.
2023-01-08 17:37:28 +01:00
7fa266e5e8 gui: main: Execute migrations. Show migration progress dialog
We don't do silent upgrades anymore because they might take considerable
time.
2022-07-28 13:43:02 +02:00
b6b3e2f3c0 shared SandBoxedProcessor: Return SaveFileResult, remove defines
Not entirely ideal as SandboxedProcessor does not save anything,
but an improvement nevertheless over the current mess
2022-06-24 19:17:50 +02:00
c82cf03814 gui: main: Remove leftover old, now removed --no-sandboxing option from parser 2022-06-13 21:57:34 +02:00
a408173064 main: Ensure event loops runs before Common::ensureConfigured() called
Otherwise migration progress cannot be reported
2022-06-13 21:57:34 +02:00
f29f997289 gui: ipc sandbox: Restrict sandbox further
Switch to QCoreApplication, since the ipc worker is not a GUI application.

We can also remove some vows this ways. Furthermore, disable connect() syscall
explicitly.
2022-06-09 10:04:48 +02:00
87ebc137d5 shared/gui: Add LOOQS_DISABLE_SANDBOX env to allow disabling sandboxing
Mainly for devs to check whether a problem is caused by sandboxing.
2022-06-06 23:23:07 +02:00
67189f34c6 gui: main: Make sandboxing work on kernels without landlock
Those are still around of course, so deal with that
2022-06-06 22:16:36 +02:00
0d81452a67 rename icon to looqs.svg 2022-06-06 15:55:21 +02:00
1ec7a5a865 gui: main: Ensure a clean exit 2022-06-04 17:09:26 +02:00
40207c3399 gui: Remove enableSandbox() for general GUI
While f67a37bc21 indicated the last remaining code could stay,
it can't because there is a launch failure of SandboxedProcessor.

This has been revealed by the changes of the previous commit,
aa03d0a4920e.

Hence, the GUI will be untouched by exile. We only sandbox
the preview generation and the indexing trough IPC.
2022-06-04 17:09:26 +02:00
e715be9787 gui: Fix dispatch of SandboxedProcessor
There was an off-by-one, the SandboxedProcessor was only passed
'process', not the path to the file.

No processor was found for 'process', thus 'nothingProcessor' was
returned. Therefore, we never sandboxed (because we never had
to process anything).

The sandboxing would have failed though, because we need to launch
QCoreApplication, not QApplication.

The CLI was never affected.
2022-06-04 17:09:26 +02:00
11af6e530e gui: sandbox: Add 'error' to vow_promises to avoid getting killed on ioctl() with TIOCSTI 2022-06-04 17:09:26 +02:00
ad0fc74439 ipc: Place socket in /tmp/.looqs/, remove ipc path settings 2022-05-29 11:20:28 +02:00
e44fb1a942 gui: main: Enable exile.h for IPC preview generation 2022-05-29 11:20:28 +02:00
d66e395fda gui: main: Kill IPCServer process on exit 2022-05-29 11:20:28 +02:00
0d6fb1d482 gui: mainwindow: Use new IPCPreviewClient 2022-05-29 11:20:28 +02:00
f67a37bc21 GUI: Disable general sandbox due to inpracticability
Qt is usually built with Accessibility and D-Bus. If D-Bus
connections work, a bypass should be considered trivial.
If we block D-Bus, we experience quite some slowdowns in
certain contexts. That's because Qt makes D-Bus connections
for accessibility features etc. They appear to run into timeouts,
but this slows down things. Sandboxing also makes things
like showing (native) file picker dialogs harder.

Sandboxing efforts will focus on the critical paths such as
the existing Indexer sandbox and the to be implemented sandboxing
for preview generation.

We keep no_new_privs for now as chances are that this shouldn't hurt.
2022-05-03 15:56:08 +02:00
9d160ed7a0 gui: Add icon
Not the best on dark themes, better than nothing for now.
2022-04-28 09:13:34 +02:00
a132485924 gui: enableSandbox: Don't unshare network due to slowdowns
The indexer is quite slow with unshared network namespaces. It appears something in
Qt needs it as IPC or whatever. Seeing also dbus-related errors:

Issue: #33

So disable it for now.
2022-04-24 19:40:43 +02:00
d2d576e617 gui: Call enableSandboxing() after ensureConfigured() so all paths are guaranteed to exist 2022-04-24 19:40:43 +02:00
08da6b4349 gui: main: Remove vows from exile policy
SandboxedProcessor is not launched via IPCServer at this point.
The vow set is already very big and SandboxedProcessor
would require exec too.

So use exile default policy and add some path permisisons.

Once SandboxedProcessor is handled by IPC and preview generation
is also exiled separately, it has to be reevaluated whether
it makes sense for vows to return.
2022-04-24 19:40:43 +02:00
4d0d9ba9c6 main: sandbox: Add clone vow, Use exile_vows_from_str()
Fresh ubuntu 22.04 uses clone3(). thread vow is not enough anymore.

Maybe Qt uses it now, who knows, let's just allow it for the time being.
2022-04-24 15:52:20 +02:00
0af7d4a3dc GUI: Begin new 'Indexer' tab 2022-04-15 21:06:56 +02:00
56414ee5e2 shared: Begin basic ConcurrentQueue 2022-04-15 21:06:56 +02:00
2e3b008207 gui: main: Add --no-sandbox 2022-01-04 23:44:37 +01:00
ea1d027621 gui: main: Enable sandbox post call to Common::setupAppInfo()
Move sandboxing code to own function
2022-01-04 23:27:45 +01:00
404ce22ce6 Generalize previews: Mainwindow: Do necessary renames 2022-01-04 11:24:37 +01:00
c51487c4b2 gui: Call setupAppinfo() also for the IPC server 2022-01-03 23:14:55 +01:00
bb5a793300 gui: Add vow_promises to exile policy 2022-01-03 23:14:55 +01:00
88ee2383f7 Switch to exile.h 2022-01-01 17:58:52 +01:00
890925929a GUI: Begin IPC mechanism to open files despite sandboxing 2022-01-01 17:58:52 +01:00
ebea074fcb gui: Begin basic sandboxing 2022-01-01 17:58:52 +01:00
e97551be97 Rename all symbols to new project name 2021-06-12 14:59:58 +02:00
ef78e74cdd Detect first run and initialize database and config
Relates to #1
2020-08-24 21:36:45 +02:00
13fb901044 added Common namespace. cli: use settings instead of env for db path 2020-05-23 22:52:42 +02:00
68ab917756 begin work on qt gui - basic search & pdf preview 2018-08-12 16:45:39 +02:00