shared: SandboxedProcessor: Enable fallback for non-landlock systems

Unless it's a processor that does not need fs access, this would
fail on systems without landlock, so we must fallback to
chroot() etc. again.

.gitignore

@@ -0,0 +1,11 @@
+.user
+.o
+*.user
+*.o
+*.a
+moc_*.cpp
+moc_*.h
+Makefile
+cli/looqs
+gui/looqs-gui
+qrc_*

CHANGELOG.md

@@ -1,5 +1,10 @@
 # looqs: Release notes
 
+## 2022-06-07 - v0.2
+CHANGES:
+- Sandboxing: Add environment variable `LOOQS_DISABLE_SANDBOXING` to disable sandboxing. This is intended for troubleshooting
+- Sandboxing: Fix issue where activation failed on kernels without landlock
+
 ## 2022-06-06 - v0.1
 The first release comes with basic functionality. It's a start that can be considered useful to some degree.
 

README.md

@@ -30,7 +30,7 @@ There is no need to write the long form of filters. There are also booleans avai
 
 
 ## Current status
-Last version: 2022-06-06, v0.1
+Last version: 2022-06-07, v0.2
 
 Please see [Changelog](CHANGELOG.md) for a human readable list of changes.
 

gui/main.cpp

@@ -26,8 +26,7 @@ void enableIpcSandbox()
 	policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
 	policy->no_new_privs = 1;
 	policy->drop_caps = 1;
-	policy->vow_promises =
-		exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl error");
+	policy->vow_promises = exile_vows_from_str("thread cpath rpath unix stdio proc error");
 	policy->mount_path_policies_to_chroot = 1;
 
 	QString ipcSocketPath = Common::ipcSocketPath();
@@ -35,6 +34,12 @@ void enableIpcSandbox()
 	QString ipcSocketPathDir = info.absolutePath();
 	std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
 
+	/* we only need the 'server' side of the 'unix' vow (for unix sockets)'. The process
+	 * has no business to connect anywhere.
+	 *
+	 * Maybe this case should be handled by exile at some point, but for now deal with it here */
+	exile_append_syscall_policy(policy, EXILE_SYS(connect), EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
+
 	/* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
 	 * due to the vows */
 	exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
@@ -43,9 +48,26 @@ void enableIpcSandbox()
 	int ret = exile_enable_policy(policy);
 	if(ret != 0)
 	{
-		qDebug() << "Failed to establish sandbox";
+		qDebug() << "Failed to establish sandbox" << Qt::endl;
 		exit(EXIT_FAILURE);
 	}
+
+	/* Arguments are irrelevant for sandbox test, just want to silence analyzer/compiler warnings */
+	ret = socket(AF_INET, SOCK_STREAM, 0);
+	if(ret != -1 || errno != EACCES)
+	{
+		qCritical() << "Sandbox sanity check failed" << Qt::endl;
+		exit(EXIT_FAILURE);
+	}
+
+	const struct sockaddr *addr = {};
+	ret = connect(3, addr, sizeof(*addr));
+	if(ret != -1 || errno != EACCES)
+	{
+		qCritical() << "Sandbox sanity check failed" << Qt::endl;
+		exit(EXIT_FAILURE);
+	}
+
 	exile_free_policy(policy);
 }
 
@@ -66,7 +88,7 @@ int main(int argc, char *argv[])
 			{
 				enableIpcSandbox();
 			}
-			QApplication a(argc, argv);
+			QCoreApplication a(argc, argv);
 
 			IpcServer *ipcserver = new IpcServer();
 			qDebug() << "Launching IPC Server";

shared/sandboxedprocessor.cpp

@@ -35,7 +35,7 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	struct exile_policy *policy = exile_init_policy();
 	if(policy == NULL)
 	{
-		qCritical() << "Could not init exile";
+		qCritical() << "Could not init exile" << Qt::endl;
 		exit(EXIT_FAILURE);
 	}
 	policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
@@ -43,6 +43,8 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	std::string readablePathLocation;
 	if(!readablePath.isEmpty())
 	{
+		policy->namespace_options |= EXILE_UNSHARE_MOUNT;
+		policy->mount_path_policies_to_chroot = 1;
 		readablePathLocation = readablePath.toStdString();
 		if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
 		{