Compare commits
5 Commits
87ebc137d5
...
e76988ee77
Author | SHA1 | Date | |
---|---|---|---|
e76988ee77 | |||
f29f997289 | |||
afa9d33f3d | |||
fc92b963d4 | |||
9acbd5dccf |
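--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+.user
+.o
+*.user
+*.o
+*.a
+moc_*.cpp
+moc_*.h
+Makefile
+cli/looqs
+gui/looqs-gui
+qrc_*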
@ -1,5 +1,10 @@
|
|||||||
# looqs: Release notes
|
# looqs: Release notes
|
||||||
|
|
||||||
|
## 2022-06-07 - v0.2
|
||||||
|
CHANGES:
|
||||||
|
- Sandboxing: Add environment variable `LOOQS_DISABLE_SANDBOXING` to disable sandboxing. This is intended for troubleshooting
|
||||||
|
- Sandboxing: Fix issue where activation failed on kernels without landlock
|
||||||
|
|
||||||
## 2022-06-06 - v0.1
|
## 2022-06-06 - v0.1
|
||||||
The first release comes with basic functionality. It's a start that can be considered useful to some degree.
|
The first release comes with basic functionality. It's a start that can be considered useful to some degree.
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ There is no need to write the long form of filters. There are also booleans avai
|
|||||||
|
|
||||||
|
|
||||||
## Current status
|
## Current status
|
||||||
Last version: 2022-06-06, v0.1
|
Last version: 2022-06-07, v0.2
|
||||||
|
|
||||||
Please see [Changelog](CHANGELOG.md) for a human readable list of changes.
|
Please see [Changelog](CHANGELOG.md) for a human readable list of changes.
|
||||||
|
|
||||||
|
30
gui/main.cpp
30
gui/main.cpp
@ -26,8 +26,7 @@ void enableIpcSandbox()
|
|||||||
policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
|
policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
|
||||||
policy->no_new_privs = 1;
|
policy->no_new_privs = 1;
|
||||||
policy->drop_caps = 1;
|
policy->drop_caps = 1;
|
||||||
policy->vow_promises =
|
policy->vow_promises = exile_vows_from_str("thread cpath rpath unix stdio proc error");
|
||||||
exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl error");
|
|
||||||
policy->mount_path_policies_to_chroot = 1;
|
policy->mount_path_policies_to_chroot = 1;
|
||||||
|
|
||||||
QString ipcSocketPath = Common::ipcSocketPath();
|
QString ipcSocketPath = Common::ipcSocketPath();
|
||||||
@ -35,6 +34,12 @@ void enableIpcSandbox()
|
|||||||
QString ipcSocketPathDir = info.absolutePath();
|
QString ipcSocketPathDir = info.absolutePath();
|
||||||
std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
|
std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
|
||||||
|
|
||||||
|
/* we only need the 'server' side of the 'unix' vow (for unix sockets)'. The process
|
||||||
|
* has no business to connect anywhere.
|
||||||
|
*
|
||||||
|
* Maybe this case should be handled by exile at some point, but for now deal with it here */
|
||||||
|
exile_append_syscall_policy(policy, EXILE_SYS(connect), EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
|
||||||
|
|
||||||
/* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
|
/* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
|
||||||
* due to the vows */
|
* due to the vows */
|
||||||
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
|
exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
|
||||||
@ -43,9 +48,26 @@ void enableIpcSandbox()
|
|||||||
int ret = exile_enable_policy(policy);
|
int ret = exile_enable_policy(policy);
|
||||||
if(ret != 0)
|
if(ret != 0)
|
||||||
{
|
{
|
||||||
qDebug() << "Failed to establish sandbox";
|
qDebug() << "Failed to establish sandbox" << Qt::endl;
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Arguments are irrelevant for sandbox test, just want to silence analyzer/compiler warnings */
|
||||||
|
ret = socket(AF_INET, SOCK_STREAM, 0);
|
||||||
|
if(ret != -1 || errno != EACCES)
|
||||||
|
{
|
||||||
|
qCritical() << "Sandbox sanity check failed" << Qt::endl;
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
const struct sockaddr *addr = {};
|
||||||
|
ret = connect(3, addr, sizeof(*addr));
|
||||||
|
if(ret != -1 || errno != EACCES)
|
||||||
|
{
|
||||||
|
qCritical() << "Sandbox sanity check failed" << Qt::endl;
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
exile_free_policy(policy);
|
exile_free_policy(policy);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -66,7 +88,7 @@ int main(int argc, char *argv[])
|
|||||||
{
|
{
|
||||||
enableIpcSandbox();
|
enableIpcSandbox();
|
||||||
}
|
}
|
||||||
QApplication a(argc, argv);
|
QCoreApplication a(argc, argv);
|
||||||
|
|
||||||
IpcServer *ipcserver = new IpcServer();
|
IpcServer *ipcserver = new IpcServer();
|
||||||
qDebug() << "Launching IPC Server";
|
qDebug() << "Launching IPC Server";
|
||||||
|
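Review bot: The failure branch after exile_enable_policy() still logs through qDebug and discards `ret`, while the two new sanity-check branches below it use qCritical; since this release documents LOOQS_DISABLE_SANDBOXING for troubleshooting, the one message a user will hit when activation breaks should be at the same level and carry the return code, e.g. `qCritical() << "Failed to establish sandbox, exile_enable_policy returned" << ret << Qt::endl;`. The connect() probe passes a null sockaddr on the hard-coded descriptor 3, which reads like a bug: it is safe only because the seccomp deny rule is meant to stop the call before the kernel inspects either argument, and if the rule is absent connect() fails with EBADF, ENOTSOCK or EFAULT, which the `errno != EACCES` test also treats as a broken sandbox, so the check fails closed. That reasoning belongs next to the probe, e.g. `/* fd 3 and the null address never reach the kernel while the connect deny rule is active; without it the call fails with a different errno, which the check below also rejects */`. Both checks presume that exile's deny-with-error path and the unix-only socket vow surface as EACCES; I cannot confirm that from this page, and if exile ever returns another errno the GUI will refuse to start rather than degrade, which is the right direction but worth a note. The enclosing enableIpcSandbox() starts before the first hunk.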
@ -35,7 +35,7 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
|
|||||||
struct exile_policy *policy = exile_init_policy();
|
struct exile_policy *policy = exile_init_policy();
|
||||||
if(policy == NULL)
|
if(policy == NULL)
|
||||||
{
|
{
|
||||||
qCritical() << "Could not init exile";
|
qCritical() << "Could not init exile" << Qt::endl;
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
|
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
|
||||||
@ -43,6 +43,8 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
|
|||||||
std::string readablePathLocation;
|
std::string readablePathLocation;
|
||||||
if(!readablePath.isEmpty())
|
if(!readablePath.isEmpty())
|
||||||
{
|
{
|
||||||
|
policy->namespace_options |= EXILE_UNSHARE_MOUNT;
|
||||||
|
policy->mount_path_policies_to_chroot = 1;
|
||||||
readablePathLocation = readablePath.toStdString();
|
readablePathLocation = readablePath.toStdString();
|
||||||
if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
|
if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
|
||||||
{
|
{
|
||||||
|
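Review bot: The new `policy->namespace_options |= EXILE_UNSHARE_MOUNT;` and `policy->mount_path_policies_to_chroot = 1;` are only set when readablePath is non-empty, so a caller passing an empty path gets a worker with no mount isolation at all, a materially different posture from the restricted-read case that the hunk does not explain. Suggest a comment above the first new line: `/* A private mount namespace lets exile enforce the read-only path as a chroot, which also works on kernels without landlock; with no readable path there is nothing to mount, so the namespace is skipped */`. Whether the empty-path case is still constrained by exile's defaults cannot be told from this hunk. The enclosing enableSandbox() begins before the first hunk and the result of exile_enable_policy() is checked outside it.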
@ -1 +1 @@
|
|||||||
Subproject commit 42d44b0cc1e4ef35d0429e43a1dd005556450b44
|
Subproject commit 8f38dc4480d51e2bf737ef87dd4a4f408d90a8a6
|