.gitignore

@@ -1,11 +0,0 @@
-.user
-.o
-*.user
-*.o
-*.a
-moc_*.cpp
-moc_*.h
-Makefile
-cli/looqs
-gui/looqs-gui
-qrc_*

CHANGELOG.md

@@ -1,10 +1,5 @@
 # looqs: Release notes
 
-## 2022-06-07 - v0.2
-CHANGES:
-- Sandboxing: Add environment variable `LOOQS_DISABLE_SANDBOXING` to disable sandboxing. This is intended for troubleshooting
-- Sandboxing: Fix issue where activation failed on kernels without landlock
-
 ## 2022-06-06 - v0.1
 The first release comes with basic functionality. It's a start that can be considered useful to some degree.
 

README.md

@@ -30,7 +30,7 @@ There is no need to write the long form of filters. There are also booleans avai
 
 
 ## Current status
-Last version: 2022-06-07, v0.2
+Last version: 2022-06-06, v0.1
 
 Please see [Changelog](CHANGELOG.md) for a human readable list of changes.
 

gui/main.cpp

@@ -26,7 +26,8 @@ void enableIpcSandbox()
 	policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
 	policy->no_new_privs = 1;
 	policy->drop_caps = 1;
-	policy->vow_promises = exile_vows_from_str("thread cpath rpath unix stdio proc error");
+	policy->vow_promises =
+		exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl error");
 	policy->mount_path_policies_to_chroot = 1;
 
 	QString ipcSocketPath = Common::ipcSocketPath();
@@ -34,12 +35,6 @@ void enableIpcSandbox()
 	QString ipcSocketPathDir = info.absolutePath();
 	std::string stdIpcSocketPath = ipcSocketPathDir.toStdString();
 
-	/* we only need the 'server' side of the 'unix' vow (for unix sockets)'. The process
-	 * has no business to connect anywhere.
-	 *
-	 * Maybe this case should be handled by exile at some point, but for now deal with it here */
-	exile_append_syscall_policy(policy, EXILE_SYS(connect), EXILE_SYSCALL_DENY_RET_ERROR, NULL, 0);
-
 	/* ALLOW_EXEC is needed for fallback, not in landlock mode. It does not allow executing anything though here
 	 * due to the vows */
 	exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_EXEC, "/");
@@ -48,26 +43,9 @@ void enableIpcSandbox()
 	int ret = exile_enable_policy(policy);
 	if(ret != 0)
 	{
-		qDebug() << "Failed to establish sandbox" << Qt::endl;
+		qDebug() << "Failed to establish sandbox";
 		exit(EXIT_FAILURE);
 	}
-
-	/* Arguments are irrelevant for sandbox test, just want to silence analyzer/compiler warnings */
-	ret = socket(AF_INET, SOCK_STREAM, 0);
-	if(ret != -1 || errno != EACCES)
-	{
-		qCritical() << "Sandbox sanity check failed" << Qt::endl;
-		exit(EXIT_FAILURE);
-	}
-
-	const struct sockaddr *addr = {};
-	ret = connect(3, addr, sizeof(*addr));
-	if(ret != -1 || errno != EACCES)
-	{
-		qCritical() << "Sandbox sanity check failed" << Qt::endl;
-		exit(EXIT_FAILURE);
-	}
-
 	exile_free_policy(policy);
 }
 
@@ -88,7 +66,7 @@ int main(int argc, char *argv[])
 			{
 				enableIpcSandbox();
 			}
-			QCoreApplication a(argc, argv);
+			QApplication a(argc, argv);
 
 			IpcServer *ipcserver = new IpcServer();
 			qDebug() << "Launching IPC Server";

shared/sandboxedprocessor.cpp

@@ -35,7 +35,7 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	struct exile_policy *policy = exile_init_policy();
 	if(policy == NULL)
 	{
-		qCritical() << "Could not init exile" << Qt::endl;
+		qCritical() << "Could not init exile";
 		exit(EXIT_FAILURE);
 	}
 	policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
@@ -43,8 +43,6 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	std::string readablePathLocation;
 	if(!readablePath.isEmpty())
 	{
-		policy->namespace_options |= EXILE_UNSHARE_MOUNT;
-		policy->mount_path_policies_to_chroot = 1;
 		readablePathLocation = readablePath.toStdString();
 		if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
 		{

submodules/exile.h

@@ -1 +1 @@
-Subproject commit 8f38dc4480d51e2bf737ef87dd4a4f408d90a8a6
+Subproject commit 42d44b0cc1e4ef35d0429e43a1dd005556450b44