sandboxing: Disable mechanisms requiring namespaces

Needs detection whether we have them available at some point, especially since Ubuntu 24.04 blocks them with Apparmor. But for now, don't unshare anything. submodules: exile.h: Sync
shared: SandboxedProcessor: Return proper exit code for failures
2024-07-21 15:39:47 +02:00 · 2024-07-21 14:34:55 +02:00 · 2024-07-21 10:25:41 +02:00
4 changed files with 8 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -76,7 +76,7 @@ To build on Ubuntu and Debian, clone the repo and then run:
 ```
 git submodule init
 git submodule update
-sudo apt install build-essential qtbase5-dev libqt5sql5-sqlite libpoppler-qt5-dev libuchardet-dev libquazip5-dev
+sudo apt install build-essential qt6-base-dev libqt6sql6-sqlite libpoppler-qt6-dev libuchardet-dev libquazip1-qt6-dev
 qmake
 make
 ```
--- a/gui/main.cpp
+++ b/gui/main.cpp
@ -25,11 +25,10 @@ void enableIpcSandbox()
 		qCritical() << "Failed to init policy for sandbox";
 		exit(EXIT_FAILURE);
 	}
-	policy->namespace_options = EXILE_UNSHARE_USER | EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_NETWORK;
+	policy->namespace_options = 0;
 	policy->no_new_privs = 1;
-	policy->drop_caps = 1;
+	policy->drop_caps = 0;
 	policy->vow_promises = exile_vows_from_str("thread cpath rpath wpath unix stdio proc error");
 	policy->mount_path_policies_to_chroot = 1;
 	QString ipcSocketPath = Common::ipcSocketPath();
 	QFileInfo info{ipcSocketPath};
--- a/shared/sandboxedprocessor.cpp
+++ b/shared/sandboxedprocessor.cpp
@ -36,20 +36,18 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	if(policy == NULL)
 	{
 		qCritical() << "Could not init exile" << Qt::endl;
-		exit(EXIT_FAILURE);
+		exit(PROCESSFAIL);
 	}
-	policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
+	policy->namespace_options = 0;
 	std::string readablePathLocation;
 	if(!readablePath.isEmpty())
 	{
 		policy->namespace_options |= EXILE_UNSHARE_MOUNT;
 		policy->mount_path_policies_to_chroot = 1;
 		readablePathLocation = readablePath.toStdString();
 		if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, readablePathLocation.c_str()) != 0)
 		{
 			qCritical() << "Failed to add path policies";
-			exit(EXIT_FAILURE);
+			exit(PROCESSFAIL);
 		}
 	}
 	else
@ -60,7 +58,7 @@ void SandboxedProcessor::enableSandbox(QString readablePath)
 	if(ret != 0)
 	{
 		qCritical() << "Failed to establish sandbox: " << ret;
-		exit(EXIT_FAILURE);
+		exit(PROCESSFAIL);
 	}
 	exile_free_policy(policy);
 }
--- a/submodules/exile.h
+++ b/submodules/exile.h
@ -1 +1 @@
-Subproject commit 44b9a17becf6882e1b3728cbf885ae9e5a6717af
+Subproject commit 4cfdead5d0d2cb4ecee4e5e654e8e90dda683744
Author	SHA1	Message	Date
Albert S.	2906b56cd6	sandboxing: Disable mechanisms requiring namespaces Needs detection whether we have them available at some point, especially since Ubuntu 24.04 blocks them with Apparmor. But for now, don't unshare anything. submodules: exile.h: Sync	2024-07-21 15:39:47 +02:00
Albert S.	c74ef48b40	shared: SandboxedProcessor: Return proper exit code for failures	2024-07-21 14:34:55 +02:00
Albert S.	877fb3b61a	Update Debian/Ubuntu build instructions	2024-07-21 10:25:41 +02:00
		`@ -1 +1 @@`
			`Subproject commit 44b9a17becf6882e1b3728cbf885ae9e5a6717af`				`Subproject commit 4cfdead5d0d2cb4ecee4e5e654e8e90dda683744`