gui/main.cpp

@@ -32,6 +32,31 @@ void enableSandbox()
 	}
 	exile_free_policy(policy);
 }
+
+void enableIpcSandbox(QString socketPath)
+{
+	struct exile_policy *policy = exile_create_policy();
+	if(policy == NULL)
+	{
+		qCritical() << "Failed to init policy for sandbox";
+		exit(EXIT_FAILURE);
+	}
+	policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
+	policy->no_new_privs = 1;
+	policy->drop_caps = 1;
+	policy->vow_promises = exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl");
+
+	exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ, "/");
+	exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, "/tmp");
+	int ret = exile_enable_policy(policy);
+	if(ret != 0)
+	{
+		qDebug() << "Failed to establish sandbox";
+		exit(EXIT_FAILURE);
+	}
+	exile_free_policy(policy);
+}
+
 int main(int argc, char *argv[])
 {
 	QString socketPath = "/tmp/looqs-spawner";
@@ -41,6 +66,7 @@ int main(int argc, char *argv[])
 		if(arg == "ipc")
 		{
 			Common::setupAppInfo();
+			enableIpcSandbox(socketPath);
 			QApplication a(argc, argv);
 
 			IpcServer *ipcserver = new IpcServer();