From 4f6bcd27b45b4aa9d61453ed3a647a89f0cdb860 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Sun, 14 Nov 2021 21:53:52 +0100
Subject: [PATCH] sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups

---
 sandbox/sandbox-linux.cpp | 29 ++++++++++++++++++-----------
 submodules/qssb.h | 2 +-
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp
index d916faa..421b0f7 100644
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -60,18 +60,25 @@ bool SandboxLinux::enable(std::vector fsPaths)
 policy->not_dumpable = 1;
 policy->no_new_privs = 1;
 policy->mount_path_policies_to_chroot = 1;
- /* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
- * sense that more could be listed here and some critical ones are probably missing */
-
- /* TODO: use qssb groups */
- long blacklisted_syscalls[] = {QSSB_SYS(setuid), QSSB_SYS(connect), QSSB_SYS(chroot), QSSB_SYS(pivot_root),
- QSSB_SYS(mount), QSSB_SYS(setns), QSSB_SYS(unshare), QSSB_SYS(ptrace),
- QSSB_SYS(personality), QSSB_SYS(prctl), QSSB_SYS(execveat), QSSB_SYS(execve),
- QSSB_SYS(fork)};
- qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
- sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
- qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+ if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
+ {
+ Logger::error() << "Sandbox: Failed to add whitelist!";
+ qssb_free_policy(policy);
+ return false;
+ }
+ if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED) != 0)
+ {
+ Logger::error() << "Sandbox: Failed to add socket group!";
+ qssb_free_policy(policy);
+ return false;
+ }
+ if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
+ {
+ Logger::error() << "Sandbox: Default policy";
+ qssb_free_policy(policy);
+ return false;
+ }
 if(qssb_enable_policy(policy) != 0)
 {
 Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
diff --git a/submodules/qssb.h b/submodules/qssb.h
index 0d7c5bd..d847d0f 160000
--- a/submodules/qssb.h
+++ b/submodules/qssb.h
@@ -1 +1 @@
-Subproject commit 0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b
+Subproject commit d847d0f996679c77741b85959988dd9e65d63b97
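Review bot: The second allow call grants the whole QSSB_SYSCGROUP_SOCKET group, while the denylist this hunk removes explicitly blocked connect(); the hunk does not show which syscalls each group maps to, so if that group covers connect() the commit quietly re-enables outbound connections from the sandboxed process. A comment next to that call stating which of the previously denied calls (connect, execve/execveat, fork, ptrace, mount, chroot/pivot_root, setns/unshare, setuid, prctl, personality) the allowed groups are known not to contain would make the policy reviewable without reading qssb.h. The error messages also do not match what each branch does: `Logger::error() << "Sandbox: Default policy";` does not say anything failed, and `"Sandbox: Failed to add socket group!"` is logged for a call that adds the socket, futex, path and sched groups; `"Sandbox: Failed to set default syscall policy!"` and `"Sandbox: Failed to add socket/futex/path/sched groups!"` would read correctly in logs. The unchanged context line `"Sandbox: Activation of seccomp blacklist failed!"` is now stale for the same reason, since the policy is an allowlist. SandboxLinux::enable starts before this hunk and continues after it.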