sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups

sandbox/sandbox-linux.cpp

@@ -60,18 +60,25 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
 	policy->not_dumpable = 1;
 	policy->no_new_privs = 1;
 	policy->mount_path_policies_to_chroot = 1;
-	/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
-	 * sense that more could be listed here and some critical ones are probably missing */
-
-	/* TODO: use qssb groups */
-	long blacklisted_syscalls[] = {QSSB_SYS(setuid),	  QSSB_SYS(connect), QSSB_SYS(chroot),	 QSSB_SYS(pivot_root),
-								   QSSB_SYS(mount),		  QSSB_SYS(setns),	 QSSB_SYS(unshare),	 QSSB_SYS(ptrace),
-								   QSSB_SYS(personality), QSSB_SYS(prctl),	 QSSB_SYS(execveat), QSSB_SYS(execve),
-								   QSSB_SYS(fork)};
-	qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
-								sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
-	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
 
+	if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
+	{
+		Logger::error() << "Sandbox: Failed to add whitelist!";
+		qssb_free_policy(policy);
+		return false;
+	}
+	if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED) != 0)
+	{
+		Logger::error() << "Sandbox: Failed to add socket group!";
+		qssb_free_policy(policy);
+		return false;
+	}
+	if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
+	{
+		Logger::error() << "Sandbox: Default policy";
+		qssb_free_policy(policy);
+		return false;
+	}
 	if(qssb_enable_policy(policy) != 0)
 	{
 		Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";

submodules/qssb.h

@@ -1 +1 @@
-Subproject commit 0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b
+Subproject commit d847d0f996679c77741b85959988dd9e65d63b97