From ca0c8a94fb8bace5b581c412505f8ec22535cac7 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Wed, 29 Dec 2021 11:13:47 +0100
Subject: [PATCH] sandbox: Use exile.h vow promises
---
 sandbox/sandbox-linux.cpp | 23 ++++-------------------
 submodules/exile.h | 2 +-
 2 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp
index f6f4105..fab9fb2 100644
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -54,31 +54,16 @@ bool SandboxLinux::enable(std::vector fsPaths)
 }
 for(unsigned int i = 0; i < fsPaths.size(); i++)
 {
- exile_append_path_policy(policy, EXILE_FS_ALLOW_READ | EXILE_FS_ALLOW_WRITE, fsPaths[i].c_str());
+ exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str());
 }
 policy->drop_caps = 1;
 policy->not_dumpable = 1;
 policy->no_new_privs = 1;
 policy->mount_path_policies_to_chroot = 1;
+ policy->vow_promises = EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_WPATH | EXILE_SYSCALL_VOW_CPATH |
+ EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_UNIX |
+ EXILE_SYSCALL_VOW_THREAD;
- if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_DEFAULT_ALLOW) != 0)
- {
- Logger::error() << "Sandbox: Failed to add whitelist!";
- exile_free_policy(policy);
- return false;
- }
- if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_SOCKET | EXILE_SYSCGROUP_FUTEX | EXILE_SYSCGROUP_PATH | EXILE_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
- {
- Logger::error() << "Sandbox: Failed to add socket group!";
- exile_free_policy(policy);
- return false;
- }
- if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS) != 0)
- {
- Logger::error() << "Sandbox: Default policy";
- exile_free_policy(policy);
- return false;
- }
 if(exile_enable_policy(policy) != 0)
 {
 Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
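Review bot: The rewritten `exile_append_path_policy` call inside the `for` loop still discards its return value, while the three blocks this commit removes all checked their append calls with `!= 0`, logged, freed the policy and returned false; if this call reports failure the same way, a path that could not be registered is silently left out of the policy and `exile_enable_policy` then activates a sandbox whose filesystem view differs from what the caller requested, with no way for the caller to notice. I would wrap the call in the same error pattern, as sketched below. The `vow_promises` assignment also deserves a one-line comment naming which component needs INET, UNIX and THREAD, since those three widen the allowed syscall surface the most and a future reader will otherwise not know which can be dropped, e.g. `// INET/UNIX: <component that needs sockets>; THREAD: <component that spawns threads>`. The trailing context line `Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";` now describes a vow-based allowlist, so `"Sandbox: Activation of seccomp policy failed!"` would be less misleading. `SandboxLinux::enable` starts before and ends after this hunk.
```cpp
for(unsigned int i = 0; i < fsPaths.size(); i++)
{
	if(exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str()) != 0)
	{
		Logger::error() << "Sandbox: Failed to add path policy!";
		exile_free_policy(policy);
		return false;
	}
}
// … unchanged: policy flags, vow_promises, exile_enable_policy …
```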
diff --git a/submodules/exile.h b/submodules/exile.h
index 1b4c547..4824c6e 160000
--- a/submodules/exile.h
+++ b/submodules/exile.h
@@ -1 +1 @@
-Subproject commit 1b4c5477a55191f74d29bc264678e041bf0f2a42
+Subproject commit 4824c6eaa9043878daaba7b3778338f5bf913f06