From d0e7ff0a8cd2545497c19a84bc4d58deb400ce1f Mon Sep 17 00:00:00 2001
From: Albert S
Date: Thu, 2 Dec 2021 10:15:11 +0100
Subject: [PATCH] sandbox: Switch to exile.h (former qssb.h)
---
 .gitmodules | 6 +++---
 Makefile | 2 +-
 README.md | 3 +--
 sandbox/sandbox-linux.cpp | 24 ++++++++++++------------
 submodules/exile.h | 1 +
 submodules/qssb.h | 1 -
 6 files changed, 18 insertions(+), 19 deletions(-)
 create mode 160000 submodules/exile.h
 delete mode 160000 submodules/qssb.h
diff --git a/.gitmodules b/.gitmodules
index a3c7880..0ccc335 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,6 +4,6 @@
 [submodule "submodules/cpp-httplib"]
 path = submodules/cpp-httplib
 url = https://github.com/yhirose/cpp-httplib
-[submodule "submodules/qssb.h"]
- path = submodules/qssb.h
- url = https://gitea.quitesimple.org/crtxcr/qssb.h.git
+[submodule "submodules/exile.h"]
+ path = submodules/exile.h
+ url = https://gitea.quitesimple.org/crtxcr/exile.h.git
diff --git a/Makefile b/Makefile
index 7a7147b..268c067 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ CPPSTD=c++20
 CXXFLAGS=-std=$(CPPSTD) -O0 -g -no-pie -pipe -MMD -Wall -Wextra
 RELEASE_CXXFLAGS=-std=$(CPPSTD) -O3 -pipe -MMD -Wall -Wextra
 LDFLAGS=-lsqlite3 -lpthread -lcrypto -lstdc++fs
-INCLUDEFLAGS=-I submodules/sqlitemoderncpp/hdr -I submodules/cpp-httplib -I submodules/qssb.h
+INCLUDEFLAGS=-I submodules/sqlitemoderncpp/hdr -I submodules/cpp-httplib -I submodules/exile.h
 CXX=g++
diff --git a/README.md b/README.md
index 1dfcdb6..8d238e5 100644
--- a/README.md
+++ b/README.md
@@ -72,8 +72,7 @@ Building
 Dependencies:
 - cpp-httplib: https://github.com/yhirose/cpp-httplib
 - SqliteModernCpp: https://github.com/SqliteModernCpp
- - qssb.h: https://gitea.quitesimple.org/crtxcr/qssb.h
- - libseccomp: https://github.com/seccomp/libseccomp
+ - exile.h: https://gitea.quitesimple.org/crtxcr/exile.h
 - sqlite3: https://sqlite.org/index.html
 The first three are header-only libraries that are included as a git submodule. The others must
diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp
index a078665..f6f4105 100644
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -13,7 +13,7 @@
 #include
 #include
 #define HAVE_LANDLOCK 0
-#include
+#include
 #include "../logger.h"
 #include "../utils.h"
 #include "../random.h"
@@ -46,7 +46,7 @@ bool SandboxLinux::enable(std::vector fsPaths)
 std::sort(fsPaths.begin(), fsPaths.end(), [](const std::string &a, const std::string &b) { return a.length() < b.length(); });
- struct qssb_policy *policy = qssb_init_policy();
+ struct exile_policy *policy = exile_init_policy();
 if(policy == NULL)
 {
 Logger::error() << "Failed to init sandboxing policy (worker) ";
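Review bot: The `#define HAVE_LANDLOCK 0` two lines above the swapped include is left exactly as it was written for qssb.h; whether exile.h still reads a macro of that name cannot be seen in this hunk and is worth confirming, because a configuration knob that was renamed in the new header would silently stop taking effect and the sandbox's Landlock handling would change with no compile-time signal. If exile.h does consume it, a comment on the define such as `// consumed by exile.h below; keep it ahead of the include` would record the ordering dependency; if it does not, the define is dead and should be removed or replaced by whatever exile.h expects. The rest of the include block lies outside the hunk.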
@@ -54,37 +54,37 @@ bool SandboxLinux::enable(std::vector fsPaths)
 }
 for(unsigned int i = 0; i < fsPaths.size(); i++)
 {
- qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
+ exile_append_path_policy(policy, EXILE_FS_ALLOW_READ | EXILE_FS_ALLOW_WRITE, fsPaths[i].c_str());
 }
 policy->drop_caps = 1;
 policy->not_dumpable = 1;
 policy->no_new_privs = 1;
 policy->mount_path_policies_to_chroot = 1;
- if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
+ if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_DEFAULT_ALLOW) != 0)
 {
 Logger::error() << "Sandbox: Failed to add whitelist!";
- qssb_free_policy(policy);
+ exile_free_policy(policy);
 return false;
 }
- if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
+ if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_SOCKET | EXILE_SYSCGROUP_FUTEX | EXILE_SYSCGROUP_PATH | EXILE_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
 {
 Logger::error() << "Sandbox: Failed to add socket group!";
- qssb_free_policy(policy);
+ exile_free_policy(policy);
 return false;
 }
- if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
+ if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS) != 0)
 {
 Logger::error() << "Sandbox: Default policy";
- qssb_free_policy(policy);
+ exile_free_policy(policy);
 return false;
 }
- if(qssb_enable_policy(policy) != 0)
+ if(exile_enable_policy(policy) != 0)
 {
 Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
- qssb_free_policy(policy);
+ exile_free_policy(policy);
 return false;
 }
- qssb_free_policy(policy);
+ exile_free_policy(policy);
 return true;
 }
diff --git a/submodules/exile.h b/submodules/exile.h
new file mode 160000
index 0000000..1b4c547
--- /dev/null
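Review bot: `exile_append_path_policy(...)` in the loop at the top of the hunk is the only exile_* call whose result is ignored, while every later call on this hunk is checked with `!= 0`, logged, and followed by `exile_free_policy(policy); return false;`. If a path cannot be appended, the worker is still enabled with a policy that lacks that path and the caller gets `true` back with no log line explaining the later access failures; guarding it like the others, e.g. `if(exile_append_path_policy(policy, EXILE_FS_ALLOW_READ | EXILE_FS_ALLOW_WRITE, fsPaths[i].c_str()) != 0)` with the same log/free/return body, keeps the fail-closed shape consistent. Whether this function returns an int status like the others is not visible here and should be confirmed against exile.h before adding the check. Separately, the message on the last error path still says `seccomp blacklist` although what is built here is an allow-list of syscall groups with `EXILE_SYSCALL_DENY_KILL_PROCESS` as the default action, so `"Sandbox: Activation of seccomp policy failed!"` would describe it correctly. The enclosing SandboxLinux::enable begins before this hunk.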
+++ b/submodules/exile.h
@@ -0,0 +1 @@
+Subproject commit 1b4c5477a55191f74d29bc264678e041bf0f2a42
diff --git a/submodules/qssb.h b/submodules/qssb.h
deleted file mode 160000
index d847d0f..0000000
--- a/submodules/qssb.h
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit d847d0f996679c77741b85959988dd9e65d63b97