crtxcr/qswiki
1
0
派生 0
代码 工单 21 合并请求 1 版本发布 动态

sandbox: Switch to exile.h (former qssb.h)

浏览代码
这个提交包含在:
Albert S.
2021-12-02 10:15:11 +01:00
父节点 696ff9b7e7
当前提交 d0e7ff0a8c
共有 6 个文件被更改,包括 18 次插入19 次删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

24
sandbox/sandbox-linux.cpp
查看文件

@ -13,7 +13,7 @@
#include <sys/mount.h>
#include <sys/capability.h>
#define HAVE_LANDLOCK 0
#include <qssb.h>
#include <exile.h>
#include "../logger.h"
#include "../utils.h"
#include "../random.h"
@ -46,7 +46,7 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
std::sort(fsPaths.begin(), fsPaths.end(),
[](const std::string &a, const std::string &b) { return a.length() < b.length(); });
struct qssb_policy *policy = qssb_init_policy();
struct exile_policy *policy = exile_init_policy();
if(policy == NULL)
{
Logger::error() << "Failed to init sandboxing policy (worker) ";
@ -54,37 +54,37 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
}
for(unsigned int i = 0; i < fsPaths.size(); i++)
{
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
exile_append_path_policy(policy, EXILE_FS_ALLOW_READ | EXILE_FS_ALLOW_WRITE, fsPaths[i].c_str());
}
policy->drop_caps = 1;
policy->not_dumpable = 1;
policy->no_new_privs = 1;
policy->mount_path_policies_to_chroot = 1;
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_DEFAULT_ALLOW) != 0)
{
Logger::error() << "Sandbox: Failed to add whitelist!";
qssb_free_policy(policy);
exile_free_policy(policy);
return false;
}
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_SOCKET | EXILE_SYSCGROUP_FUTEX | EXILE_SYSCGROUP_PATH | EXILE_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
{
Logger::error() << "Sandbox: Failed to add socket group!";
qssb_free_policy(policy);
exile_free_policy(policy);
return false;
}
if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS) != 0)
{
Logger::error() << "Sandbox: Default policy";
qssb_free_policy(policy);
exile_free_policy(policy);
return false;
}
if(qssb_enable_policy(policy) != 0)
if(exile_enable_policy(policy) != 0)
{
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
qssb_free_policy(policy);
exile_free_policy(policy);
return false;
}
qssb_free_policy(policy);
exile_free_policy(policy);
return true;
}