crtxcr/qswiki
1
0
Fork 0
Code Issues 21 Pull Requests 1 Releases Activity

sandbox: Switch to exile.h (former qssb.h)

Browse Source
This commit is contained in:
Albert S. 2021-12-02 10:15:11 +01:00
parent 696ff9b7e7
commit d0e7ff0a8c
6 changed files with 18 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitmodules vendored
View File

@ -4,6 +4,6 @@
[submodule "submodules/cpp-httplib"] [submodule "submodules/cpp-httplib"]
path = submodules/cpp-httplib path = submodules/cpp-httplib
url = https://github.com/yhirose/cpp-httplib url = https://github.com/yhirose/cpp-httplib
[submodule "submodules/qssb.h"] [submodule "submodules/exile.h"]
path = submodules/qssb.h path = submodules/exile.h
url = https://gitea.quitesimple.org/crtxcr/qssb.h.git url = https://gitea.quitesimple.org/crtxcr/exile.h.git

2
Makefile
View File

@ -3,7 +3,7 @@ CPPSTD=c++20
CXXFLAGS=-std=$(CPPSTD) -O0 -g -no-pie -pipe -MMD -Wall -Wextra CXXFLAGS=-std=$(CPPSTD) -O0 -g -no-pie -pipe -MMD -Wall -Wextra
RELEASE_CXXFLAGS=-std=$(CPPSTD) -O3 -pipe -MMD -Wall -Wextra RELEASE_CXXFLAGS=-std=$(CPPSTD) -O3 -pipe -MMD -Wall -Wextra
LDFLAGS=-lsqlite3 -lpthread -lcrypto -lstdc++fs LDFLAGS=-lsqlite3 -lpthread -lcrypto -lstdc++fs
INCLUDEFLAGS=-I submodules/sqlitemoderncpp/hdr -I submodules/cpp-httplib -I submodules/qssb.h INCLUDEFLAGS=-I submodules/sqlitemoderncpp/hdr -I submodules/cpp-httplib -I submodules/exile.h
CXX=g++ CXX=g++

3
README.md
View File

@ -72,8 +72,7 @@ Building
Dependencies: Dependencies:
- cpp-httplib: https://github.com/yhirose/cpp-httplib - cpp-httplib: https://github.com/yhirose/cpp-httplib
- SqliteModernCpp: https://github.com/SqliteModernCpp - SqliteModernCpp: https://github.com/SqliteModernCpp
- qssb.h: https://gitea.quitesimple.org/crtxcr/qssb.h - exile.h: https://gitea.quitesimple.org/crtxcr/exile.h
- libseccomp: https://github.com/seccomp/libseccomp
- sqlite3: https://sqlite.org/index.html - sqlite3: https://sqlite.org/index.html
The first three are header-only libraries that are included as a git submodule. The others must The first three are header-only libraries that are included as a git submodule. The others must

24
sandbox/sandbox-linux.cpp
View File

@ -13,7 +13,7 @@
#include <sys/mount.h> #include <sys/mount.h>
#include <sys/capability.h> #include <sys/capability.h>
#define HAVE_LANDLOCK 0 #define HAVE_LANDLOCK 0
#include <qssb.h> #include <exile.h>
#include "../logger.h" #include "../logger.h"
#include "../utils.h" #include "../utils.h"
#include "../random.h" #include "../random.h"
@ -46,7 +46,7 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
std::sort(fsPaths.begin(), fsPaths.end(), std::sort(fsPaths.begin(), fsPaths.end(),
[](const std::string &a, const std::string &b) { return a.length() < b.length(); }); [](const std::string &a, const std::string &b) { return a.length() < b.length(); });
struct qssb_policy *policy = qssb_init_policy(); struct exile_policy *policy = exile_init_policy();
if(policy == NULL) if(policy == NULL)
{ {
Logger::error() << "Failed to init sandboxing policy (worker) "; Logger::error() << "Failed to init sandboxing policy (worker) ";
@ -54,37 +54,37 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
} }
for(unsigned int i = 0; i < fsPaths.size(); i++) for(unsigned int i = 0; i < fsPaths.size(); i++)
{ {
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str()); exile_append_path_policy(policy, EXILE_FS_ALLOW_READ | EXILE_FS_ALLOW_WRITE, fsPaths[i].c_str());
} }
policy->drop_caps = 1; policy->drop_caps = 1;
policy->not_dumpable = 1; policy->not_dumpable = 1;
policy->no_new_privs = 1; policy->no_new_privs = 1;
policy->mount_path_policies_to_chroot = 1; policy->mount_path_policies_to_chroot = 1;
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0) if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_DEFAULT_ALLOW) != 0)
{ {
Logger::error() << "Sandbox: Failed to add whitelist!"; Logger::error() << "Sandbox: Failed to add whitelist!";
qssb_free_policy(policy); exile_free_policy(policy);
return false; return false;
} }
if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0) if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_ALLOW, EXILE_SYSCGROUP_SOCKET | EXILE_SYSCGROUP_FUTEX | EXILE_SYSCGROUP_PATH | EXILE_SYSCGROUP_SCHED | EXILE_SYSCGROUP_TIME) != 0)
{ {
Logger::error() << "Sandbox: Failed to add socket group!"; Logger::error() << "Sandbox: Failed to add socket group!";
qssb_free_policy(policy); exile_free_policy(policy);
return false; return false;
} }
if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0) if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS) != 0)
{ {
Logger::error() << "Sandbox: Default policy"; Logger::error() << "Sandbox: Default policy";
qssb_free_policy(policy); exile_free_policy(policy);
return false; return false;
} }
if(qssb_enable_policy(policy) != 0) if(exile_enable_policy(policy) != 0)
{ {
Logger::error() << "Sandbox: Activation of seccomp blacklist failed!"; Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
qssb_free_policy(policy); exile_free_policy(policy);
return false; return false;
} }
qssb_free_policy(policy); exile_free_policy(policy);
return true; return true;
} }

1
submodules/exile.h Submodule

@ -0,0 +1 @@
Subproject commit 1b4c5477a55191f74d29bc264678e041bf0f2a42

1
submodules/qssb.h

@ -1 +0,0 @@
Subproject commit d847d0f996679c77741b85959988dd9e65d63b97