From d17e59656344dbdf3e2ecef3719f8be851d8284d Mon Sep 17 00:00:00 2001
From: Albert S
Date: Sun, 27 Mar 2022 19:59:52 +0200
Subject: [PATCH] sandbox-linux: include exile.hpp
---
 sandbox/sandbox-linux.cpp | 15 +++++----------
 submodules/exile.h | 2 +-
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp
index fab9fb2..f7435d3 100644
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -12,18 +12,13 @@
 #include
 #include
 #include
-#define HAVE_LANDLOCK 0
-#include
+#include
 #include "../logger.h"
 #include "../utils.h"
 #include "../random.h"
 #include "sandbox-linux.h"
-/* TODO: make a whitelist approach. So far we simply blacklist
- * obvious systemcalls. To whitelist, we need to analyse our
- * dependencies (http library, sqlite wrapper, sqlite lib etc.) */
-
 bool SandboxLinux::supported()
 {
 std::fstream stream;
@@ -54,19 +49,19 @@ bool SandboxLinux::enable(std::vector fsPaths)
 }
 for(unsigned int i = 0; i < fsPaths.size(); i++)
 {
- exile_append_path_policy(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str());
+ exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str());
 }
 policy->drop_caps = 1;
 policy->not_dumpable = 1;
 policy->no_new_privs = 1;
 policy->mount_path_policies_to_chroot = 1;
 policy->vow_promises = EXILE_SYSCALL_VOW_STDIO | EXILE_SYSCALL_VOW_WPATH | EXILE_SYSCALL_VOW_CPATH |
- EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_UNIX |
- EXILE_SYSCALL_VOW_THREAD;
+ EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_INET | EXILE_SYSCALL_VOW_UNIX |
+ EXILE_SYSCALL_VOW_THREAD;
 if(exile_enable_policy(policy) != 0)
 {
- Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
+ Logger::error() << "Sandbox: Activation of exile failed!";
 exile_free_policy(policy);
 return false;
 }
diff --git a/submodules/exile.h b/submodules/exile.h
index 4824c6e..f2ca260 160000
--- a/submodules/exile.h
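Review bot: The deleted `#define HAVE_LANDLOCK 0` sat directly before the exile include, and dropping it looks like more than an include rename: presumably it compiled Landlock support out, so the path policies may now be enforced through Landlock in addition to the `mount_path_policies_to_chroot = 1` setting further down. exile.hpp is not part of this patch, so that reading is inferred and should be confirmed. If the switch is intended, say so in the commit message and leave a short comment at the include in place of the removed TODO, recording that syscall filtering now goes through the vow promises and whether Landlock is meant to be active. It is also worth checking that `SandboxLinux::enable` still succeeds on a kernel without Landlock.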
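Review bot: The result of `exile_append_path_policies(...)` in the `fsPaths` loop is discarded, so a path that could not be added to the policy is at best reported later by the generic "Sandbox: Activation of exile failed!" message, without naming the path. If the call returns a status the way `exile_enable_policy` does (its declaration is not visible in this patch), check it in the loop: `if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, fsPaths[i].c_str()) != 0) { Logger::error() << "Sandbox: Failed to add path policy for " << fsPaths[i]; exile_free_policy(policy); return false; }`. Every entry also receives both `EXILE_FS_ALLOW_ALL_READ` and `EXILE_FS_ALLOW_ALL_WRITE`; a one-line comment saying why all of them need write access would help a later reviewer judge whether some could be read-only. The body of `SandboxLinux::enable` starts and ends outside the hunk.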
+++ b/submodules/exile.h
@@ -1 +1 @@
-Subproject commit 4824c6eaa9043878daaba7b3778338f5bf913f06
+Subproject commit f2ca26010a2bb6d9e270d6ade2e8789c02ac3b31