fscache: Fix starts_with() broken by b41a5f4e5b

sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups
handlers: HandlerSearch: Add missing call to setGeneralVars()
2021-11-30 19:14:59 +01:00 · 2021-11-14 21:54:08 +01:00 · 2021-11-14 21:54:08 +01:00 · 2021-11-14 21:54:08 +01:00
--- a/cache/fscache.cpp
+++ b/cache/fscache.cpp
@ -46,7 +46,7 @@ void FsCache::removePrefix(std::string_view prefix)
 	// TODO: lock dir
 	for(auto &entry : std::filesystem::directory_iterator(std::filesystem::path{this->path}))
 	{
-		if(std::string_view(entry.path().filename().c_str()).starts_with(prefix) == 0)
+		if(std::string_view(entry.path().filename().c_str()).starts_with(prefix))
 		{
 			std::filesystem::remove_all(entry);
 		}
--- a/handlers/handlersearch.cpp
+++ b/handlers/handlersearch.cpp
@ -28,6 +28,7 @@ Response HandlerSearch::handleRequest(const Request &r)
 		TemplatePage searchForm = this->templ->getPage("searchform");
 		response.setBody(searchForm.render());
 		response.setStatus(200);
+		setGeneralVars(searchForm);
 		return response;
 	}

--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@ -60,18 +60,25 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
 	policy->not_dumpable = 1;
 	policy->no_new_privs = 1;
 	policy->mount_path_policies_to_chroot = 1;
-	/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
-	 * sense that more could be listed here and some critical ones are probably missing */
-
-	/* TODO: use qssb groups */
-	long blacklisted_syscalls[] = {QSSB_SYS(setuid),	  QSSB_SYS(connect), QSSB_SYS(chroot),	 QSSB_SYS(pivot_root),
-								   QSSB_SYS(mount),		  QSSB_SYS(setns),	 QSSB_SYS(unshare),	 QSSB_SYS(ptrace),
-								   QSSB_SYS(personality), QSSB_SYS(prctl),	 QSSB_SYS(execveat), QSSB_SYS(execve),
-								   QSSB_SYS(fork)};
-	qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
-								sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
-	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);

+	if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_DEFAULT_ALLOW) != 0)
+	{
+		Logger::error() << "Sandbox: Failed to add whitelist!";
+		qssb_free_policy(policy);
+		return false;
+	}
+	if(qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_ALLOW, QSSB_SYSCGROUP_SOCKET | QSSB_SYSCGROUP_FUTEX | QSSB_SYSCGROUP_PATH | QSSB_SYSCGROUP_SCHED) != 0)
+	{
+		Logger::error() << "Sandbox: Failed to add socket group!";
+		qssb_free_policy(policy);
+		return false;
+	}
+	if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS) != 0)
+	{
+		Logger::error() << "Sandbox: Default policy";
+		qssb_free_policy(policy);
+		return false;
+	}
 	if(qssb_enable_policy(policy) != 0)
 	{
 		Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
--- a/submodules/qssb.h
+++ b/submodules/qssb.h
@ -1 +1 @@
-Subproject commit 0d7c5bd6d437ae95a4900aab6b7b6cc207acbd1b
+Subproject commit d847d0f996679c77741b85959988dd9e65d63b97
--- a/template/quitesimple/searchform
+++ b/template/quitesimple/searchform
@ -1,7 +1,6 @@
 {qswiki:include:general_header}
 <main id="content">
-<h2>Search</h2>
-
+<h2>Search</h2><br>
 Search content of pages:
 <form action="{qswiki:config:wikipath}" method="GET"><input type="hidden" name="action" value="search"/><input type="text" name="q" value="search here" onfocus="this.value=''"></form>
 </main>
--- a/template/quitesimple/style.css
+++ b/template/quitesimple/style.css
@ -23,6 +23,7 @@ h1, h2, h3
 {
 	margin: 0;
 	padding: 0;
+	display: inline;
 }

 nav
作者	SHA1	備註	日期
Albert S	5570154113	fscache: Fix starts_with() broken by `b41a5f4e5b`	2021-11-30 19:14:59 +01:00
Albert S	4f6bcd27b4	sandbox: Sync iwth qssb.h upstream: Use whitelisting and groups	2021-11-14 21:54:08 +01:00
Albert S	bbe74a2c50	handlers: HandlerSearch: Add missing call to setGeneralVars()	2021-11-14 21:54:08 +01:00
Albert S	5db9305408	template: display headers inline (backport from production)	2021-11-14 21:54:08 +01:00