backend_firefox: fix sandbox

- Allow fdatasync(), since it is used by SQLite when committing.
- Move `PRAGMA quick_check` to backend_create(), since it sometimes
  calls stat() and cannot be sandboxed.
CismonX 2025-01-25 21:15:57 +08:00
parent 10ad224b03
commit 35d4a93a41
No known key found for this signature in database
GPG key ID: 3094873E29A482FB
2 changed files with 6 additions and 6 deletions


@ -2601,11 +2601,7 @@ store_init (
uint64_t *bookmarks_root_id_ptr,
uint64_t *tags_root_id_ptr
) {
int status = db_check(db);
if (status < 0) {
return status;
}
status = -EIO;
int status = -EIO;
char const *sql = "SELECT `id` FROM `moz_bookmarks` WHERE `guid` = ?";
sqlite3_stmt *stmt = db_prepare(db, sql, strlen(sql), false);
@ -2719,9 +2715,12 @@ backend_create (
if (0 != db_pragma(db, pragmas, DB_PRAGMA_ITEMS_CNT(pragmas))) {
goto close_db;
}
if (0 != db_check(db)) {
goto close_db;
}
uint64_t bookmarks_root_id = UINT64_MAX;
uint64_t tags_root_id = UINT64_MAX;
uint64_t tags_root_id = UINT64_MAX;
if (conf->flags & BOOKMARKFS_BACKEND_NO_SANDBOX) {
// Defer initialization in sandbox mode, so that
// user-provided data is only read after entering sandbox.
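Review bot: Calling `db_check(db)` ahead of the `BOOKMARKFS_BACKEND_NO_SANDBOX` branch in backend_create means the integrity check now touches the database file before the sandbox is entered, which contradicts the comment just below it ("user-provided data is only read after entering sandbox"). According to the commit message this is `PRAGMA quick_check`, so SQLite presumably walks the pages of a possibly untrusted database with no syscall filter in place yet. If that trade-off is intended, it should be stated at the call site, e.g. `// quick_check may call stat(), so it runs before sandbox_enter(); the database file is read unsandboxed here.`, and the comment below should be reworded to match. The alternative is to keep the check inside the sandbox and permit only the stat variant it needs. backend_create starts and ends outside the hunk, so the position of the sandbox entry relative to this call is inferred from the comment.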


@ -200,6 +200,7 @@ sandbox_enter (
SCMP_RULE_NOARG(close, 20),
SCMP_RULE_NOARG(fallocate, 30),
SCMP_RULE_NOARG(fcntl, 100),
SCMP_RULE_NOARG(fdatasync, 30),
SCMP_RULE_NOARG(flock, 20),
SCMP_RULE_NOARG(fstat, 100),
SCMP_RULE_NOARG(fstat64, 100),
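Review bot: The new `SCMP_RULE_NOARG(fdatasync, 30)` entry has no comment saying why the syscall is allowed, and it only covers SQLite builds that actually call fdatasync(). SQLite falls back to fsync() when it is compiled without fdatasync support, so a differently built system library would still hit the filter on commit unless fsync is already allowed further down the list, which is outside this hunk. I would add a short rationale next to the entry, e.g. `// fdatasync: issued by SQLite when committing (fsync on builds without fdatasync)`, and confirm that fsync is covered. The rule array and sandbox_enter continue beyond the hunk.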