diff --git a/src/backend.h b/src/backend.h
index ef128ab..82934dc 100644
--- a/src/backend.h
+++ b/src/backend.h
@@ -117,7 +117,6 @@ typedef int (bookmarkfs_backend_mkfs_func) (
 typedef int (bookmarkfs_backend_sandbox_func) (
 void *backend_ctx,
- int fusefd,
 struct bookmarkfs_backend_init_resp *resp
 );
diff --git a/src/backend_chromium.c b/src/backend_chromium.c
index 2171fbf..aabbf7d 100644
--- a/src/backend_chromium.c
+++ b/src/backend_chromium.c
@@ -1820,7 +1820,6 @@ backend_init (
 static int
 backend_sandbox (
 void *backend_ctx,
- int fusefd,
 struct bookmarkfs_backend_init_resp *UNUSED_VAR(resp)
 ) {
 struct backend_ctx *ctx = backend_ctx;
@@ -1853,7 +1852,7 @@ backend_sandbox (
 if (ctx->flags & BOOKMARKFS_BACKEND_NO_LANDLOCK) {
 sandbox_flags |= SANDBOX_NO_LANDLOCK;
 }
- return sandbox_enter(fusefd, ctx->dirfd, sandbox_flags);
+ return sandbox_enter(ctx->dirfd, sandbox_flags);
 }
 static int
diff --git a/src/backend_firefox.c b/src/backend_firefox.c
index 2cfe9fd..ac0a23f 100644
--- a/src/backend_firefox.c
+++ b/src/backend_firefox.c
@@ -2841,7 +2841,6 @@ backend_init (
 static int
 backend_sandbox (
 void *backend_ctx,
- int fusefd,
 struct bookmarkfs_backend_init_resp *resp
 ) {
 struct backend_ctx *ctx = backend_ctx;
@@ -2853,7 +2852,7 @@ backend_sandbox (
 // Currently there is no way to retrieve the file descriptors of the
 // open database/-wal/-shm/... files using the SQLite3 public API,
 // thus we're unable to exert fine-grained control over their capabilities.
- if (unlikely(0 != sandbox_enter(fusefd, -1, 0))) {
+ if (unlikely(0 != sandbox_enter(-1, 0))) {
 return -1;
 }
diff --git a/src/fsck_offline.c b/src/fsck_offline.c
index 2adf5e2..e5b9156 100644
--- a/src/fsck_offline.c
+++ b/src/fsck_offline.c
@@ -440,7 +440,7 @@ fsck_sandbox (
 struct bookmarkfs_backend_init_resp info = {
 .bookmarks_root_id = UINT64_MAX,
 };
- if (0 != BACKEND_CALL(ctx, backend_sandbox, -1, &info)) {
+ if (0 != BACKEND_CALL(ctx, backend_sandbox, &info)) {
 return -1;
 }
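Review bot: Dropping `int fusefd` from `bookmarkfs_backend_sandbox_func` in src/backend.h changes the calling convention of a backend entry point, and nothing visible in this hunk tells a backend built against the old header that it no longer matches. src/mount.c calls it through `ctx->backend_impl->backend_sandbox`, so if backends can be built or loaded separately from the frontend (not shown on this page), a stale one would take `resp` from the wrong argument slot and write through a bogus pointer. If the header carries an interface version that is checked at load time, it should be bumped in this same commit; if it does not, a comment on the typedef such as `// signature changed: fusefd removed; backends must be rebuilt` at least records the break. The typedef's surrounding declarations lie outside the hunk.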
diff --git a/src/fsck_online.c b/src/fsck_online.c
index ad82bbd..75ea02d 100644
--- a/src/fsck_online.c
+++ b/src/fsck_online.c
@@ -423,7 +423,7 @@ fsck_sandbox (
 if (ctx->flags & BOOKMARKFS_BACKEND_NO_LANDLOCK) {
 flags |= SANDBOX_NO_LANDLOCK;
 }
- return sandbox_enter(-1, ctx->dir_stack[0].fd, flags);
+ return sandbox_enter(ctx->dir_stack[0].fd, flags);
 }
 struct bookmarkfs_fsck_ops const fsck_online_ops = {
diff --git a/src/mount.c b/src/mount.c
index bae0d32..aa649eb 100644
--- a/src/mount.c
+++ b/src/mount.c
@@ -115,13 +115,11 @@ enter_sandbox (
 return 0;
 }
- void *backend_ctx = ctx->backend_ctx;
- int fusefd = fuse_session_fd(ctx->session);
 struct bookmarkfs_backend_init_resp resp = {
 .bookmarks_root_id = UINT64_MAX,
 .tags_root_id = UINT64_MAX,
 };
- if (0 != ctx->backend_impl->backend_sandbox(backend_ctx, fusefd, &resp)) {
+ if (0 != ctx->backend_impl->backend_sandbox(ctx->backend_ctx, &resp)) {
 return -1;
 }
 debug_puts("sandbox entered");
diff --git a/src/sandbox.c b/src/sandbox.c
index 0f27b0c..994c7d9 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -149,7 +149,6 @@ landlock_restrict_self (
 int
 sandbox_enter (
- int UNUSED_VAR(fusefd),
 int dirfd,
 uint32_t flags
 ) {
@@ -354,7 +353,6 @@ sandbox_enter (
 int
 sandbox_enter (
- int fusefd,
 int dirfd,
 uint32_t flags
 ) {
@@ -373,16 +371,6 @@ sandbox_enter (
 return -1;
 }
- if (fusefd >= 0) {
- cap_rights_t rights;
- cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_EVENT);
-
- if (unlikely(0 != cap_rights_limit(fusefd, &rights))) {
- log_printf("cap_rights_limit(): %s", xstrerror(errno));
- return -1;
- }
- }
-
 if (dirfd >= 0) {
 cap_rights_t rights;
 cap_rights_init(&rights, CAP_LOOKUP, CAP_READ, CAP_FSTAT, CAP_FLOCK,
diff --git a/src/sandbox.h b/src/sandbox.h
index 1412e7a..76a0c14 100644
--- a/src/sandbox.h
+++ b/src/sandbox.h
@@ -31,7 +31,6 @@
 int
 sandbox_enter (
- int fusefd,
 int dirfd,
 uint32_t flags
 );
diff --git a/src/watcher.c b/src/watcher.c
index b5d342a..872d298 100644
--- a/src/watcher.c
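Review bot: The third src/sandbox.c hunk (old line 373) deletes the `cap_rights_limit(fusefd, &rights)` block that held the FUSE descriptor to `CAP_READ, CAP_WRITE, CAP_EVENT`, and nothing on this page replaces it. A descriptor that is never rights-limited keeps its full rights set inside the sandbox, so on the build that uses the `cap_rights_*` calls the process now holds more authority over the FUSE channel than before, while `dirfd` is still narrowed. The src/mount.c hunk also drops the only `fuse_session_fd(ctx->session)` call, so no caller has the descriptor in hand at sandbox time any more. If the limit is still wanted, it fits in `enter_sandbox` in src/mount.c, which has the session; if it was dropped on purpose, a comment should say why, for example `// FUSE fd is deliberately not rights-limited: <reason>`. The body of `sandbox_enter` continues outside the hunk, so a limit applied elsewhere cannot be ruled out from here.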
+++ b/src/watcher.c
@@ -303,7 +303,7 @@ worker_loop (
 uint32_t sandbox_flags = w->flags >> WATCHER_SANDBOX_FLAGS_OFFSET;
 if (!(sandbox_flags & SANDBOX_NOOP)) {
 sandbox_flags |= SANDBOX_READONLY;
- if (unlikely(0 != sandbox_enter(-1, w->dirfd, sandbox_flags))) {
+ if (unlikely(0 != sandbox_enter(w->dirfd, sandbox_flags))) {
 goto end;
 }
 debug_puts("worker thread enters sandbox");