backend_chromium: improve sandboxing

- Always lazy-init watcher when possible.
- Add a check in `backend_create()` that fails when the bookmark
  storage does not exist, so that the function's behavior is more
  consistent across platforms with and without sandboxing.
- Only check Landlock flags on Linux.
CismonX 2025-02-24 17:45:52 +08:00
parent 8a0070833a
commit 3e5c800de8
No known key found for this signature in database
GPG key ID: 3094873E29A482FB
2 changed files with 22 additions and 3 deletions


@ -1710,6 +1710,11 @@ backend_create (
if (dirfd < 0) {
return -1;
}
if (0 != faccessat(dirfd, name, R_OK, AT_EACCESS)) {
log_printf("faccessat(): %s: %s", name, xstrerror(errno));
close(dirfd);
return -1;
}
uint32_t sandbox_flags = 0;
#if defined(__linux__)
@ -1837,20 +1842,24 @@ backend_sandbox (
}
#endif
// Watcher cannot be lazy-initialized in sandbox mode.
// Neither can it be initialized in backend_create(),
// since the calling process may fork per fuse_daemonize().
#ifndef WATCHER_CAN_CREATE_IN_SANDBOX
// The watcher cannot be initialized in backend_create(),
// since the caller may fork() in fuse_daemonize() and terminate,
// and fork() does not inherit threads other than the calling one.
if (unlikely(0 != init_watcher(ctx))) {
return -1;
}
#endif
uint32_t sandbox_flags = 0;
if (ctx->flags & BOOKMARKFS_BACKEND_READONLY) {
sandbox_flags |= SANDBOX_READONLY;
}
#ifdef __Linux__
if (ctx->flags & BOOKMARKFS_BACKEND_NO_LANDLOCK) {
sandbox_flags |= SANDBOX_NO_LANDLOCK;
}
#endif
return sandbox_enter(ctx->dirfd, sandbox_flags);
}
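Review bot: `#ifdef __Linux__` in backend_sandbox() does not match the compiler-predefined macro, which is lowercase `__linux__` — the same spelling the first hunk of this file uses in `#if defined(__linux__)` — so the BOOKMARKFS_BACKEND_NO_LANDLOCK branch is never compiled on Linux and the flag is silently ignored. Change it to `#if defined(__linux__)` to match the earlier hunk. The new `#ifndef WATCHER_CAN_CREATE_IN_SANDBOX` block depends on the macro introduced in the header changed by this commit; if that header is not included here the watcher is always initialized eagerly, which is the safe direction but worth confirming. The faccessat() pre-check in backend_create() would also benefit from a one-line why-comment such as `// Fail early if the storage is missing or unreadable, for consistent behavior with and without sandboxing.`, since an access check is advisory and the real open happens later. backend_sandbox()'s body starts outside the hunk.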


@ -25,6 +25,16 @@
#include <stdint.h>
// If we want this on Linux, we have to whitelist a bunch of syscalls
// like clone(), fanotify_init(), etc., which are generally okay,
// but not used anywhere else in the BookmarkFS codebase.
//
// The list should be kept short, since anything added there may
// introduce extra syscall filtering overhead.
#ifdef __FreeBSD__
# define WATCHER_CAN_CREATE_IN_SANDBOX
#endif
/**
* A watcher_poll() call returning WATCHER_POLL_ERR
* most likely means that the file being watched has gone.