Userland: Always enter jail mode in Browser and Assistant

These programs are capable of running other programs, so we should
restrict them from potentially running SUID programs, which was never a
functionality we supported for those programs anyway.
Liav A. 2024-04-29 10:18:23 +03:00 committed by Tim Schumacher
parent dd59fe35c7
commit 816f2efb4e
2 changed files with 4 additions and 0 deletions


@ -148,6 +148,8 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
{
TRY(Core::System::pledge("stdio recvfd sendfd rpath cpath unix proc exec thread map_fixed"));
TRY(Core::System::enter_jail_mode());
Core::LockFile lockfile("/tmp/lock/assistant.lock");
if (!lockfile.is_held()) {
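Review bot: The new `TRY(Core::System::enter_jail_mode());` after the `pledge()` call in Assistant's `serenity_main` has no comment, so the reason given in the commit message (keeping programs launched from here from running SUID binaries) is not visible at the call site. The same applies to the call placed after `unveil(nullptr, nullptr)` in the Browser hunk. I would put `// Enter jail mode so that anything we spawn cannot run SUID programs.` above both calls. Both processes can still launch other programs, so it is also worth confirming that no code path spawns a child before this call. None does in the visible lines, but `serenity_main` starts and continues outside both hunks.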


@ -180,6 +180,8 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
TRY(Core::System::unveil("/bin/Browser", "x"));
TRY(Core::System::unveil(nullptr, nullptr));
TRY(Core::System::enter_jail_mode());
WebView::ChromeProcess chrome_process;
if (TRY(chrome_process.connect(specified_urls, new_window)) == WebView::ChromeProcess::ProcessDisposition::ExitProcess) {
outln("Opening in existing process");