GMLPlayground: Restrict filesystem access using `unveil()`

author: Karol Kosek <krkk@serenityos.org> 2022-10-23 19:13:14 +0200
committer: Linus Groh <mail@linusgroh.de> 2022-10-24 23:09:30 +0100
commit: 37729f5b9123e878f1af24c4e859a332aa7147f7 (patch)
tree: 3c8d79841c6ec77eab2b4d6bc6e54b883f27323f /Userland
parent: 25104a30c1c5d29d43d4f15a7fe967411c9359e0 (diff)
download: serenity-37729f5b9123e878f1af24c4e859a332aa7147f7.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/Userland/DevTools/GMLPlayground/main.cpp b/Userland/DevTools/GMLPlayground/main.cpp
index 5f3ffcd82c..f95867fac2 100644
--- a/Userland/DevTools/GMLPlayground/main.cpp
+++ b/Userland/DevTools/GMLPlayground/main.cpp
@@ -67,6 +67,12 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
     TRY(Core::System::pledge("stdio thread recvfd sendfd cpath rpath wpath unix"));
     auto app = TRY(GUI::Application::try_create(arguments));
 
+    TRY(Core::System::unveil("/proc/all", "r"));
+    TRY(Core::System::unveil("/res", "r"));
+    TRY(Core::System::unveil("/tmp/session/%sid/portal/launch", "rw"));
+    TRY(Core::System::unveil("/tmp/session/%sid/portal/filesystemaccess", "rw"));
+    TRY(Core::System::unveil(nullptr, nullptr));
+
     TRY(Desktop::Launcher::add_allowed_handler_with_only_specific_urls("/bin/Help", { URL::create_with_file_scheme("/usr/share/man/man1/GMLPlayground.md") }));
     TRY(Desktop::Launcher::seal_allowlist());
author	Karol Kosek <krkk@serenityos.org>	2022-10-23 19:13:14 +0200
committer	Linus Groh <mail@linusgroh.de>	2022-10-24 23:09:30 +0100
commit	37729f5b9123e878f1af24c4e859a332aa7147f7 (patch)
tree	3c8d79841c6ec77eab2b4d6bc6e54b883f27323f /Userland
parent	25104a30c1c5d29d43d4f15a7fe967411c9359e0 (diff)
download	serenity-37729f5b9123e878f1af24c4e859a332aa7147f7.zip