OFApplication: Disallow using a different sandbox

While the active sandbox can be changed, a different sandbox must not be activated. The reason for this is that allowing to activate a different sandbox makes it impossible to track which paths have already been unveiled.
ObjFW · Nov 11, 2018 · 3db2552 · 3db2552
1 parent 7f666a8
commit 3db2552
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 12 deletions.
diff --git a/src/OFApplication.h b/src/OFApplication.h
@@ -238,6 +238,9 @@ OF_ASSUME_NONNULL_BEGIN
  * @ref activateSandboxForExecdProcesses, an `exec()`'d process does not have
  * its permissions restricted!
  *
+ * @note Once a sandbox has been activated, you cannot activate a different
+ *	 sandbox. You can however change the active sandbox and reactivate it.
+ *
  * @param sandbox The sandbox to activate
  */
 + (void)activateSandbox: (OFSandbox *)sandbox;
@@ -251,6 +254,9 @@ OF_ASSUME_NONNULL_BEGIN
  * `unveiledPaths` on the sandbox must *not* be empty, otherwise an
  * @ref OFInvalidArgumentException is raised.
  *
+ * @note Once a sandbox has been activated, you cannot activate a different
+ *	 sandbox. You can however change the active sandbox and reactivate it.
+ *
  * @param sandbox The sandbox to activate
  */
 + (void)activateSandboxForExecdProcesses: (OFSandbox *)sandbox;
@@ -289,6 +295,9 @@ OF_ASSUME_NONNULL_BEGIN
  * @ref activateSandboxForExecdProcesses, an `exec()`'d process does not have
  * its permissions restricted!
  *
+ * @note Once a sandbox has been activated, you cannot activate a different
+ *	 sandbox. You can however change the active sandbox and reactivate it.
+ *
  * @param sandbox The sandbox to activate
  */
 - (void)activateSandbox: (OFSandbox *)sandbox;
@@ -302,6 +311,9 @@ OF_ASSUME_NONNULL_BEGIN
  * `unveiledPaths` on the sandbox must *not* be empty, otherwise an
  * @ref OFInvalidArgumentException is raised.
  *
+ * @note Once a sandbox has been activated, you cannot activate a different
+ *	 sandbox. You can however change the active sandbox and reactivate it.
+ *
  * @param sandbox The sandbox to activate
  */
 - (void)activateSandboxForExecdProcesses: (OFSandbox *)sandbox;

diff --git a/src/OFApplication.m b/src/OFApplication.m
@@ -595,11 +595,12 @@ - (void)activateSandbox: (OFSandbox *)sandbox
 # ifdef OF_HAVE_PLEDGE
 	void *pool = objc_autoreleasePoolPush();
 	of_string_encoding_t encoding = [OFLocale encoding];
-	const char *promises = [[sandbox pledgeString]
-	    cStringWithEncoding: encoding];
 	OFArray OF_GENERIC(of_sandbox_unveil_path_t) *unveiledPaths;
 	size_t unveiledPathsCount;
-	OFSandbox *oldSandbox;
+	const char *promises;
+
+	if (_activeSandbox != nil && sandbox != _activeSandbox)
+		@throw [OFInvalidArgumentException exception];
 
 	unveiledPaths = [sandbox unveiledPaths];
 	unveiledPathsCount = [unveiledPaths count];
@@ -620,40 +621,44 @@ - (void)activateSandbox: (OFSandbox *)sandbox
 
 	sandbox->_unveiledPathsIndex = unveiledPathsCount;
 
+	promises = [[sandbox pledgeString] cStringWithEncoding: encoding];
+
 	if (pledge(promises, NULL) != 0)
 		@throw [OFSandboxActivationFailedException
 		    exceptionWithSandbox: sandbox
 				   errNo: errno];
 
 	objc_autoreleasePoolPop(pool);
 
-	oldSandbox = _activeSandbox;
-	_activeSandbox = [sandbox retain];
-	[oldSandbox release];
+	if (_activeSandbox == nil)
+		_activeSandbox = [sandbox retain];
 # endif
 }
 
 - (void)activateSandboxForExecdProcesses: (OFSandbox *)sandbox
 {
 # ifdef OF_HAVE_PLEDGE
 	void *pool = objc_autoreleasePoolPush();
-	const char *promises = [[sandbox pledgeString]
-	    cStringWithEncoding: [OFLocale encoding]];
-	OFSandbox *oldSandbox;
+	const char *promises;
+
+	if (_activeExecSandbox != nil && sandbox != _activeExecSandbox)
+		@throw [OFInvalidArgumentException exception];
 
 	if ([[sandbox unveiledPaths] count] != 0)
 		@throw [OFInvalidArgumentException exception];
 
+	promises = [[sandbox pledgeString]
+	    cStringWithEncoding: [OFLocale encoding]];
+
 	if (pledge(NULL, promises) != 0)
 		@throw [OFSandboxActivationFailedException
 		    exceptionWithSandbox: sandbox
 				   errNo: errno];
 
 	objc_autoreleasePoolPop(pool);
 
-	oldSandbox = _activeExecSandbox;
-	_activeExecSandbox = [sandbox retain];
-	[oldSandbox release];
+	if (_activeExecSandbox == nil)
+		_activeExecSandbox = [sandbox retain];
 # endif
 }
 #endif