diff --git a/unblob/processing.py b/unblob/processing.py
index a77f1a1bdf..1d1c3b9fe3 100644
--- a/unblob/processing.py
+++ b/unblob/processing.py
@@ -9,6 +9,7 @@
 import plotext as plt
 from structlog import get_logger
 from unblob_native import math_tools as mt
+from unblob_native.sandbox import FSAccess, restrict_access
 
 from unblob.handlers import BUILTIN_DIR_HANDLERS, BUILTIN_HANDLERS, Handlers
 
@@ -127,6 +128,19 @@ def process_file(
 )
 return ProcessResult()
 
+ restrictions = [
+ FSAccess.read("/"),
+ FSAccess.read_write("/dev/shm"), # noqa: S108
+ FSAccess.read_write(extract_dir.as_posix()),
+ FSAccess.create_directory(extract_dir.parent.as_posix()),
+ ]
+ if report_file:
+ restrictions += [
+ FSAccess.read_write(report_file),
+ FSAccess.create_file(report_file.parent),
+ ]
+ restrict_access(*restrictions)
+
 process_result = _process_task(config, task)
 
 # ensure that the root extraction directory is created even for empty extractions
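Review bot: `restrict_access(*restrictions)` is applied inside `process_file` to the calling process itself, so if the restriction is irreversible and inherited by children (as Landlock-style sandboxes are; the implementation is not visible in this hunk), any program that imports unblob and calls `process_file` stays confined afterwards, and a second call with a different `extract_dir` may no longer be able to write there. Consider applying the sandbox only from the CLI entry point or in a dedicated child process, and state in the `process_file` docstring that the call restricts the whole process. The policy keeps `FSAccess.read("/")`, so it confines writes but not what an extractor handling an untrusted file can read; a comment such as `# write confinement only: everything under / stays readable` would make that scope explicit to the next maintainer. The `report_file` rules pass `Path` objects while the `extract_dir` rules use `.as_posix()`; for consistency write `FSAccess.read_write(report_file.as_posix())` and `FSAccess.create_file(report_file.parent.as_posix())`. The body of `process_file` starts and ends outside the hunk, so whether `extract_dir` already exists when the rules are built cannot be checked from here.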