From 02331eac4762ad99bf449a92bb1681ee74bd42b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Vask=C3=B3?= <1771332+vlaci@users.noreply.github.com>
Date: Tue, 6 Jun 2023 16:54:08 +0200
Subject: [PATCH] feat: WIP landlock based sandboxing

---
 unblob/processing.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/unblob/processing.py b/unblob/processing.py
index a77f1a1bdf..1d1c3b9fe3 100644
--- a/unblob/processing.py
+++ b/unblob/processing.py
@@ -9,6 +9,7 @@
 import plotext as plt
 from structlog import get_logger
 from unblob_native import math_tools as mt
+from unblob_native.sandbox import FSAccess, restrict_access
 
 from unblob.handlers import BUILTIN_DIR_HANDLERS, BUILTIN_HANDLERS, Handlers
 
@@ -127,6 +128,19 @@ def process_file(
         )
         return ProcessResult()
 
+    restrictions = [
+        FSAccess.read("/"),
+        FSAccess.read_write("/dev/shm"),  # noqa: S108
+        FSAccess.read_write(extract_dir.as_posix()),
+        FSAccess.create_directory(extract_dir.parent.as_posix()),
+    ]
+    if report_file:
+        restrictions += [
+            FSAccess.read_write(report_file),
+            FSAccess.create_file(report_file.parent),
+        ]
+    restrict_access(*restrictions)
+
     process_result = _process_task(config, task)
 
     # ensure that the root extraction directory is created even for empty extractions
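Review bot: `restrict_access(*restrictions)` is called before `extract_dir` is guaranteed to exist — the context comment a few lines below says the root extraction directory is created later "even for empty extractions" — so the `FSAccess.read_write(extract_dir.as_posix())` rule is built against a path that may be absent at that point; if `restrict_access` resolves paths eagerly (as Landlock path rules typically require), that rule would presumably fail or be dropped, and the directory should be created (or `create_directory(extract_dir.parent)` relied on explicitly) before restricting. The argument types are also mixed: `extract_dir` is passed via `.as_posix()` while `report_file` and `report_file.parent` are passed as bare `Path` objects; unless `FSAccess` is known to accept both, make them consistent, e.g. `FSAccess.read_write(report_file.as_posix())` and `FSAccess.create_file(report_file.parent.as_posix())`. Since Landlock rulesets are process-wide and can only ever narrow access, a second `process_file` call in the same process with a different `extract_dir` would likely be denied writes there; if single-call-per-process is the intended contract, state it next to the call, e.g. `# NOTE: Landlock restrictions are cumulative for the whole process; process_file is expected to run once per process`. The enclosing `process_file` starts and ends outside the hunk.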