Merge bitcoin/bitcoin#24758: Disable the syscall sandbox for bitcoin-qt and remove gui-related syscalls

fabdf9f870 Remove gui-only syscalls (MarcoFalke)
fa0c2aa826 init: Disable syscall sandbox in the bitcoin-qt process (MarcoFalke)

Pull request description:

  It is basically impossible (and a bit out of scope) for us to maintain a sandbox for the qt library. I am not sure if it is possible to only sandbox a few threads in a process, but I doubt this will add no practical benefit anyway, so I am disabling the sandbox for the whole bitcoin-qt process.

  See also https://github.com/bitcoin/bitcoin/pull/24690#issuecomment-1084372400

ACKs for top commit:
  laanwj:
    Code review ACK fabdf9f870

Tree-SHA512: 944ded03ee25f7dfd0bfeea9c3f97f575f2d470aa03b387b07f3e3bec5cb886e4aaa17e4a9fb359d3e670e6da69adc9111673d13e6561ec55b3161bb67dfe760
laanwj
2022-04-06 11:51:05 +02:00
5 changed files with 6 additions and 9 deletions

@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
return true;
}
bool AppInitParameterInteraction(const ArgsManager& args)
bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
{
const CChainParams& chainparams = Params();
// ********************************************************* Step 2: parameter interactions
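Review bot: the new bool use_syscall_sandbox parameter on AppInitParameterInteraction is undocumented in this hunk, and a bare true/false at a call site will not tell a reader that it decides whether the process gets a syscall policy at all. Please add a comment at the declaration stating that false is meant for the bitcoin-qt process only, and consider a named enum or a defaulted argument so that a caller cannot end up unsandboxed by a silent positional mistake.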
@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
return InitError(Untranslated("Installation of the syscall sandbox failed."));
}
if (use_syscall_sandbox) {
SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
}
LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
}
#endif // USE_SYSCALL_SANDBOX
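Review bot: the LogPrintf after the new if (use_syscall_sandbox) block still runs when use_syscall_sandbox is false, so a process that skips SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) will still log "Experimental syscall sandbox enabled" and claim that it terminates on a non-allowlisted syscall. That is a misleading security signal for anyone who passes -sandbox and then reads the log to confirm it took effect. Move the LogPrintf inside the if, and in the else branch log (or return an InitError) that -sandbox is not applied in this process. The message also hardcodes "bitcoind", which is worth fixing while the line is being touched. Separately, SetupSyscallSandbox is still called unconditionally in the false case; if nothing it sets up is needed without a policy, it should go under the same condition.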