From 37729f5b9123e878f1af24c4e859a332aa7147f7 Mon Sep 17 00:00:00 2001
From: Karol Kosek
Date: Sun, 23 Oct 2022 19:13:14 +0200
Subject: [PATCH] GMLPlayground: Restrict filesystem access using `unveil()`
---
 Userland/DevTools/GMLPlayground/main.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Userland/DevTools/GMLPlayground/main.cpp b/Userland/DevTools/GMLPlayground/main.cpp
index 5f3ffcd82c..f95867fac2 100644
--- a/Userland/DevTools/GMLPlayground/main.cpp
+++ b/Userland/DevTools/GMLPlayground/main.cpp
@@ -67,6 +67,12 @@ ErrorOr serenity_main(Main::Arguments arguments)
 TRY(Core::System::pledge("stdio thread recvfd sendfd cpath rpath wpath unix"));
 auto app = TRY(GUI::Application::try_create(arguments));
+ TRY(Core::System::unveil("/proc/all", "r"));
+ TRY(Core::System::unveil("/res", "r"));
+ TRY(Core::System::unveil("/tmp/session/%sid/portal/launch", "rw"));
+ TRY(Core::System::unveil("/tmp/session/%sid/portal/filesystemaccess", "rw"));
+ TRY(Core::System::unveil(nullptr, nullptr));
+
 TRY(Desktop::Launcher::add_allowed_handler_with_only_specific_urls("/bin/Help", { URL::create_with_file_scheme("/usr/share/man/man1/GMLPlayground.md") }));
 TRY(Desktop::Launcher::seal_allowlist());
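Review bot: The `pledge()` string on the first context line still carries `cpath rpath wpath`, although the view locked by the added `unveil(nullptr, nullptr)` exposes only `/proc/all` and `/res` read-only plus the two portal sockets, so the create and write promises look broader than anything the process can still reach. Whether `GUI::Application::try_create()` or code further down needs them cannot be seen from this hunk, since serenity_main starts before it and continues past it. If they are not needed, narrow them with a second call after the lock, for example `TRY(Core::System::pledge("stdio thread recvfd sendfd rpath unix"));`. The list would also benefit from a comment above it, such as `// User files are presumably opened through the FileSystemAccess portal, so no user paths are unveiled.`, plus a word on what reads `/proc/all`, so later edits keep the allowlist minimal.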