Diffstat (limited to 'src')
-rw-r--r--src/main.c18
-rw-r--r--src/spawn.c18
2 files changed, 36 insertions, 0 deletions
diff --git a/src/main.c b/src/main.c
index 5b3b8cf..45149e6 100644
--- a/src/main.c
+++ b/src/main.c
@@ -29,6 +29,10 @@
#include <glib/gprintf.h>
#include <glib/gstdio.h>
+#ifdef HAVE_SYS_CAPSICUM_H
+#include <sys/capsicum.h>
+#endif
+
#include "sciteco.h"
#include "file-utils.h"
#include "cmdline.h"
@@ -106,6 +110,7 @@ static gchar *teco_eval_macro = NULL;
static gboolean teco_mung_file = FALSE;
static gboolean teco_mung_profile = TRUE;
static gchar *teco_fake_cmdline = NULL;
+static gboolean teco_sandbox = FALSE;
static gboolean teco_8bit_clean = FALSE;
static gchar *
@@ -125,6 +130,9 @@ teco_process_options(gchar ***argv)
{"fake-cmdline", 0, G_OPTION_FLAG_HIDDEN,
G_OPTION_ARG_STRING, &teco_fake_cmdline,
"Emulate key presses in batch mode (for debugging)", "keys"},
+ {"sandbox", 0, G_OPTION_FLAG_HIDDEN,
+ G_OPTION_ARG_NONE, &teco_sandbox,
+ "Sandbox application (for debugging)"},
{"8bit", '8', 0, G_OPTION_ARG_NONE, &teco_8bit_clean,
"Use ANSI encoding by default and disable automatic EOL conversion"},
{NULL}
@@ -336,6 +344,16 @@ main(int argc, char **argv)
* to the macro or munged file.
*/
+#ifdef HAVE_CAP_ENTER
+ /*
+ * In the sandbox, we cannot access files or execute external processes.
+ * Effectively, munging won't work, so you can pass macros only via
+ * --eval or --fake-cmdline.
+ */
+ if (G_UNLIKELY(teco_sandbox))
+ cap_enter();
+#endif
+
if (teco_8bit_clean)
/* equivalent to 16,4ED but executed earlier */
teco_ed = (teco_ed & ~TECO_ED_AUTOEOL) | TECO_ED_DEFAULT_ANSI;
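Review bot: The return value of `cap_enter()` is discarded, so when the user asks for `--sandbox` and the call fails (e.g. a kernel without Capsicum support), the process silently keeps running unsandboxed; a sandbox request should fail closed. I would write `if (G_UNLIKELY(teco_sandbox) && cap_enter() < 0)` followed by `g_error("Cannot enter Capsicum sandbox: %s", g_strerror(errno));` (or report and return a failure status, whichever matches how main() handles other fatal startup errors), which needs `<errno.h>` if main.c does not already include it. Also, the include in the first hunk is guarded by `HAVE_SYS_CAPSICUM_H` while this call is guarded by `HAVE_CAP_ENTER`; presumably both come from the same configure check, but if they can diverge the call would be implicitly declared. The body of main() continues outside the hunk.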
diff --git a/src/spawn.c b/src/spawn.c
index 7a5736c..9816975 100644
--- a/src/spawn.c
+++ b/src/spawn.c
@@ -30,6 +30,10 @@
#include <windows.h>
#endif
+#ifdef HAVE_SYS_CAPSICUM_H
+#include <sys/capsicum.h>
+#endif
+
#include "sciteco.h"
#include "interface.h"
#include "undo.h"
@@ -268,6 +272,20 @@ teco_state_execute_done(teco_machine_main_t *ctx, const teco_string_t *str, GErr
g_autoptr(GIOChannel) stdin_chan = NULL, stdout_chan = NULL;
g_auto(GStrv) argv = NULL, envp = NULL;
+#ifdef HAVE_CAP_GETMODE
+ /*
+ * If we don't explicitly check for sandboxing, glib could assert
+ * internally and we want to detect all unexpected assertions
+ * in "infinite monkey"-style tests.
+ */
+ u_int sandbox_mode;
+ if (G_UNLIKELY(cap_getmode(&sandbox_mode) || sandbox_mode)) {
+ g_set_error(error, TECO_ERROR, TECO_ERROR_FAILED,
+ "Forbidden in Capsicum sandbox");
+ goto gerror;
+ }
+#endif
+
if (!str->len || teco_string_contains(str, '\0')) {
g_set_error(error, TECO_ERROR, TECO_ERROR_FAILED,
"Command line must not be empty or contain null-bytes");