feat(permissions): add "--deny-*" flags (#19070)

This commit adds new "--deny-*" permission flags. These are complimentary to "--allow-*" flags. These flags can be used to restrict access to certain resources, even if they were granted using "--allow-*" flags or the "--allow-all" ("-A") flag. Eg. specifying "--allow-read --deny-read" will result in a permission error, while "--allow-read --deny-read=/etc" will allow read access to all FS but the "/etc" directory. Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly by adding, a new "PermissionStatus.partial" field. This field denotes that while permission might be granted to requested resource, it's only partial (ie. a "--deny-*" flag was specified that excludes some of the requested resources). Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for permissions like "Deno.permissions.query({ name: "read", path: "foo/" })" will return "PermissionStatus { state: "granted", onchange: null, partial: true }", denoting that some of the subpaths don't have read access. Closes #18804. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
author: Asher Gomez <ashersaupingomez@gmail.com> 2023-08-03 21:19:19 +1000
committer: GitHub <noreply@github.com> 2023-08-03 13:19:19 +0200
commit: 6fb7e8d93bb9fd8cdd81130a394ae6061930c4f6 (patch)
tree: 2ec6dc2be234ef5a42023c1d75f1fc1316d80f06 /ext/ffi/repr.rs
parent: db287e216dd752bfcb3484cbfd93225e8463c363 (diff)
1 files changed, 20 insertions, 20 deletions
diff --git a/ext/ffi/repr.rs b/ext/ffi/repr.rs
index 0e2f88084..665e37186 100644
--- a/ext/ffi/repr.rs
+++ b/ext/ffi/repr.rs
@@ -24,7 +24,7 @@ where
 {
   check_unstable(state, "Deno.UnsafePointer#create");
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   Ok(ptr_number as *mut c_void)
 }
@@ -40,7 +40,7 @@ where
 {
   check_unstable(state, "Deno.UnsafePointer#equals");
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   Ok(a == b)
 }
@@ -55,7 +55,7 @@ where
 {
   check_unstable(state, "Deno.UnsafePointer#of");
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   Ok(buf as *mut c_void)
 }
@@ -71,7 +71,7 @@ where
 {
   check_unstable(state, "Deno.UnsafePointer#offset");
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid pointer to offset, pointer is null"));
@@ -99,7 +99,7 @@ where
 {
   check_unstable(state, "Deno.UnsafePointer#value");
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   let outptr = out.as_ptr() as *mut usize;
   let length = out.len();
@@ -129,7 +129,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getArrayBuffer");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid ArrayBuffer pointer, pointer is null"));
@@ -164,7 +164,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#copyInto");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if src.is_null() {
     Err(type_error("Invalid ArrayBuffer pointer, pointer is null"))
@@ -197,7 +197,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getCString");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid CString pointer, pointer is null"));
@@ -227,7 +227,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getBool");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid bool pointer, pointer is null"));
@@ -249,7 +249,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getUint8");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid u8 pointer, pointer is null"));
@@ -273,7 +273,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getInt8");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid i8 pointer, pointer is null"));
@@ -297,7 +297,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getUint16");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid u16 pointer, pointer is null"));
@@ -321,7 +321,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getInt16");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid i16 pointer, pointer is null"));
@@ -345,7 +345,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getUint32");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid u32 pointer, pointer is null"));
@@ -367,7 +367,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getInt32");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid i32 pointer, pointer is null"));
@@ -390,7 +390,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getBigUint64");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   let outptr = out.as_mut_ptr() as *mut u64;
 
@@ -425,7 +425,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getBigUint64");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   let outptr = out.as_mut_ptr() as *mut i64;
 
@@ -458,7 +458,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getFloat32");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid f32 pointer, pointer is null"));
@@ -480,7 +480,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getFloat64");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid f64 pointer, pointer is null"));
@@ -502,7 +502,7 @@ where
   check_unstable(state, "Deno.UnsafePointerView#getPointer");
 
   let permissions = state.borrow_mut::<FP>();
-  permissions.check(None)?;
+  permissions.check_partial(None)?;
 
   if ptr.is_null() {
     return Err(type_error("Invalid pointer pointer, pointer is null"));
author	Asher Gomez <ashersaupingomez@gmail.com>	2023-08-03 21:19:19 +1000
committer	GitHub <noreply@github.com>	2023-08-03 13:19:19 +0200
commit	6fb7e8d93bb9fd8cdd81130a394ae6061930c4f6 (patch)
tree	2ec6dc2be234ef5a42023c1d75f1fc1316d80f06 /ext/ffi/repr.rs
parent	db287e216dd752bfcb3484cbfd93225e8463c363 (diff)