authorDavid Sherret <dsherret@users.noreply.github.com>2024-08-19 16:21:27 -0400
committerGitHub <noreply@github.com>2024-08-19 16:21:27 -0400
commitbf510544ef26b89d4c2ae935893eaf62995ed903 (patch)
treeb4cbe166e239f5e95f9a17f9d93f025f394e85a7 /runtime/permissions/lib.rs
parentee2b6899a1e6a3108bad43443f130ca2dd86a697 (diff)
chore: improve accessing special file test (#25099)
Diffstat (limited to 'runtime/permissions/lib.rs')
-rw-r--r--runtime/permissions/lib.rs46
1 files changed, 43 insertions, 3 deletions
diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs
index 0d9d37a36..b0fa9eb10 100644
--- a/runtime/permissions/lib.rs
+++ b/runtime/permissions/lib.rs
@@ -2241,7 +2241,50 @@ pub fn create_child_permissions(
main_perms: &mut Permissions,
child_permissions_arg: ChildPermissionsArg,
) -> Result<Permissions, AnyError> {
+ fn is_granted_unary(arg: &ChildUnaryPermissionArg) -> bool {
+ match arg {
+ ChildUnaryPermissionArg::Inherit | ChildUnaryPermissionArg::Granted => {
+ true
+ }
+ ChildUnaryPermissionArg::NotGranted
+ | ChildUnaryPermissionArg::GrantedList(_) => false,
+ }
+ }
+
+ fn is_granted_unit(arg: &ChildUnitPermissionArg) -> bool {
+ match arg {
+ ChildUnitPermissionArg::Inherit | ChildUnitPermissionArg::Granted => true,
+ ChildUnitPermissionArg::NotGranted => false,
+ }
+ }
+
let mut worker_perms = Permissions::none_without_prompt();
+
+ worker_perms.all = main_perms
+ .all
+ .create_child_permissions(ChildUnitPermissionArg::Inherit)?;
+
+ // downgrade the `worker_perms.all` based on the other values
+ if worker_perms.all.query() == PermissionState::Granted {
+ let unary_perms = [
+ &child_permissions_arg.read,
+ &child_permissions_arg.write,
+ &child_permissions_arg.net,
+ &child_permissions_arg.env,
+ &child_permissions_arg.sys,
+ &child_permissions_arg.run,
+ &child_permissions_arg.ffi,
+ ];
+ let unit_perms = [&child_permissions_arg.hrtime];
+ let allow_all = unary_perms.into_iter().all(is_granted_unary)
+ && unit_perms.into_iter().all(is_granted_unit);
+ if !allow_all {
+ worker_perms.all.revoke();
+ }
+ }
+
+ // WARNING: When adding a permission here, ensure it is handled
+ // in the worker_perms.all block above
worker_perms.read = main_perms
.read
.create_child_permissions(child_permissions_arg.read)?;
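Review bot: The `worker_perms.all` downgrade fails open if a permission is ever missed: `unary_perms` and `unit_perms` are hand-maintained lists, and the only guard against a future field being left out is the `WARNING` comment. A worker restricted on an unlisted permission would then keep `all` as `Granted`. Destructuring the argument exhaustively before building the arrays, e.g. `let ChildPermissionsArg { read, write, net, env, sys, run, ffi, hrtime } = &child_permissions_arg;` (assuming those eight are all of its fields), turns a forgotten permission into a compile error. The wildcard-free `match` arms in `is_granted_unary` and `is_granted_unit` already give that guarantee for new enum variants and should stay that way. The body of `create_child_permissions` starts above this hunk and continues past it, so the per-permission assignments between the two hunks are not visible here.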
@@ -2266,9 +2309,6 @@ pub fn create_child_permissions(
worker_perms.hrtime = main_perms
.hrtime
.create_child_permissions(child_permissions_arg.hrtime)?;
- worker_perms.all = main_perms
- .all
- .create_child_permissions(ChildUnitPermissionArg::Inherit)?;
Ok(worker_perms)
}