diff options
| author | David Sherret <dsherret@users.noreply.github.com> | 2024-10-04 20:55:41 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-04 20:55:41 +0100 |
| commit | 2de4faa483982478e9a36ad4ab891a887b4779f1 (patch) | |
| tree | 5ee8512e5dc380759054900943074d5b6ee8c65c /runtime/permissions | |
| parent | f288730c38bd4f13b464a9bd67eb901a8c790bc4 (diff) | |
refactor: improve node permission checks (#26028)
Does less work when requesting permissions with `-A`
Diffstat (limited to 'runtime/permissions')
| -rw-r--r-- | runtime/permissions/lib.rs | 54 |
1 files changed, 47 insertions, 7 deletions
diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs index efabd0b17..2904242da 100644 --- a/runtime/permissions/lib.rs +++ b/runtime/permissions/lib.rs @@ -2285,6 +2285,11 @@ impl PermissionsContainer { self.inner.lock().read.check_all(Some(api_name)) } + #[inline(always)] + pub fn query_read_all(&self) -> bool { + self.inner.lock().read.query(None) == PermissionState::Granted + } + #[must_use = "the resolved return value to mitigate time-of-check to time-of-use issues"] #[inline(always)] pub fn check_write( @@ -2614,8 +2619,13 @@ impl PermissionsContainer { &self, path: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.read; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().read.query( + permission.query( path .map(|path| { Result::<_, AnyError>::Ok( @@ -2633,8 +2643,13 @@ impl PermissionsContainer { &self, path: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.write; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().write.query( + permission.query( path .map(|path| { Result::<_, AnyError>::Ok( @@ -2652,8 +2667,13 @@ impl PermissionsContainer { &self, host: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.net; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().net.query( + permission.query( match host { None => None, Some(h) => Some(self.descriptor_parser.parse_net_descriptor(h)?), @@ -2665,7 +2685,12 @@ impl PermissionsContainer { #[inline(always)] pub fn query_env(&self, var: Option<&str>) -> PermissionState { - self.inner.lock().env.query(var) + let inner = self.inner.lock(); + let permission = &inner.env; + if permission.is_allow_all() { + return PermissionState::Granted; + } + permission.query(var) } #[inline(always)] @@ -2673,8 +2698,13 @@ impl PermissionsContainer { &self, kind: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.sys; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().sys.query( + permission.query( kind .map(|kind| self.descriptor_parser.parse_sys_descriptor(kind)) .transpose()? @@ -2688,8 +2718,13 @@ impl PermissionsContainer { &self, cmd: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.run; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().run.query( + permission.query( cmd .map(|request| self.descriptor_parser.parse_run_query(request)) .transpose()? @@ -2703,8 +2738,13 @@ impl PermissionsContainer { &self, path: Option<&str>, ) -> Result<PermissionState, AnyError> { + let inner = self.inner.lock(); + let permission = &inner.ffi; + if permission.is_allow_all() { + return Ok(PermissionState::Granted); + } Ok( - self.inner.lock().ffi.query( + permission.query( path .map(|path| { Result::<_, AnyError>::Ok( |