mirror of
https://github.com/genodelabs/genode.git
synced 2024-12-22 06:57:51 +00:00
chroot: enforce writeable policy decision
The writeable decision given in the policy will always override the decision made by the client. Fixes #2643
This commit is contained in:
parent
7bee21a4fd
commit
2e9a19d5b0
@ -31,3 +31,7 @@ file system session from "X" would be rooted to the directory
|
|||||||
! </route>
|
! </route>
|
||||||
! ...
|
! ...
|
||||||
! </start>
|
! </start>
|
||||||
|
|
||||||
|
In addition, the 'chroot' component will intercept the 'writeable' session
|
||||||
|
argument and only if its own policy allows it (i.e. the 'writeable' attribute
|
||||||
|
is to 'yes') the child is permitted to create a writeable connection.
|
||||||
|
@ -170,6 +170,24 @@ struct Chroot::Main
|
|||||||
/* sacrifice the label to make space for the root argument */
|
/* sacrifice the label to make space for the root argument */
|
||||||
Arg_string::remove_arg(new_args, "label");
|
Arg_string::remove_arg(new_args, "label");
|
||||||
|
|
||||||
|
/* enforce writeable policy decision */
|
||||||
|
{
|
||||||
|
enum { WRITEABLE_ARG_MAX_LEN = 4, };
|
||||||
|
char tmp[WRITEABLE_ARG_MAX_LEN];
|
||||||
|
Arg_string::find_arg(new_args, "writeable").string(tmp, sizeof(tmp), "no");
|
||||||
|
|
||||||
|
/* session argument */
|
||||||
|
bool const writeable_arg =
|
||||||
|
Arg_string::find_arg(new_args, "writeable").bool_value(false);
|
||||||
|
|
||||||
|
/* label-based session policy */
|
||||||
|
bool const writeable_policy =
|
||||||
|
policy.attribute_value("writeable", false);
|
||||||
|
|
||||||
|
bool const writeable = writeable_arg && writeable_policy;
|
||||||
|
Arg_string::set_arg(new_args, ARGS_MAX_LEN, "writeable", writeable);
|
||||||
|
}
|
||||||
|
|
||||||
Arg_string::set_arg_string(new_args, ARGS_MAX_LEN, "root", new_root);
|
Arg_string::set_arg_string(new_args, ARGS_MAX_LEN, "root", new_root);
|
||||||
|
|
||||||
Affinity affinity;
|
Affinity affinity;
|
||||||
|
Loading…
Reference in New Issue
Block a user