mirror of
https://github.com/genodelabs/genode.git
synced 2024-12-19 05:37:54 +00:00
Chroot: change root to explicit prefix and label sub-dirs
Change the root of a session request into an explicit path and apply the label-to-path conversion using the "path_prefix" policy attribute. This is in addition to only applying a root change with a "path" attribute. Ref #3031 Fix #3056
This commit is contained in:
parent
74f2954013
commit
447329eaee
@ -6,8 +6,10 @@ hierarchy of directories.
|
|||||||
Sessions matching policies with _path_ attributes will be "chrooted" to the
|
Sessions matching policies with _path_ attributes will be "chrooted" to the
|
||||||
configured policy path, sessions not matching policies with _path_ attributes
|
configured policy path, sessions not matching policies with _path_ attributes
|
||||||
will be chrooted into paths formed from each session label element. Sessions
|
will be chrooted into paths formed from each session label element. Sessions
|
||||||
requests are downgraded to read-only requests unless matched by polices
|
matching polices with a _path_prefix_ attribute are both rooted at the
|
||||||
with an affirmative _writeable_ attribute. Sessions not matching any
|
attribute path and in sub-directories formed by the session label.
|
||||||
|
Sessions requests are downgraded to read-only requests unless matched by
|
||||||
|
polices with an affirmative _writeable_ attribute. Sessions not matching any
|
||||||
policy are rejected.
|
policy are rejected.
|
||||||
|
|
||||||
Please note that this server is only effective for File_system servers that
|
Please note that this server is only effective for File_system servers that
|
||||||
|
@ -112,8 +112,13 @@ struct Chroot::Main
|
|||||||
Session_label const label = label_from_args(args.string());
|
Session_label const label = label_from_args(args.string());
|
||||||
Session_policy const policy(label, config_rom.xml());
|
Session_policy const policy(label, config_rom.xml());
|
||||||
|
|
||||||
|
if (policy.has_attribute("path_prefix")) {
|
||||||
|
/* Use a chroot path from policy and label sub-directories */
|
||||||
|
policy.attribute("path_prefix").value(tmp, sizeof(tmp));
|
||||||
|
root_path.import(tmp);
|
||||||
|
root_path.append(path_from_label<Path>(label.string()).string());
|
||||||
|
} else if (policy.has_attribute("path")) {
|
||||||
/* Use a chroot path from policy */
|
/* Use a chroot path from policy */
|
||||||
if (policy.has_attribute("path")) {
|
|
||||||
policy.attribute("path").value(tmp, sizeof(tmp));
|
policy.attribute("path").value(tmp, sizeof(tmp));
|
||||||
root_path.import(tmp);
|
root_path.import(tmp);
|
||||||
} else {
|
} else {
|
||||||
|
Loading…
Reference in New Issue
Block a user