mirror of
https://github.com/genodelabs/genode.git
synced 2024-12-20 22:23:16 +00:00
Chroot: change root to explicit prefix and label sub-dirs
Change the root of a session request into an explicit path and apply the label-to-path conversion using the "path_prefix" policy attribute. This is in addition to only applying a root change with a "path" attribute. Ref #3031 Fix #3056
This commit is contained in:
parent
74f2954013
commit
447329eaee
@ -6,8 +6,10 @@ hierarchy of directories.
|
||||
Sessions matching policies with _path_ attributes will be "chrooted" to the
|
||||
configured policy path, sessions not matching policies with _path_ attributes
|
||||
will be chrooted into paths formed from each session label element. Sessions
|
||||
requests are downgraded to read-only requests unless matched by polices
|
||||
with an affirmative _writeable_ attribute. Sessions not matching any
|
||||
matching polices with a _path_prefix_ attribute are both rooted at the
|
||||
attribute path and in sub-directories formed by the session label.
|
||||
Sessions requests are downgraded to read-only requests unless matched by
|
||||
polices with an affirmative _writeable_ attribute. Sessions not matching any
|
||||
policy are rejected.
|
||||
|
||||
Please note that this server is only effective for File_system servers that
|
||||
|
@ -112,8 +112,13 @@ struct Chroot::Main
|
||||
Session_label const label = label_from_args(args.string());
|
||||
Session_policy const policy(label, config_rom.xml());
|
||||
|
||||
if (policy.has_attribute("path_prefix")) {
|
||||
/* Use a chroot path from policy and label sub-directories */
|
||||
policy.attribute("path_prefix").value(tmp, sizeof(tmp));
|
||||
root_path.import(tmp);
|
||||
root_path.append(path_from_label<Path>(label.string()).string());
|
||||
} else if (policy.has_attribute("path")) {
|
||||
/* Use a chroot path from policy */
|
||||
if (policy.has_attribute("path")) {
|
||||
policy.attribute("path").value(tmp, sizeof(tmp));
|
||||
root_path.import(tmp);
|
||||
} else {
|
||||
|
Loading…
Reference in New Issue
Block a user