internal/app: hold path hiding in op
This makes no sense to be part of the global state. Signed-off-by: Ophestra <cat@gensokyo.uk>
parent
776650af01
commit
f6dd9dab6a
@ -57,9 +57,6 @@ type outcomeState struct {
|
|||||||
sc hst.Paths
|
sc hst.Paths
|
||||||
*EnvPaths
|
*EnvPaths
|
||||||
|
|
||||||
// Matched paths to cover. Populated by spFilesystemOp.
|
|
||||||
HidePaths []*check.Absolute
|
|
||||||
|
|
||||||
// Copied via populateLocal.
|
// Copied via populateLocal.
|
||||||
k syscallDispatcher
|
k syscallDispatcher
|
||||||
// Copied via populateLocal.
|
// Copied via populateLocal.
|
||||||
@ -154,7 +151,7 @@ type outcomeStateSys struct {
|
|||||||
directWayland bool
|
directWayland bool
|
||||||
// Copied header from [hst.Config]. Safe for read by spFinalOp.toSystem only.
|
// Copied header from [hst.Config]. Safe for read by spFinalOp.toSystem only.
|
||||||
extraPerms []*hst.ExtraPermConfig
|
extraPerms []*hst.ExtraPermConfig
|
||||||
// Copied address from [hst.Config. Safe for read by spDBusOp.toSystem only.
|
// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
|
||||||
sessionBus, systemBus *hst.BusConfig
|
sessionBus, systemBus *hst.BusConfig
|
||||||
|
|
||||||
sys *system.I
|
sys *system.I
|
||||||
@ -255,7 +252,7 @@ func (state *outcomeStateSys) toSystem() error {
|
|||||||
&spParamsOp{},
|
&spParamsOp{},
|
||||||
|
|
||||||
// TODO(ophestra): move this late for #8 and #9
|
// TODO(ophestra): move this late for #8 and #9
|
||||||
spFilesystemOp{},
|
&spFilesystemOp{},
|
||||||
|
|
||||||
spRuntimeOp{},
|
spRuntimeOp{},
|
||||||
spTmpdirOp{},
|
spTmpdirOp{},
|
||||||
|
@ -117,12 +117,15 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() { gob.Register(spFilesystemOp{}) }
|
func init() { gob.Register(new(spFilesystemOp)) }
|
||||||
|
|
||||||
// spFilesystemOp applies configured filesystems to [container.Params], excluding the optional root filesystem.
|
// spFilesystemOp applies configured filesystems to [container.Params], excluding the optional root filesystem.
|
||||||
type spFilesystemOp struct{}
|
type spFilesystemOp struct {
|
||||||
|
// Matched paths to cover. Stored during toSystem.
|
||||||
|
HidePaths []*check.Absolute
|
||||||
|
}
|
||||||
|
|
||||||
func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
|
func (s *spFilesystemOp) toSystem(state *outcomeStateSys) error {
|
||||||
/* retrieve paths and hide them if they're made available in the sandbox;
|
/* retrieve paths and hide them if they're made available in the sandbox;
|
||||||
|
|
||||||
this feature tries to improve user experience of permissive defaults, and
|
this feature tries to improve user experience of permissive defaults, and
|
||||||
@ -253,7 +256,7 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
|
|||||||
}
|
}
|
||||||
return newWithMessage("invalid path hiding candidate " + strconv.Quote(absoluteError.Pathname))
|
return newWithMessage("invalid path hiding candidate " + strconv.Quote(absoluteError.Pathname))
|
||||||
} else {
|
} else {
|
||||||
state.HidePaths = append(state.HidePaths, a)
|
s.HidePaths = append(s.HidePaths, a)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -261,7 +264,7 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s spFilesystemOp) toContainer(state *outcomeStateParams) error {
|
func (s *spFilesystemOp) toContainer(state *outcomeStateParams) error {
|
||||||
for i, c := range state.filesystem {
|
for i, c := range state.filesystem {
|
||||||
if !c.Valid() {
|
if !c.Valid() {
|
||||||
return newWithMessage("invalid filesystem at index " + strconv.Itoa(i))
|
return newWithMessage("invalid filesystem at index " + strconv.Itoa(i))
|
||||||
@ -269,7 +272,7 @@ func (s spFilesystemOp) toContainer(state *outcomeStateParams) error {
|
|||||||
c.Apply(&state.as)
|
c.Apply(&state.as)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, a := range state.HidePaths {
|
for _, a := range s.HidePaths {
|
||||||
state.params.Tmpfs(a, 1<<13, 0755)
|
state.params.Tmpfs(a, 1<<13, 0755)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
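Review bot: `HidePaths` on `spFilesystemOp` is now the only link between `toSystem`, which appends the matched paths, and `toContainer`, which covers each of them with a tmpfs, and the field comment does not say so. Because the type is registered with gob, the field presumably has to stay exported for the list to survive encoding. If it were unexported, or if the op were re-created between the two phases, the loop in `toContainer` would range over an empty slice and the paths would stay visible in the sandbox without any error. I would extend the comment to `// Matched paths to cover. Stored during toSystem, read by toContainer; exported so gob carries it between the two.` and add a gob round-trip test asserting that a populated `HidePaths` decodes unchanged. Both method bodies continue outside the hunks shown.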