From 21642e7edcb632f679a839d2d9ba6afc34d319c8 Mon Sep 17 00:00:00 2001
From: Daeyeon Jeong
Date: Fri, 5 May 2023 04:09:17 +0900
Subject: [PATCH 1/3] src: clarify the parameter name in `Permission::Apply`
This fixes confusing parameter names. They are references to set allow-permission.
Signed-off-by: Daeyeon Jeong
---
 src/permission/child_process_permission.cc | 2 +-
 src/permission/child_process_permission.h | 2 +-
 src/permission/fs_permission.h | 2 +-
 src/permission/permission.h | 2 +-
 src/permission/permission_base.h | 2 +-
 src/permission/worker_permission.cc | 2 +-
 src/permission/worker_permission.h | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index 1c2c5860a6c45d..7151eb15f90da2 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
@@ -9,7 +9,7 @@ namespace permission {
 // Currently, ChildProcess manage a single state
 // Once denied, it's always denied
-void ChildProcessPermission::Apply(const std::string& deny,
+void ChildProcessPermission::Apply(const std::string& allow,
 PermissionScope scope) {
 deny_all_ = true;
 }
diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
index 4a170478eee4a7..b67169f1c4e180 100644
--- a/src/permission/child_process_permission.h
+++ b/src/permission/child_process_permission.h
@@ -12,7 +12,7 @@ namespace permission {
 class ChildProcessPermission final : public PermissionBase {
 public:
- void Apply(const std::string& deny, PermissionScope scope) override;
+ void Apply(const std::string& allow, PermissionScope scope) override;
 bool is_granted(PermissionScope perm,
 const std::string_view& param = "") override;
diff --git a/src/permission/fs_permission.h b/src/permission/fs_permission.h
index f393c6a042e662..7ac987c7118ca1 100644
--- a/src/permission/fs_permission.h
+++ b/src/permission/fs_permission.h
@@ -16,7 +16,7 @@ namespace permission {
 class FSPermission final : public PermissionBase {
 public:
- void Apply(const std::string& deny, PermissionScope scope) override;
+ void Apply(const std::string& allow, PermissionScope scope) override;
 bool is_granted(PermissionScope perm, const std::string_view& param) override;
 // For debugging purposes, use the gist function to print the whole tree
diff --git a/src/permission/permission.h b/src/permission/permission.h
index 72928f853c4b87..61341ab29134f2 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -46,7 +46,7 @@ class Permission {
 const std::string_view& res);
 // CLI Call
- void Apply(const std::string& deny, PermissionScope scope);
+ void Apply(const std::string& allow, PermissionScope scope);
 void EnablePermissions();
 private:
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index c02b1917a6faab..86fefa06e65c57 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -36,7 +36,7 @@ enum class PermissionScope {
 class PermissionBase {
 public:
- virtual void Apply(const std::string& deny, PermissionScope scope) = 0;
+ virtual void Apply(const std::string& allow, PermissionScope scope) = 0;
 virtual bool is_granted(PermissionScope perm,
 const std::string_view& param = "") = 0;
 };
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index 16356be17b39e9..69c89a4a4fea87 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -9,7 +9,7 @@ namespace permission {
 // Currently, PolicyDenyWorker manage a single state
 // Once denied, it's always denied
-void WorkerPermission::Apply(const std::string& deny, PermissionScope scope) {
+void WorkerPermission::Apply(const std::string& allow, PermissionScope scope) {
 deny_all_ = true;
 }
diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
index 4d714cfb5d718b..71681a4485a82f 100644
--- a/src/permission/worker_permission.h
+++ b/src/permission/worker_permission.h
@@ -12,7 +12,7 @@ namespace permission {
 class WorkerPermission final : public PermissionBase {
 public:
- void Apply(const std::string& deny, PermissionScope scope) override;
+ void Apply(const std::string& allow, PermissionScope scope) override;
 bool is_granted(PermissionScope perm,
 const std::string_view& param = "") override;
From 72cab6703fee5d0a43084a64e6d85cd2b4cc7d8a Mon Sep 17 00:00:00 2001
From: Daeyeon Jeong
Date: Fri, 5 May 2023 23:11:40 +0900
Subject: [PATCH 2/3] src: rename the variable storing permission for child_process and worker
Signed-off-by: Daeyeon Jeong
---
 src/env.cc | 4 ++--
 src/permission/child_process_permission.cc | 4 ++--
 src/permission/child_process_permission.h | 2 +-
 src/permission/worker_permission.cc | 4 ++--
 src/permission/worker_permission.h | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/env.cc b/src/env.cc
index ff8d3952cf20a3..93d3b6b2302c2c 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -796,10 +796,10 @@ Environment::Environment(IsolateData* isolate_data,
 // spawn/worker nor use addons unless explicitly allowed by the user
 if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
 options_->allow_native_addons = false;
- if (!options_->allow_child_process) {
+ if (options_->allow_child_process) {
 permission()->Apply("*", permission::PermissionScope::kChildProcess);
 }
- if (!options_->allow_worker_threads) {
+ if (options_->allow_worker_threads) {
 permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
 }
 }
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index 7151eb15f90da2..e231dbd3785a97 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
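Review bot: The two grants in the env.cc hunk stay nested under the `if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty())` check after the conditions are flipped, so a run that sets `allow_child_process` or `allow_worker_threads` without an fs allow-list never reaches `Apply("*", …)`. With the `is_all_allowed_{false}` default that the header hunks of this patch add, `is_granted()` would then return false for a scope the user explicitly allowed. If deny-by-default is the intent, the grants should sit outside the fs-conditional, e.g. `if (options_->allow_child_process) permission()->Apply("*", permission::PermissionScope::kChildProcess);` placed before it, and likewise for `kWorkerThreads`. The constructor body starts and ends outside the hunk, so an earlier guard that changes this is not visible here.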
@@ -11,12 +11,12 @@ namespace permission {
 // Once denied, it's always denied
 void ChildProcessPermission::Apply(const std::string& allow,
 PermissionScope scope) {
- deny_all_ = true;
+ is_all_allowed_ = true;
 }
 bool ChildProcessPermission::is_granted(PermissionScope perm,
 const std::string_view& param) {
- return deny_all_ == false;
+ return is_all_allowed_;
 }
 } // namespace permission
diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
index b67169f1c4e180..561708d211253b 100644
--- a/src/permission/child_process_permission.h
+++ b/src/permission/child_process_permission.h
@@ -17,7 +17,7 @@ class ChildProcessPermission final : public PermissionBase {
 const std::string_view& param = "") override;
 private:
- bool deny_all_;
+ bool is_all_allowed_{false};
 };
 } // namespace permission
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index 69c89a4a4fea87..de3e1b949dfe87 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -10,12 +10,12 @@ namespace permission {
 // Currently, PolicyDenyWorker manage a single state
 // Once denied, it's always denied
 void WorkerPermission::Apply(const std::string& allow, PermissionScope scope) {
- deny_all_ = true;
+ is_all_allowed_ = true;
 }
 bool WorkerPermission::is_granted(PermissionScope perm,
 const std::string_view& param) {
- return deny_all_ == false;
+ return is_all_allowed_;
 }
 } // namespace permission
diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
index 71681a4485a82f..ed03ffc42e49ca 100644
--- a/src/permission/worker_permission.h
+++ b/src/permission/worker_permission.h
@@ -17,7 +17,7 @@ class WorkerPermission final : public PermissionBase {
 const std::string_view& param = "") override;
 private:
- bool deny_all_;
+ bool is_all_allowed_{false};
 };
 } // namespace permission
From 27ecc9f3b4d90ae311b3a7791e4f2b6656963ee8 Mon Sep 17 00:00:00 2001
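Review bot: The comment `// Once denied, it's always denied` above `ChildProcessPermission::Apply` in child_process_permission.cc is now wrong, because the body sets `is_all_allowed_ = true` and the call therefore grants the scope instead of denying it. The same stale comment sits above `WorkerPermission::Apply` in worker_permission.cc, next to a line that still says `PolicyDenyWorker`. I would replace it with `// Once allowed, it's always allowed` and add `// |allow| and |scope| are ignored: this scope is all-or-nothing`, since neither argument is read in the visible bodies.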
From: Daeyeon Jeong
Date: Sat, 6 May 2023 01:16:21 +0900
Subject: [PATCH 3/3] Revert "src: rename the variable storing permission for child_process and worker"
This reverts commit 72cab6703fee5d0a43084a64e6d85cd2b4cc7d8a.
Signed-off-by: Daeyeon Jeong
---
 src/env.cc | 4 ++--
 src/permission/child_process_permission.cc | 4 ++--
 src/permission/child_process_permission.h | 2 +-
 src/permission/worker_permission.cc | 4 ++--
 src/permission/worker_permission.h | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/env.cc b/src/env.cc
index 93d3b6b2302c2c..ff8d3952cf20a3 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -796,10 +796,10 @@ Environment::Environment(IsolateData* isolate_data,
 // spawn/worker nor use addons unless explicitly allowed by the user
 if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
 options_->allow_native_addons = false;
- if (options_->allow_child_process) {
+ if (!options_->allow_child_process) {
 permission()->Apply("*", permission::PermissionScope::kChildProcess);
 }
- if (options_->allow_worker_threads) {
+ if (!options_->allow_worker_threads) {
 permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
 }
 }
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index e231dbd3785a97..7151eb15f90da2 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
@@ -11,12 +11,12 @@ namespace permission {
 // Once denied, it's always denied
 void ChildProcessPermission::Apply(const std::string& allow,
 PermissionScope scope) {
- is_all_allowed_ = true;
+ deny_all_ = true;
 }
 bool ChildProcessPermission::is_granted(PermissionScope perm,
 const std::string_view& param) {
- return is_all_allowed_;
+ return deny_all_ == false;
 }
 } // namespace permission
diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
index 561708d211253b..b67169f1c4e180 100644
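Review bot: After this revert `ChildProcessPermission::Apply` in child_process_permission.cc takes a parameter named `allow` yet sets `deny_all_ = true`, and the env.cc hunk calls it only when `!options_->allow_child_process`, so the parameter name says the opposite of what the call does. In a permission check that mismatch makes an inverted condition easy to introduce at the next edit. A comment above the definition such as `// Apply() denies this scope; the |allow| argument is ignored` would state the contract. The same applies to `WorkerPermission::Apply` in worker_permission.cc.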
--- a/src/permission/child_process_permission.h
+++ b/src/permission/child_process_permission.h
@@ -17,7 +17,7 @@ class ChildProcessPermission final : public PermissionBase {
 const std::string_view& param = "") override;
 private:
- bool is_all_allowed_{false};
+ bool deny_all_;
 };
 } // namespace permission
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index de3e1b949dfe87..69c89a4a4fea87 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -10,12 +10,12 @@ namespace permission {
 // Currently, PolicyDenyWorker manage a single state
 // Once denied, it's always denied
 void WorkerPermission::Apply(const std::string& allow, PermissionScope scope) {
- is_all_allowed_ = true;
+ deny_all_ = true;
 }
 bool WorkerPermission::is_granted(PermissionScope perm,
 const std::string_view& param) {
- return is_all_allowed_;
+ return deny_all_ == false;
 }
 } // namespace permission
diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
index ed03ffc42e49ca..71681a4485a82f 100644
--- a/src/permission/worker_permission.h
+++ b/src/permission/worker_permission.h
@@ -17,7 +17,7 @@ class WorkerPermission final : public PermissionBase {
 const std::string_view& param = "") override;
 private:
- bool is_all_allowed_{false};
+ bool deny_all_;
 };
 } // namespace permission
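Review bot: `bool deny_all_;` in child_process_permission.h is left without an initializer once the `{false}` default is reverted, while `is_granted()` returns `deny_all_ == false` and the env.cc hunk calls `Apply()` only when the scope is not allowed. Unless every instance is value-initialized where it is constructed (not visible in this patch), an allowed scope reads an indeterminate bool in its permission check. Keeping a default on the restored member, `bool deny_all_{false};`, removes that dependency; worker_permission.h has the same member.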