Shell: Limit the access of processes spawned for autocompletion

This commit limits the autocomplete processes to effectively have readonly access to the fs, and only enough pledges to get the dynamic loader working.
2025-07-25 15:07:45 +00:00 · 2022-03-25 01:19:48 +04:30 · 2022-03-25 01:19:48 +04:30 · f12d81ddf5
commit f12d81ddf5
parent 8233da3398
2 changed files with 51 additions and 0 deletions
--- a/Userland/Shell/Shell.h
+++ b/Userland/Shell/Shell.h
@ -159,6 +159,41 @@ public:
    [[nodiscard]] Frame push_frame(String name);
    void pop_frame();

+    struct Promise {
+        struct Data {
+            struct Unveil {
+                String path;
+                String access;
+            };
+            String exec_promises;
+            Vector<Unveil> unveils;
+        } data;
+
+        IntrusiveListNode<Promise> node;
+        using List = IntrusiveList<&Promise::node>;
+    };
+
+    struct ScopedPromise {
+        ScopedPromise(Promise::List& promises, Promise&& promise)
+            : promises(promises)
+            , promise(move(promise))
+        {
+            promises.append(this->promise);
+        }
+
+        ~ScopedPromise()
+        {
+            promises.remove(promise);
+        }
+
+        Promise::List& promises;
+        Promise promise;
+    };
+    [[nodiscard]] ScopedPromise promise(Promise::Data data)
+    {
+        return { m_active_promises, { move(data), {} } };
+    }
+
    enum class EscapeMode {
        Bareword,
        SingleQuotedString,
@ -362,6 +397,7 @@ private:

    HashMap<String, ShellFunction> m_functions;
    NonnullOwnPtrVector<LocalFrame> m_local_frames;
+    Promise::List m_active_promises;
    NonnullRefPtrVector<AST::Redirection> m_global_redirections;

    HashMap<String, String> m_aliases;