mirror of
https://github.com/RGBCube/serenity
synced 2025-05-31 12:08:12 +00:00
718ae68621
To accomplish this, we add another VeilState which is called LockedInherited. The idea is to apply exec unveil data, similar to execpromises of the pledge syscall, on the current exec'ed program during the execve sequence. When applying the forced unveil data, the veil state is set to be locked but the special state of LockedInherited ensures that if the new program tries to unveil paths, the request will silently be ignored, so the program will continue running without receiving an error, but is still can only use the paths that were unveiled before the exec syscall. This in turn, allows us to use the unveil syscall with a special utility to sandbox other userland programs in terms of what is visible to them on the filesystem, and is usable on both programs that use or don't use the unveil syscall in their code. |
||
|---|---|---|
| .. | ||
| Subsystems | ||
| Component.cpp | ||
| Component.h | ||
| DirectoryInode.cpp | ||
| DirectoryInode.h | ||
| FileSystem.cpp | ||
| FileSystem.h | ||
| Inode.cpp | ||
| Inode.h | ||
| LinkInode.cpp | ||
| LinkInode.h | ||
| Registry.cpp | ||
| Registry.h | ||
| RootDirectory.cpp | ||
| RootDirectory.h | ||