Loading crates/fs-mistrust/Cargo.toml +3 −1 Original line number Diff line number Diff line Loading @@ -23,9 +23,11 @@ walkdir = { version = "2", optional = true } [target.'cfg(unix)'.dependencies] libc = "0.2" users = "0.11" once_cell = "1" [target.'cfg(all(unix, not(target_os="ios")))'.dependencies] users = "0.11" [dev-dependencies] anyhow = "1.0.23" serde_json = "1.0.50" Loading crates/fs-mistrust/semver.md +1 −0 Original line number Diff line number Diff line MODIFIED: New facilities to configure how we look at the environment. BREAKING: Some functions and types were remove when targeting iOS. crates/fs-mistrust/src/imp.rs +18 −3 Original line number Diff line number Diff line Loading @@ -166,6 +166,8 @@ impl<'a> super::Verifier<'a> { /// Check whether a given file has the correct ownership and permissions, /// and push errors into `errors` if not. Other inputs are as for /// `check_one`. /// /// On iOS, check permissions but assumes the owner is the current user. #[cfg(target_family = "unix")] fn check_permissions( &self, Loading @@ -178,10 +180,14 @@ impl<'a> super::Verifier<'a> { // always change the permissions of the object. (If we're talking // about a directory, the owner cah change the permissions and owner // of anything in the directory.) #[cfg(not(target_os = "ios"))] { let uid = meta.uid(); if uid != 0 && Some(uid) != self.mistrust.trust_user { errors.push(Error::BadOwner(path.into(), uid)); } } // On Unix-like platforms, symlink permissions are ignored (and usually // not settable). Theoretically, the symlink owner shouldn't matter, but Loading Loading @@ -219,9 +225,18 @@ impl<'a> super::Verifier<'a> { } }; // If we trust the GID, then we allow even more bits to be set. #[cfg(not(target_os = "ios"))] if self.mistrust.trust_group == Some(meta.gid()) { forbidden_bits &= !0o070; } // rational: on iOS the platform already protect user data, and not setting this poses // issue with the default application data folder. #[cfg(target_os = "ios")] { forbidden_bits &= !0o070; } let bad_bits = meta.mode() & forbidden_bits; if bad_bits != 0 { errors.push(Error::BadPermission( Loading crates/fs-mistrust/src/lib.rs +6 −6 Original line number Diff line number Diff line Loading @@ -283,7 +283,7 @@ mod dir; mod disable; mod err; mod imp; #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] mod user; #[cfg(test)] Loading @@ -305,7 +305,7 @@ pub use err::Error; /// A result type as returned by this crate pub type Result<T> = std::result::Result<T, Error>; #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub use user::{TrustedGroup, TrustedUser}; /// Configuration for verifying that a file or directory is really "private". Loading Loading @@ -361,7 +361,7 @@ pub struct Mistrust { status: disable::Status, /// What user ID do we trust by default (if any?) #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] #[builder( setter(into), field(type = "TrustedUser", build = "self.trust_user.get_uid()?") Loading @@ -369,7 +369,7 @@ pub struct Mistrust { trust_user: Option<u32>, /// What group ID do we trust by default (if any?) #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] #[builder( setter(into), field(type = "TrustedGroup", build = "self.trust_group.get_gid()?") Loading Loading @@ -400,7 +400,7 @@ impl MistrustBuilder { /// trusted. /// /// This option disables the default group-trust behavior as well. #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub fn trust_admin_only(&mut self) -> &mut Self { self.trust_user = TrustedUser::None; self.trust_group = TrustedGroup::None; Loading @@ -415,7 +415,7 @@ impl MistrustBuilder { /// With this option set, no group is trusted, and and any group-readable or /// group-writable objects are treated the same as world-readable and /// world-writable objects respectively. #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub fn trust_no_group_id(&mut self) -> &mut Self { self.trust_group = TrustedGroup::None; self Loading crates/tor-circmgr/src/mgr.rs +6 −4 Original line number Diff line number Diff line Loading @@ -1325,17 +1325,19 @@ impl<B: AbstractCircBuilder + 'static, R: Runtime> AbstractCircMgr<B, R> { /// no longer be given out for new circuits. pub(crate) fn expire_circs(&self, now: Instant) { let mut list = self.circs.lock().expect("poisoned lock"); let dirty_cutoff = now - self.circuit_timing().max_dirtiness; if let Some(dirty_cutoff) = now.checked_sub(self.circuit_timing().max_dirtiness) { list.expire_circs(now, dirty_cutoff); } } /// Consider expiring the circuit with given circuit `id`, /// according to the rules in `config` and the current time `now`. pub(crate) fn expire_circ(&self, circ_id: &<B::Circ as AbstractCirc>::Id, now: Instant) { let mut list = self.circs.lock().expect("poisoned lock"); let dirty_cutoff = now - self.circuit_timing().max_dirtiness; if let Some(dirty_cutoff) = now.checked_sub(self.circuit_timing().max_dirtiness) { list.expire_circ(circ_id, now, dirty_cutoff); } } /// Return the number of open circuits held by this circuit manager. pub(crate) fn n_circs(&self) -> usize { Loading Loading
crates/fs-mistrust/Cargo.toml +3 −1 Original line number Diff line number Diff line Loading @@ -23,9 +23,11 @@ walkdir = { version = "2", optional = true } [target.'cfg(unix)'.dependencies] libc = "0.2" users = "0.11" once_cell = "1" [target.'cfg(all(unix, not(target_os="ios")))'.dependencies] users = "0.11" [dev-dependencies] anyhow = "1.0.23" serde_json = "1.0.50" Loading
crates/fs-mistrust/semver.md +1 −0 Original line number Diff line number Diff line MODIFIED: New facilities to configure how we look at the environment. BREAKING: Some functions and types were remove when targeting iOS.
crates/fs-mistrust/src/imp.rs +18 −3 Original line number Diff line number Diff line Loading @@ -166,6 +166,8 @@ impl<'a> super::Verifier<'a> { /// Check whether a given file has the correct ownership and permissions, /// and push errors into `errors` if not. Other inputs are as for /// `check_one`. /// /// On iOS, check permissions but assumes the owner is the current user. #[cfg(target_family = "unix")] fn check_permissions( &self, Loading @@ -178,10 +180,14 @@ impl<'a> super::Verifier<'a> { // always change the permissions of the object. (If we're talking // about a directory, the owner cah change the permissions and owner // of anything in the directory.) #[cfg(not(target_os = "ios"))] { let uid = meta.uid(); if uid != 0 && Some(uid) != self.mistrust.trust_user { errors.push(Error::BadOwner(path.into(), uid)); } } // On Unix-like platforms, symlink permissions are ignored (and usually // not settable). Theoretically, the symlink owner shouldn't matter, but Loading Loading @@ -219,9 +225,18 @@ impl<'a> super::Verifier<'a> { } }; // If we trust the GID, then we allow even more bits to be set. #[cfg(not(target_os = "ios"))] if self.mistrust.trust_group == Some(meta.gid()) { forbidden_bits &= !0o070; } // rational: on iOS the platform already protect user data, and not setting this poses // issue with the default application data folder. #[cfg(target_os = "ios")] { forbidden_bits &= !0o070; } let bad_bits = meta.mode() & forbidden_bits; if bad_bits != 0 { errors.push(Error::BadPermission( Loading
crates/fs-mistrust/src/lib.rs +6 −6 Original line number Diff line number Diff line Loading @@ -283,7 +283,7 @@ mod dir; mod disable; mod err; mod imp; #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] mod user; #[cfg(test)] Loading @@ -305,7 +305,7 @@ pub use err::Error; /// A result type as returned by this crate pub type Result<T> = std::result::Result<T, Error>; #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub use user::{TrustedGroup, TrustedUser}; /// Configuration for verifying that a file or directory is really "private". Loading Loading @@ -361,7 +361,7 @@ pub struct Mistrust { status: disable::Status, /// What user ID do we trust by default (if any?) #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] #[builder( setter(into), field(type = "TrustedUser", build = "self.trust_user.get_uid()?") Loading @@ -369,7 +369,7 @@ pub struct Mistrust { trust_user: Option<u32>, /// What group ID do we trust by default (if any?) #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] #[builder( setter(into), field(type = "TrustedGroup", build = "self.trust_group.get_gid()?") Loading Loading @@ -400,7 +400,7 @@ impl MistrustBuilder { /// trusted. /// /// This option disables the default group-trust behavior as well. #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub fn trust_admin_only(&mut self) -> &mut Self { self.trust_user = TrustedUser::None; self.trust_group = TrustedGroup::None; Loading @@ -415,7 +415,7 @@ impl MistrustBuilder { /// With this option set, no group is trusted, and and any group-readable or /// group-writable objects are treated the same as world-readable and /// world-writable objects respectively. #[cfg(target_family = "unix")] #[cfg(all(target_family = "unix", not(target_os = "ios")))] pub fn trust_no_group_id(&mut self) -> &mut Self { self.trust_group = TrustedGroup::None; self Loading
crates/tor-circmgr/src/mgr.rs +6 −4 Original line number Diff line number Diff line Loading @@ -1325,17 +1325,19 @@ impl<B: AbstractCircBuilder + 'static, R: Runtime> AbstractCircMgr<B, R> { /// no longer be given out for new circuits. pub(crate) fn expire_circs(&self, now: Instant) { let mut list = self.circs.lock().expect("poisoned lock"); let dirty_cutoff = now - self.circuit_timing().max_dirtiness; if let Some(dirty_cutoff) = now.checked_sub(self.circuit_timing().max_dirtiness) { list.expire_circs(now, dirty_cutoff); } } /// Consider expiring the circuit with given circuit `id`, /// according to the rules in `config` and the current time `now`. pub(crate) fn expire_circ(&self, circ_id: &<B::Circ as AbstractCirc>::Id, now: Instant) { let mut list = self.circs.lock().expect("poisoned lock"); let dirty_cutoff = now - self.circuit_timing().max_dirtiness; if let Some(dirty_cutoff) = now.checked_sub(self.circuit_timing().max_dirtiness) { list.expire_circ(circ_id, now, dirty_cutoff); } } /// Return the number of open circuits held by this circuit manager. pub(crate) fn n_circs(&self) -> usize { Loading