Apply fs-mistrust to logfile directories.

crates/arti-client/src/config.rs

@@ -145,6 +145,7 @@ impl BuilderExt for MistrustBuilder {
 #[derive(Debug, Clone, Builder, Eq, PartialEq)]
 #[builder(build_fn(error = "ConfigBuildError"))]
 #[builder(derive(Debug, Serialize, Deserialize))]
+#[non_exhaustive]
 pub struct StorageConfig {
     /// Location on disk for cached directory information.
     #[builder(setter(into), default = "default_cache_dir()")]
@@ -223,6 +224,7 @@ impl StorageConfig {
 #[derive(Clone, Builder, Debug, Eq, PartialEq, AsRef)]
 #[builder(build_fn(error = "ConfigBuildError"))]
 #[builder(derive(Serialize, Deserialize, Debug))]
+#[non_exhaustive]
 pub struct TorClientConfig {
     /// Information about the Tor network we want to connect to.
     #[builder(sub_builder)]
@@ -318,7 +320,25 @@ impl TorClientConfig {
             override_net_params: self.override_net_params.clone(),
             extensions:          Default::default(),
         })
+    }
 
+    /// Return a reference to the [`fs_mistrust::Mistrust`] object that we'll
+    /// use to check permissions on files and directories by default.
+    ///
+    /// # Usage notes
+    ///
+    /// In the future, specific files or directories may have stricter or looser
+    /// permissions checks applied to them than this default.  Callers shouldn't
+    /// use this [`Mistrust`] to predict what Arti will accept for a specific
+    /// file or directory.  Rather, you should use this if you have some file or
+    /// directory of your own on which you'd like to enforce the same rules as
+    /// Arti uses.
+    //
+    // NOTE: The presence of this accessor is _NOT_ in any form a commitment to
+    // expose every field from the configuration as an accessor.  We explicitly
+    // reject that slippery slope argument.
+    pub fn fs_mistrust(&self) -> &Mistrust {
+        self.storage.permissions()
     }
 }
 

crates/arti/src/cfg.rs

@@ -115,7 +115,7 @@ pub struct ArtiConfig {
     /// Configuration of the actual Tor client
     #[builder(sub_builder)]
     #[builder_field_attr(serde(flatten))]
-    tor: TorClientConfig,
+    pub(crate) tor: TorClientConfig,
 }
 impl_standard_builder! { ArtiConfig }
 

crates/arti/src/lib.rs

@@ -374,7 +374,16 @@ pub fn main_main() -> Result<()> {
 
     let config: ArtiConfig = cfg.try_into().context("read configuration")?;
 
-    let _log_guards = logging::setup_logging(config.logging(), matches.value_of("loglevel"))?;
+    let log_mistrust = if fs_mistrust_disabled {
+        fs_mistrust::Mistrust::new_dangerously_trust_everyone()
+    } else {
+        config.tor.fs_mistrust().clone()
+    };
+    let _log_guards = logging::setup_logging(
+        config.logging(),
+        &log_mistrust,
+        matches.value_of("loglevel"),
+    )?;
 
     if let Some(proxy_matches) = matches.subcommand_matches("proxy") {
         let socks_port = match (

crates/arti/src/logging.rs

@@ -2,6 +2,7 @@
 
 use anyhow::{anyhow, Context, Result};
 use derive_builder::Builder;
+use fs_mistrust::Mistrust;
 use serde::{Deserialize, Serialize};
 use std::path::Path;
 use std::str::FromStr;
@@ -197,6 +198,7 @@ where
 /// dropped when the program exits, to flush buffered messages.
 fn logfile_layer<S>(
     config: &LogfileConfig,
+    mistrust: &Mistrust,
 ) -> Result<(impl Layer<S> + Send + Sync + Sized, WorkerGuard)>
 where
     S: Subscriber + for<'span> tracing_subscriber::registry::LookupSpan<'span> + Send + Sync,
@@ -214,6 +216,7 @@ where
     };
     let path = config.path.path()?;
     let directory = path.parent().unwrap_or_else(|| Path::new("."));
+    mistrust.make_directory(directory)?;
     let fname = path
         .file_name()
         .ok_or_else(|| anyhow!("No path for log file"))
@@ -229,7 +232,10 @@ where
 ///
 /// On success, return that layer along with a list of [`WorkerGuard`]s that
 /// need to be dropped when the program exits.
-fn logfile_layers<S>(config: &LoggingConfig) -> Result<(impl Layer<S>, Vec<WorkerGuard>)>
+fn logfile_layers<S>(
+    config: &LoggingConfig,
+    mistrust: &Mistrust,
+) -> Result<(impl Layer<S>, Vec<WorkerGuard>)>
 where
     S: Subscriber + for<'span> tracing_subscriber::registry::LookupSpan<'span> + Send + Sync,
 {
@@ -240,7 +246,7 @@ where
         return Ok((None, guards));
     }
 
-    let (layer, guard) = logfile_layer(&config.files[0])?;
+    let (layer, guard) = logfile_layer(&config.files[0], mistrust)?;
     guards.push(guard);
 
     // We have to use a dyn pointer here so we can build up linked list of
@@ -248,7 +254,7 @@ where
     let mut layer: Box<dyn Layer<S> + Send + Sync + 'static> = Box::new(layer);
 
     for logfile in &config.files[1..] {
-        let (new_layer, guard) = logfile_layer(logfile)?;
+        let (new_layer, guard) = logfile_layer(logfile, mistrust)?;
         layer = Box::new(layer.and_then(new_layer));
         guards.push(guard);
     }
@@ -272,7 +278,11 @@ pub struct LogGuards {
 ///
 /// Note that the returned LogGuard must be dropped precisely when the program
 /// quits; they're used to ensure that all the log messages are flushed.
-pub fn setup_logging(config: &LoggingConfig, cli: Option<&str>) -> Result<LogGuards> {
+pub fn setup_logging(
+    config: &LoggingConfig,
+    mistrust: &Mistrust,
+    cli: Option<&str>,
+) -> Result<LogGuards> {
     // Important: We have to make sure that the individual layers we add here
     // are not filters themselves.  That means, for example, that we can't add
     // an `EnvFilter` layer unless we want it to apply globally to _all_ layers.
@@ -286,7 +296,7 @@ pub fn setup_logging(config: &LoggingConfig, cli: Option<&str>) -> Result<LogGua
     #[cfg(feature = "journald")]
     let registry = registry.with(journald_layer(config)?);
 
-    let (layer, guards) = logfile_layers(config)?;
+    let (layer, guards) = logfile_layers(config, mistrust)?;
     let registry = registry.with(layer);
 
     registry.init();