/// Disqualify files that are accessible at all by anyone other than the current user (or root, which can accesss everything.)
/// Disqualify files that are accessible at all by anyone other than the current user (or root, which can accesss everything.)
constUSER_ACCESSIBLE_ONLY=1<<6;
constUSER_ACCESSIBLE_ONLY=1<<6;
/// Disallow *all* untrusted files.
/// Disallow *all* untrusted files.
@ -124,11 +126,60 @@ pub mod locations {
}
}
set!($name=>|_,_|_panic_with_msg())
set!($name=>|_,_|_panic_with_msg())
};
};
($name:ident: $($func_body:tt)+)=>{
/*FUCK THIS, I HATE ITERATON IN MACROS< WHY DOES IT HAVE TO BE SO RECURSIVELY LEAKILY RETARDED AAAA(@ compose ($f_name:ident, $f_file:ident) via $operator:tt $ignore:tt; $first:ident, $second:ident $($rest:tt)*)
//XXX: Should we use process's UID or EUID? It seems we should use EUID.
fngeteuid()-> u32;// uid_t
}
// SAFETY: This is a pure function for all that matters.
letuser_id=unsafe{geteuid()};
path.metadata()
path.metadata()
.map(move|meta|meta.uid()==user_id)
.map(move|meta|check_uid::<true>(meta.uid()))
.unwrap_or(false)
.unwrap_or(false)
});
});
set!(USER_ACCESSIBLE_ONLY=>|path,_|{
set!(USER_ACCESSIBLE_ONLY=>|path,_|{
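Review bot: The new `check_uid::<true>(meta.uid())` call hides the real-versus-effective UID decision behind a bare `true`, while the `//XXX: Should we use process's UID or EUID?` question is still open just above it. That choice decides whose files count as trusted when the process runs with a different effective UID, so it should be named and documented rather than repeated as a literal. The same literal appears in the USER_OR_ROOT_OWNED closure in the next hunk. If the `USE_EFFECTIVE_UID` mentioned in the commented-out line there is an actual constant, prefer `check_uid::<USE_EFFECTIVE_UID>(meta.uid())` at both sites, with a comment such as `// effective UID: trust follows the privileges the process is running with`. Separately, `path.metadata()` follows symlinks, so the owner compared is the link target's; a one-line comment saying whether that is intended would help, since the closure body is only partly visible here.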
@ -192,6 +238,19 @@ pub mod locations {
.map(|meta|!meta.permissions().mode()&OTHER_ACCESSORS==0)//XXX: Test this
.map(|meta|!meta.permissions().mode()&OTHER_ACCESSORS==0)//XXX: Test this
.unwrap_or(false)
.unwrap_or(false)
});
});
set!(USER_OR_ROOT_OWNED=>|path,_|{
usestd::os::unix::fs::MetadataExtas_;
//let user_id = get_uid::<USE_EFFECTIVE_UID>();
path.metadata()
.map(move|meta|matchmeta.uid(){
0=>true,
uidifcheck_uid::<true>(uid)=>true,
_=>false
})
.unwrap_or(false)
});
//set!(USER_OR_ROOT_OWNED; use || => USER_OWNED_ONLY, ROOT_OWNED_ONLY);
//TODO: Composition of functions should be done via OR, how to insert all possible compositions into table? We get confusing error messages when we try inside `set!()`
//TODO: Composition of functions should be done via OR, how to insert all possible compositions into table? We get confusing error messages when we try inside `set!()`
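Review bot: The permission test `!meta.permissions().mode()&OTHER_ACCESSORS==0`, still marked `//XXX: Test this`, looks inverted. In Rust, unary `!` binds tighter than `&`, and `&` binds tighter than `==`, so it parses as `((!mode) & OTHER_ACCESSORS) == 0`, which is true only when every bit of the mask is set in the mode. Assuming `OTHER_ACCESSORS` is the group/other permission mask (its definition is not in this hunk), USER_ACCESSIBLE_ONLY would then accept a file open to everyone and reject a `0o600` one, the opposite of its doc comment. The line should read `.map(|meta| meta.permissions().mode() & OTHER_ACCESSORS == 0)`, with a test that a `0o600` file passes and a `0o644` file fails. The closure this line belongs to opens at the end of the previous hunk.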