chore: improve accessing special file test (#25099)

2025-08-04 10:59:13 +00:00 · 2024-08-19 16:21:27 -04:00 · 2024-08-19 16:21:27 -04:00 · bf510544ef
commit bf510544ef
parent ee2b6899a1
4 changed files with 59 additions and 35 deletions
--- a/runtime/permissions/lib.rs
+++ b/runtime/permissions/lib.rs
@ -2241,7 +2241,50 @@ pub fn create_child_permissions(
  main_perms: &mut Permissions,
  child_permissions_arg: ChildPermissionsArg,
 ) -> Result<Permissions, AnyError> {
+  fn is_granted_unary(arg: &ChildUnaryPermissionArg) -> bool {
+    match arg {
+      ChildUnaryPermissionArg::Inherit | ChildUnaryPermissionArg::Granted => {
+        true
+      }
+      ChildUnaryPermissionArg::NotGranted
+      | ChildUnaryPermissionArg::GrantedList(_) => false,
+    }
+  }
+
+  fn is_granted_unit(arg: &ChildUnitPermissionArg) -> bool {
+    match arg {
+      ChildUnitPermissionArg::Inherit | ChildUnitPermissionArg::Granted => true,
+      ChildUnitPermissionArg::NotGranted => false,
+    }
+  }
+
  let mut worker_perms = Permissions::none_without_prompt();
+
+  worker_perms.all = main_perms
+    .all
+    .create_child_permissions(ChildUnitPermissionArg::Inherit)?;
+
+  // downgrade the `worker_perms.all` based on the other values
+  if worker_perms.all.query() == PermissionState::Granted {
+    let unary_perms = [
+      &child_permissions_arg.read,
+      &child_permissions_arg.write,
+      &child_permissions_arg.net,
+      &child_permissions_arg.env,
+      &child_permissions_arg.sys,
+      &child_permissions_arg.run,
+      &child_permissions_arg.ffi,
+    ];
+    let unit_perms = [&child_permissions_arg.hrtime];
+    let allow_all = unary_perms.into_iter().all(is_granted_unary)
+      && unit_perms.into_iter().all(is_granted_unit);
+    if !allow_all {
+      worker_perms.all.revoke();
+    }
+  }
+
+  // WARNING: When adding a permission here, ensure it is handled
+  // in the worker_perms.all block above
  worker_perms.read = main_perms
    .read
    .create_child_permissions(child_permissions_arg.read)?;
@ -2266,9 +2309,6 @@ pub fn create_child_permissions(
  worker_perms.hrtime = main_perms
    .hrtime
    .create_child_permissions(child_permissions_arg.hrtime)?;
-  worker_perms.all = main_perms
-    .all
-    .create_child_permissions(ChildUnitPermissionArg::Inherit)?;

  Ok(worker_perms)
 }