~alip/syd

72a1d7efc90a392df14f144c7605f9419247ec00 — Ali Polatel a month ago 6f3443b
hook,sandbox: do not hide memfds
2 files changed, 11 insertions(+), 1 deletions(-)

M src/hook.rs
M src/sandbox.rs
M src/hook.rs => src/hook.rs +6 -1
@@ 4638,7 4638,12 @@ fn sandbox_path_1(

    // Check if path is hidden for stat sandbox compat.
    // Do this only when we want to report the access violation.
    let hidden = if !filter && action == Action::Deny && !caps.contains(Capability::CAP_STAT) {
    // Do not do hidden check for memory fds.
    let hidden = if !filter
        && action == Action::Deny
        && !Capability::mem(syscall_name)
        && !caps.contains(Capability::CAP_STAT)
    {
        request.is_hidden(sandbox, path)
    } else {
        false

M src/sandbox.rs => src/sandbox.rs +5 -0
@@ 1016,6 1016,11 @@ impl Capability {
                | "inotify_add_watch"
        )
    }

    #[inline]
    pub(crate) fn mem(syscall_name: &str) -> bool {
        syscall_name == "memfd_create"
    }
}

bitflags! {