Merge 0049126 into a57028b

boustrophedon · Sep 15, 2023 · 84446cc · 84446cc
2 parents a57028b + 0049126
commit 84446cc
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/examples/ipc_server_with_database.rs b/examples/ipc_server_with_database.rs
@@ -69,6 +69,7 @@ fn run_webserver(db_socket_path: &str) {
     // extrasafe context
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect().yes_really()
             .allow_running_tcp_servers()).unwrap()
         .apply_to_current_thread()
         .unwrap();
@@ -154,6 +155,8 @@ fn run_db(socket_path: &str) {
     // after opening connection socket and db file, set extrasafe context
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect()
+            .yes_really()
             .allow_running_unix_servers()
         ).unwrap()
         .enable(SystemIO::nothing()
@@ -230,6 +233,8 @@ fn run_client_write(msg: &str) {
     // Set up extrasafe context
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect()
+            .yes_really()
             .allow_start_tcp_clients()).unwrap()
         .apply_to_current_thread()
         .unwrap();
@@ -272,6 +277,7 @@ fn run_client_read() {
     SafetyContext::new()
         .enable(Networking::nothing()
             // Necessary for DNS
+            .allow_connect().yes_really()
             .allow_start_udp_servers().yes_really()
             .allow_start_tcp_clients()).unwrap()
         // For some reason only if we make two requests with a client does it use multiple threads,

diff --git a/examples/network_server.rs b/examples/network_server.rs
@@ -88,6 +88,7 @@ fn main() {
     thread::sleep(std::time::Duration::from_millis(50));
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect().yes_really()
             .allow_running_tcp_servers()
             .allow_start_tcp_clients()
         ).unwrap()

diff --git a/examples/server_with_database.rs b/examples/server_with_database.rs
@@ -184,6 +184,7 @@ fn run_client_write(msg: &str) {
     // Set up extrasafe context
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect().yes_really()
             .allow_start_tcp_clients()).unwrap()
         .apply_to_current_thread()
         .unwrap();
@@ -224,6 +225,7 @@ fn run_client_read() {
     // enable extrasafe context
     SafetyContext::new()
         .enable(Networking::nothing()
+            .allow_connect().yes_really()
             // Necessary for DNS
             .allow_start_udp_servers().yes_really()
             .allow_start_tcp_clients()).unwrap()

diff --git a/src/builtins/network.rs b/src/builtins/network.rs
@@ -175,6 +175,12 @@ impl Networking {
         YesReally::new(self)
     }
 
+    /// Allow `connect` syscall
+    pub fn allow_connect(mut self) -> YesReally<Networking> {
+        self.allowed.extend(&[Sysno::connect]);
+        YesReally::new(self)
+    }
+
     /// Allow starting new TCP clients.
     ///
     /// # Security Notes
@@ -201,8 +207,7 @@ impl Networking {
         self.custom.entry(Sysno::socket)
             .or_insert_with(Vec::new)
             .push(rule);
-
-        self.allowed.extend(&[Sysno::connect]);
+
         self.allowed.extend(NET_IO_SYSCALLS);
         self.allowed.extend(NET_READ_SYSCALLS);
         self.allowed.extend(NET_WRITE_SYSCALLS);