getting full file system access

[Znerole]

I understand the idea of sandboxing file system access, but I'm working on a project where I fully trust the script I'm running inside LiquidCore and the virtual file system makes things quite difficult for me, i.e. I need to constantly map between paths of the environment and my script.

I would highly welcome an option to allow full access to the hosts file system. If there already is such an option, I'm afraid I haven't found it.

[ericwlange]

Hi @Znerole, as it currently stands, no such option exists. This was an intentional design decision, as the goal is to support multiple instances running simultaneously that can't interfere with the rest of the app. The idea is that eventually I would like this to be a general "micro app" development environment where app developers could drop third party micro-apps into their project without obvious security holes. But I am quite far from that vision at the moment.

There is a very simple way to hack this, but it requires you to build LiquidCore on your own (i.e. you can't use the published libraries).

For Android, change var access = 0; to var access = 3; in FileSystem.java: https://github.com/LiquidPlayer/LiquidCore/blob/bf9cdcdf5968f843860a253e55a13ac966b0b814/LiquidCore/src/main/java/org/liquidplayer/node/FileSystem.java#L377

For iOS, do the same in FileSystem.m: https://github.com/LiquidPlayer/LiquidCore/blob/0.7.2/LiquidCore/src/ios/API/FileSystem.m#L150

You will still have the virtual file system anchored at /home, but accesses outside the sandbox won't automatically throw ENOACES. Instead, if they resolve somewhere, they should work as expected.

I suppose I could expose this as an option when creating the MicroService, but I wonder how common this use case is.

[Znerole]

Hi Eric,

thanks for your help!

I know where you're coming from regarding the micro apps. In my case, I simply need to run a set of existing nodejs applications on Android/iOS and I turned to LiquidCore because it is by far the best available nodejs port (even though it is more).

That aside, an alternative to giving full file system access could be to allow configuring custom "symlinks". Full file access would be mapping "/" -> "/", but more restrictive patterns would be possible, like for the current "/home" links.

I might try to work on this, but perhaps not too soon. For now, I will try your suggestions to build a patched LiquidCore.

Best Regards Lorenz

[ericwlange]

Hi @Znerole - I have added this functionality which will get pushed with the next release.

Android Example

  android.content.Context context = ...;
  MicroService service = ...;

  final String dir = context.getFilesDir().getAbsolutePath();
  service.getProcess().exposeHostDirectory(dir, Process.kMediaAccessPermissionsRW);

Assuming dir is something like /data/data/0/org.foo.bar/blahblah, this directory will now be available to the micro service:

  const fs = require('fs')
  let content = String(fs.readFileSync('/data/data/0/org.foo.bar/blahblah/SomeFile.txt'))

iOS Example

  service.process.exposeHostDirectory(NSHomeDirectory(), mediaAccessMask:PermissionsRW)

[ericwlange]

This has been added to 0.7.4