Open tiller-tolbus opened 5 months ago
Rather than an explicit whitelist, ensuring that clay mountpoint names (i.e., desks) conform to `(sane %tas)` is probably the simplest way to accomplish this. That would need to be done in each of the desk-relevant effect handlers in `unix.c`: `u3_unix_ef_ergo()`, `u3_unix_ef_ogre()`, `u3_unix_ef_*()`...
Per convo with @joemfb, `unix.c` is not guaranteed to prevent disastrous outcomes from malformed `%ergo` effects coming from Clay, such as attempts to write to `.urb` or `.run`. Desired case is that there is, at least, a hard-coded and unified list of paths that Vere will not write to as the result of a Clay effect.

Such a unified list of paths should also include a `.host` directory so that providers have a safe place to put pier-specific files that won't be touched by the runtime.
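As an added illustration of the two checks the issue asks for (this is example code written for this page, not Vere's own `unix.c`), the block below shows a desk-name validator and a hard-coded reserved-path check that an effect handler could run before writing anything under the pier. The function names, the reserved-path list (`.urb`, `.run` and the proposed `.host`) and the exact term rule are assumptions: the name rule here (lowercase letter, then lowercase letters, digits and single hyphens, no trailing hyphen) approximates `(sane %tas)`-style validation rather than reproducing Hoon's definition.

```c
/* Added example, not Vere's code: defensive checks an effect handler in
 * unix.c could run before touching the pier on a Clay effect.
 * Function names, the reserved list and the term rule are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pier-relative directories the runtime owns and a Clay effect must never
 * write under. .urb and .run are named in the issue; .host is the proposed
 * provider directory. */
static const char* const reserved_paths[] = { ".urb", ".run", ".host" };

/* Assumed desk-name rule (approximates (sane %tas), not Hoon's definition):
 * first char a-z, then a-z, 0-9 or '-', with no doubled or trailing hyphen. */
bool desk_name_ok(const char* nam)
{
  if (nam == NULL || nam[0] < 'a' || nam[0] > 'z') return false;
  char prev = nam[0];
  for (size_t i = 1; nam[i] != '\0'; i++) {
    char c = nam[i];
    bool low = (c >= 'a' && c <= 'z');
    bool nud = (c >= '0' && c <= '9');
    bool hep = (c == '-');
    if (!(low || nud || hep)) return false;
    if (hep && prev == '-') return false;   /* reject "--" */
    prev = c;
  }
  return prev != '-';                       /* reject trailing hyphen */
}

/* Returns true if `rel`, a pier-relative path such as "base/app/foo.hoon",
 * is safe for an effect handler to write: non-empty, not absolute, no "."
 * or ".." component, no empty component, and its first component is not a
 * reserved runtime directory. Matching is per component, so ".urbit" is
 * not confused with ".urb". */
bool effect_path_ok(const char* rel)
{
  if (rel == NULL || rel[0] == '\0' || rel[0] == '/') return false;

  const char* p = rel;
  while (*p) {
    const char* q = strchr(p, '/');
    size_t len = q ? (size_t)(q - p) : strlen(p);
    if (len == 0) return false;                          /* "//" */
    if (len == 1 && p[0] == '.') return false;           /* "."  */
    if (len == 2 && p[0] == '.' && p[1] == '.') return false; /* ".." */
    if (!q) break;
    p = q + 1;
  }

  size_t first = strcspn(rel, "/");
  size_t n = sizeof reserved_paths / sizeof reserved_paths[0];
  for (size_t i = 0; i < n; i++) {
    if (strlen(reserved_paths[i]) == first &&
        strncmp(rel, reserved_paths[i], first) == 0)
      return false;
  }
  return true;
}

int main(void)
{
  /* constructed sample inputs */
  const char* desks[] = { "base", "my-desk2", ".urb", "Base", "a--b", "a-" };
  const char* paths[] = { "base/app/foo.hoon", ".urb/log/x", ".run",
                          "base/../.urb/x", "/etc/x", ".urbit/ok" };
  for (size_t i = 0; i < sizeof desks / sizeof desks[0]; i++)
    printf("desk %-10s ok=%d\n", desks[i], desk_name_ok(desks[i]));
  for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
    printf("path %-18s ok=%d\n", paths[i], effect_path_ok(paths[i]));
  return 0;
}
```

Both checks are cheap and independent: the name check stops a malformed mountpoint from ever becoming a directory name, and the path check is the unified deny-list the issue asks for, applied to whatever relative path the effect carries.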