(platform/lua) prioritise APPL_TEMP over APPL

This fixes a regression caused by the namespace support from 0.6.2. File creation again gets its own mask that default prevents the APPL folder contents itself from being mutated, and the search order for _TEMP (if mapped) takes priority over APPL. This is to protect from leaking user data when hosting / sharing your applbase, and to have the option of stopping shared appls from having a 'packer/unpacker' like drm format where an obfuscated outer script generates polymorphic versions of itself that then get loaded back - while at the same time allowing for configurations where the user/admin can create patched overlay versions of the scripts in an appl for customisation while still tracking an upstream.
letoram · Sep 16, 2023 · d6fb042 · d6fb042
1 parent bf9861d
commit d6fb042
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@
  * input\_remap\_translation overloaded form for serializing backing keymap
  * clockreq no longer forwarded for frameserver event handler
  * image\_metadata added for annotating a vid used when streaming/sharing/scanout HDR contents
+ * functions creating files now apply a separate WRITEMASK (split from USERMASK)
 
 ## Core
  * respect border attribute in text rasteriser
@@ -42,6 +43,7 @@
  * Add interp=st for suckless terminal based state machine
 
 ## Platform
+ * paths: prioritise \_APPL_TEMP over \_APPL in load order
  * audio: engine audio split out into platform bit
  * audio: stub platform added
  * egl-dri: evict streams

diff --git a/src/engine/alt/support.h b/src/engine/alt/support.h
@@ -44,6 +44,11 @@
 	(RESOURCE_APPL | RESOURCE_APPL_SHARED | RESOURCE_APPL_TEMP | RESOURCE_NS_USER)
 #endif
 
+#ifndef CREATE_USERMASK
+#define CREATE_USERMASK \
+	(RESOURCE_APPL_TEMP | RESOURCE_APPL_SHARED | RESOURCE_NS_USER)
+#endif
+
 #ifndef CAREFUL_USERMASK
 #define CAREFUL_USERMASK \
 	(RESOURCE_APPL | RESOURCE_APPL_SHARED | RESOURCE_APPL_TEMP | RESOURCE_SYS_SCRIPTS)

diff --git a/src/engine/arcan_lua.c b/src/engine/arcan_lua.c
@@ -6802,7 +6802,7 @@ static int rawsurface(lua_State* ctx)
 	if (dumpstr){
 		int fd;
 		char* fname = arcan_find_resource(
-			dumpstr, RESOURCE_APPL_TEMP, ARES_FILE | ARES_CREATE, &fd);
+			dumpstr, CREATE_USERMASK, ARES_FILE | ARES_CREATE, &fd);
 		if (!fname){
 			arcan_warning(
 				"rawsurface() -- refusing to overwrite existing file (%s)\n", fname);
@@ -8461,10 +8461,7 @@ static int targetsnapshot(lua_State* ctx)
 
 /* verify that it is a safe namespace for writing */
 	if (ns != RESOURCE_APPL_STATE){
-		if (ns ==
-			RESOURCE_APPL_SHARED ||
-			ns == RESOURCE_APPL_TEMP ||
-			ns == RESOURCE_NS_USER){
+		if (ns && CREATE_USERMASK){
 			command = TARGET_COMMAND_BCHUNK_OUT;
 		}
 		else {
@@ -9959,7 +9956,7 @@ static int spawn_recfsrv(lua_State* ctx,
 		fd = open(NULFILE, O_WRONLY | O_CLOEXEC);
 	else {
 		char* fn = arcan_find_resource(resf,
-			RESOURCE_APPL_TEMP, ARES_FILE | ARES_CREATE, &fd);
+			CREATE_USERMASK, ARES_FILE | ARES_CREATE, &fd);
 
 /* it is currently allowed to "record over" an existing file without forcing
  * the caller to use zap_resource first, this should possibly be reconsidered*/
@@ -11447,7 +11444,7 @@ static int screenshot(lua_State* ctx)
 
 	int infd = -1;
 	char* fname = arcan_find_resource(
-		resstr, DEFAULT_USERMASK, ARES_FILE | ARES_CREATE, &infd);
+		resstr, CREATE_USERMASK, ARES_FILE | ARES_CREATE, &infd);
 	if (!fname){
 		arcan_warning(
 			"save_screeenshot() -- refusing to overwrite existing file.\n");

diff --git a/src/platform/platform_types.h b/src/platform/platform_types.h
@@ -389,22 +389,22 @@ enum resource_type {
  * exclusive(mask) = mask & (mask - 1) == 0
  */
 enum arcan_namespaces {
+/*
+ * like RESOURCE_APPL, but contents can potentially be
+ * reset on exit / reload.
+ */
+	RESOURCE_APPL_TEMP = 1,
+
 /* .lua parse/load/execute,
  * generic resource load
  * special resource save (screenshots, ...)
  * rawresource open/write */
-	RESOURCE_APPL = 1,
+	RESOURCE_APPL = 2,
 
 /*
  * shared resources between all appls.
  */
-	RESOURCE_APPL_SHARED = 2,
-
-/*
- * like RESOURCE_APPL, but contents can potentially be
- * reset on exit / reload.
- */
-	RESOURCE_APPL_TEMP = 4,
+	RESOURCE_APPL_SHARED = 4,
 
 /*
  * eligible recipients for target snapshot/restore

diff --git a/src/platform/posix/paths.c b/src/platform/posix/paths.c
@@ -50,9 +50,9 @@ bool arcan_isfile(const char* fn)
 }
 
 static char* pathks[] = {
+	"path_appltemp",
 	"path_appl",
 	"path_resource",
-	"path_appltemp",
 	"path_state",
 	"path_applbase",
 	"path_applstore",
@@ -65,9 +65,9 @@ static char* pathks[] = {
 };
 
 static char* pinks[] = {
+	"pin_appltemp",
 	"pin_appl",
 	"pin_resource",
-	"pin_appltemp",
 	"pin_state",
 	"pin_applbase",
 	"pin_applstore",