diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8c96cc..f1de3f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 - (Linux) Sandbox exceptions for symbolic links
 - (macOS) Modifying exceptions for paths affected by existing exceptions
+- (Linux) Symlink/Canonical path's exceptions overriding each other
 
 ## [v0.5.0] - 2023-10-13
 
diff --git a/Cargo.toml b/Cargo.toml
index 570cbd8..719376b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,11 +49,6 @@ name = "fs_readonly"
 path = "tests/fs_readonly.rs"
 harness = false
 
-[[test]]
-name = "fs_restrict_child"
-path = "tests/fs_restrict_child.rs"
-harness = false
-
 [[test]]
 name = "fs_write_also_read"
 path = "tests/fs_write_also_read.rs"
diff --git a/src/linux/namespaces.rs b/src/linux/namespaces.rs
index f74bfee..2d62ac3 100644
--- a/src/linux/namespaces.rs
+++ b/src/linux/namespaces.rs
@@ -6,7 +6,7 @@ use std::fs::{self, File};
 use std::io::Error as IoError;
 use std::os::unix::ffi::OsStrExt;
 use std::os::unix::fs as unixfs;
-use std::path::{Path, PathBuf, Component};
+use std::path::{Component, Path, PathBuf};
 use std::{env, mem, ptr};
 
 use bitflags::bitflags;
@@ -23,7 +23,7 @@ const NEW_ROOT: &str = "/tmp/birdcage-root";
 ///
 /// Additionally it will isolate network access if `allow_networking` is
 /// `false`.
-pub fn create_namespaces(allow_networking: bool, exceptions: PathExceptions) -> Result<()> {
+pub(crate) fn create_namespaces(allow_networking: bool, exceptions: PathExceptions) -> Result<()> {
 // Get EUID/EGID outside of the namespace.
 let uid = unsafe { libc::geteuid() };
 let gid = unsafe { libc::getegid() };
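Review bot: Narrowing `create_namespaces` from `pub` to `pub(crate)` in the second `src/linux/namespaces.rs` hunk is an API removal if the `linux::namespaces` module was reachable from outside the crate, and the CHANGELOG entry added in this commit records only the symlink fix. Whether the module is exported is not visible here; if it was, the changelog should carry a line such as `- (Linux) create_namespaces is no longer part of the public API` so downstream users see the break. If the module was always private, the narrower visibility is the right call for a function that sets up the sandbox and needs no entry. The function body continues outside the hunk.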