How does Chromium define a System File? - chromium
After enabling chrome://flags/#native-file-system-api in my chrome 83.0.4103.61, I tried to access a folder with this new API
handle = await window.chooseFileSystemEntries({type: 'open-directory'})
I get the following error message:
(Can't open this folder because it contains system files.)
Can anyone please tell me what "system files" means/how they are detected and how I could access all but these "system files"?
They hard code it in a source file.
This link will rot once they rename the file (has already happened a couple times) so the relevant contents as of this post are:
const struct {
// base::BasePathKey value (or one of the platform specific extensions to it)
// for a path that should be blocked. Specify kNoBasePathKey if |path| should
// be used instead.
int base_path_key;
// Explicit path to block instead of using |base_path_key|. Set to nullptr to
// use |base_path_key| on its own. If both |base_path_key| and |path| are set,
// |path| is treated relative to the path |base_path_key| resolves to.
const base::FilePath::CharType* path;
// If this is set to kDontBlockChildren, only the given path and its parents
// are blocked. If this is set to kBlockAllChildren, all children of the given
// path are blocked as well. Finally if this is set to kBlockNestedDirectories
// access is allowed to individual files in the directory, but nested
// directories are still blocked.
// The BlockType of the nearest ancestor of a path to check is what ultimately
// determines if a path is blocked or not. If a blocked path is a descendent
// of another blocked path, then it may override the child-blocking policy of
// its ancestor. For example, if /home blocks all children, but
// /home/downloads does not, then /home/downloads/file.ext will *not* be
// blocked.
BlockType type;
} kBlockedPaths[] = {
// Don't allow users to share their entire home directory, entire desktop or
// entire documents folder, but do allow sharing anything inside those
// directories not otherwise blocked.
{base::DIR_HOME, nullptr, kDontBlockChildren},
{base::DIR_USER_DESKTOP, nullptr, kDontBlockChildren},
{chrome::DIR_USER_DOCUMENTS, nullptr, kDontBlockChildren},
// Similar restrictions for the downloads directory.
{chrome::DIR_DEFAULT_DOWNLOADS, nullptr, kDontBlockChildren},
{chrome::DIR_DEFAULT_DOWNLOADS_SAFE, nullptr, kDontBlockChildren},
// The Chrome installation itself should not be modified by the web.
{chrome::DIR_APP, nullptr, kBlockAllChildren},
// And neither should the configuration of at least the currently running
// Chrome instance (note that this does not take --user-data-dir command
// line overrides into account).
{chrome::DIR_USER_DATA, nullptr, kBlockAllChildren},
// ~/.ssh is pretty sensitive on all platforms, so block access to that.
{base::DIR_HOME, FILE_PATH_LITERAL(".ssh"), kBlockAllChildren},
// And limit access to ~/.gnupg as well.
{base::DIR_HOME, FILE_PATH_LITERAL(".gnupg"), kBlockAllChildren},
#if defined(OS_WIN)
// Some Windows specific directories to block, basically all apps, the
// operating system itself, as well as configuration data for apps.
{base::DIR_PROGRAM_FILES, nullptr, kBlockAllChildren},
{base::DIR_PROGRAM_FILESX86, nullptr, kBlockAllChildren},
{base::DIR_PROGRAM_FILES6432, nullptr, kBlockAllChildren},
{base::DIR_WINDOWS, nullptr, kBlockAllChildren},
{base::DIR_APP_DATA, nullptr, kBlockAllChildren},
{base::DIR_LOCAL_APP_DATA, nullptr, kBlockAllChildren},
{base::DIR_COMMON_APP_DATA, nullptr, kBlockAllChildren},
// Opening a file from an MTP device, such as a smartphone or a camera, is
// implemented by Windows as opening a file in the temporary internet files
// directory. To support that, allow opening files in that directory, but
// not whole directories.
{base::DIR_IE_INTERNET_CACHE, nullptr, kBlockNestedDirectories},
#endif
#if defined(OS_MAC)
// Similar Mac specific blocks.
{base::DIR_APP_DATA, nullptr, kBlockAllChildren},
{base::DIR_HOME, FILE_PATH_LITERAL("Library"), kBlockAllChildren},
#endif
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
// On Linux also block access to devices via /dev, as well as security
// sensitive data in /sys and /proc.
{kNoBasePathKey, FILE_PATH_LITERAL("/dev"), kBlockAllChildren},
{kNoBasePathKey, FILE_PATH_LITERAL("/sys"), kBlockAllChildren},
{kNoBasePathKey, FILE_PATH_LITERAL("/proc"), kBlockAllChildren},
// And block all of ~/.config, matching the similar restrictions on mac
// and windows.
{base::DIR_HOME, FILE_PATH_LITERAL(".config"), kBlockAllChildren},
// Block ~/.dbus as well, just in case, although there probably isn't much a
// website can do with access to that directory and its contents.
{base::DIR_HOME, FILE_PATH_LITERAL(".dbus"), kBlockAllChildren},
#endif
// TODO(https://crbug.com/984641): Refine this list, for example add
// XDG_CONFIG_HOME when it is not set ~/.config?
};
Note the bug url: https://crbug.com/984641
Related
What is the difference between static files and embedded application resources in Ktor?
I'm reading the ktor documentation on serving static content and it's not clear to me what the difference between files("css") and resources("css") is.
The static method is equivalent to the route method so it just creates a path route in the routing tree. The files method allows serving all static files from the provided path (directory) from a local filesystem. Relative paths will be resolved using the current working directory. The resources method does the same as the files method except that it allows serving static files from the classpath. Here is an example: // Assume that current working directory is /home/user/project embeddedServer(Netty, port = 8080) { routing { // This route will be resolved if a request path starts with /assets/ static("assets") { // For the request path /assets/style.css the file /home/user/project/css/style.css will be served files("./css") // It's the same as above files("css") // For the request path /assets/data.txt the file /absolute/path/to/data.txt will be served files("/absolute/path/to") // For the request path /assets/style.css the file <resources>/css/style.css will be served // where <resources> is the embedded resource directory resources("css") } } }.start(wait = true)
How to convert .ino file into .bin file with "sketch + WiFi settings" from arduinoIDE to upload in S3 ESP8266 by "ESP8266 download tool"?
I want to flash S3 ESP8266 module by "ESP8266 download tool". In arduinoIDE, when my setUp is like, tools->Erase Flash: only sketch. I can easily convert the blink.ino code into .bin and can flash it to my S3 ESP8266 module via "ESP8266 download tool", and can really see it's BuiltIn led blinking. But, when my setUp is like, tools->Erase Flash: sketch+WiFi settings. I can convert the blink.ino into .bin and can flash it to my S3 ESP8266 module via "ESP8266 download tool". But unfortunately it doesn't blink. My .ino code is simple. void setup() { pinMode(4, OUTPUT); } void loop() { digitalWrite(4, HIGH); delay(1000); digitalWrite(4, LOW); delay(1000); } Options selected in ArduinoIDE's Tools, Board : NodeMCU 1.0(ESP-12E Module) Flash Size : "4M (No SPIFFS)" I think this issue is because of "build options" changes, but I don't know about it's solution. Is there anyThing that I am missing out ? Please help.
How do I generate a file based on user input in MSI created using WixSharp?
I created an installation MSI package using WixSharp. I have a custom dialog with language, server, etc. options. I want to generate an application config file based on these options and deploy it next to the .exe file as part of an installation process. If it is possible, how should I do that?
You can subscribe on AfterInstall event (when files has been coppied) and modify your config file there. AfterInstall demostration project.AfterInstall += project_AfterInstall; ... static void project_AfterInstall(SetupEventArgs e) Installation directory you can find here: private void OnAfterInstall(SetupEventArgs e) { var installationPath = e.Session["INSTALLDIR"]; // Change your config file here // if you need to modify your file once time after installation // just add this one condition if (e.IsInstalled) { ... } }
Can't read files inside native service app - Gear Fit 2
I have very strange issue on Gear Fit 2. I have native service in hybrid app (web app + native service in one package) and can't access to files. I got error message: Permission denied. The code stops at getting folder attributes - line: if(stat(path,$st) == -1). I don't know what is wrong. The code read files without problem when it is inside UI app but doesn't want to work in hybrid native service. Are there any constraints about reading files from service app on Gear Fit 2? Of course I added privileges to tizen-manifes.xml. http://tizen.org/privilege/mediastorage http://tizen.org/privilege/externalstorage Code: char *path; storage_get_root_directory(STORAGE_TYPE_INTERNAL, &path); // works OK // path contains now: /opt/usr/media struct stat st; if (stat(path, &st) == -1) { // STOP HERE, stat() returns -1 return; // code enter here and ending } if (S_ISDIR(st.st_mode)) { ... // not enter here } ... after calling stat(path, &st); // it sets errno if fail strerror(errno) returns message: Permission denied.
Daemon - Client IPC with Unix sockets
I have a launch daemon which I want to ask for status information from a user app. I implemented a client-server model (with the daemon as server) using unix sockets as described here: OS X - Communication between launch daemon and launch agent In fact it works well, when I run the daemon as a user process (for debugging), but it will fail when it is actually launched as root. I have read the TN on Daemons and Agents and the Daemon & Services Programming Guide. However, I could not find decent information how the socket must be used in a launch daemon. I am confused by several things: Must I specify the socket in the launch daemon plist file? And how? If the socket is specified in the plist, does that change the way I need to create the socket in code? What path would be good for the unix socket? The Technical Note recommends /var/run but I guess a user process may not write there, or can it? Is there maybe a easier way to do IPC between daemon and client? What is the best way to log the daemon output. I tried NSLog but it seems not work... I am also unsure if my socket code is correct. Maybe someone more experienced can tell me if I'm on the right track here. I have the following code in the daemon to initialize the unix socket: #define SOCKETNAME "/var/run/com.company.myApp.socket" - (void) startServer { //remove any prev socket unlink(SOCKETNAME); CFSocketContext CTX = { 0, (__bridge void *)(self), NULL, NULL, NULL }; CFSocketRef unixSocket = CFSocketCreate(NULL, PF_UNIX, SOCK_STREAM, 0, kCFSocketAcceptCallBack, (CFSocketCallBack)AcceptCallBack, &CTX); if (unixSocket == NULL) {/*log and return*/} struct sockaddr_un addr; memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; strcpy(addr.sun_path, SOCKETNAME); addr.sun_len = strlen(addr.sun_path) + sizeof (addr.sun_family); NSData *address = [ NSData dataWithBytes: &addr length: sizeof(addr) ]; if (CFSocketSetAddress(unixSocket, (__bridge CFDataRef) address) != kCFSocketSuccess) { NSLog(#"CFSocketSetAddress() failed\n"); CFRelease(unixSocket); } CFRunLoopSourceRef sourceRef = CFSocketCreateRunLoopSource(kCFAllocatorDefault, unixSocket, 0); CFRunLoopAddSource(CFRunLoopGetCurrent(), sourceRef, kCFRunLoopCommonModes); CFRelease(sourceRef); CFRunLoopRun(); } void AcceptCallBack(CFSocketRef socket, CFSocketCallBackType type, CFDataRef address, const void *data, void *info) { CTServerController* selfServerController = (__bridge CTServerController*) info; //NSLog(#"acceptCallBack"); //... }
you should not specify the socket in the plist, you know the concrete place, the server knows, the client knows, that should be enought the socket specified in the plist is for launching the deamon/agent ondemand, you do not need that in a basic case you can use any path, if your daemon starts first (usually the case) it has all the privilege to set the correct rights on the socket to let anybody (or a given user, group) read, read and write or any given rights you wish, i'm sure you just forgot to let the client write/read the unix socket i think on OSX the unix socket IPC is a perfect, easy solution (you have many other choices too of course, xpc, mach messages, etc.) you can define where to go the stdout and stderr of a daemon in it's plist (StandardOutPath, StandardErrorPath keys)