bunpen: address a trivial todo

2025-01-06 03:11:16 +00:00
parent cce27f52fb
commit 5644dde395
2 changed files with 1 additions and 5 deletions


@@ -29,10 +29,6 @@ fn pasta_restrict(net: resources::net_subset) void = {
//
// after that, P can continue on & exec into the user code
// unshare PID space here so that the fork'd child (pasta) is isolated.
// TODO: stronger isolation (mount namespace).
// errors::ext::check("[namespace/pasta] unshare PID", rt::ext::unshare(rt::ext::clone_flag::NEWPID));
// grab a handle to the namespaces of the primary process.
// then we can fork, unshare net (in parent) and refer to that unshared netns
// in the child (pasta) via ${ns_fd}/net.


@@ -31,7 +31,7 @@ export fn restrict(what: *resources::resources) void = {
// on i can refer to it by path relative to that parent
let session_parent = path::parent(&session)!;
log::printfln("[restrict] attempting to open parent(DBUS_SESSION_BUS_ADDRESS={})={}", path::string(&session), session_parent);
yield match (rt::open(session_parent, rt::O_RDONLY | rt::O_CLOEXEC, 0o700)) { //< TODO: correct mode?
yield match (rt::open(session_parent, rt::O_RDONLY | rt::O_CLOEXEC, 0o400)) {
case let outer_fd: int => yield dbus_details {
outer_parent_fd = outer_fd,
session_path = session,
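Review bot: The mode argument of the rt::open call on the new line is never consulted, because the flags are only O_RDONLY | O_CLOEXEC and no O_CREAT or O_TMPFILE is set, so changing 0o700 to 0o400 has no effect and the "correct mode?" TODO is answered only by deleting it. Passing a literal zero with a short comment states the intent honestly: `yield match (rt::open(session_parent, rt::O_RDONLY | rt::O_CLOEXEC, 0)) { // mode ignored: no O_CREAT`. Since session_parent is derived from DBUS_SESSION_BUS_ADDRESS, an environment-supplied path that this code expects to be a directory, it would also be worth adding a directory-only open flag here (rt::O_DIRECTORY, if the rt module exposes it) so that a regular file or dangling link at that path fails at this open rather than later when the fd is used as a parent. The body of restrict continues outside the hunk.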