core/go
8
0
Fork 0
generated from lthn/LEM
Code Issues 2 Pull requests 1 Projects Releases Packages Wiki Activity Actions
go/pkg/coredeno/permissions.go

43 lines
895 B
Go
Raw Normal View History

feat(coredeno): permission engine for I/O fortress CheckPath (prefix-based), CheckNet (exact match), CheckRun (exact match). Empty allowed list = deny all. Secure by default. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:54:02 +00:00
package coredeno
import (
"path/filepath"
"strings"
)
// CheckPath returns true if the given path is under any of the allowed prefixes.
// Empty allowed list means deny all (secure by default).
func CheckPath(path string, allowed []string) bool {
if len(allowed) == 0 {
return false
}
clean := filepath.Clean(path)
for _, prefix := range allowed {
cleanPrefix := filepath.Clean(prefix)
if strings.HasPrefix(clean, cleanPrefix) {
return true
}
}
return false
}
// CheckNet returns true if the given host:port is in the allowed list.
func CheckNet(addr string, allowed []string) bool {
for _, a := range allowed {
if a == addr {
return true
}
}
return false
}
// CheckRun returns true if the given command is in the allowed list.
func CheckRun(cmd string, allowed []string) bool {
for _, a := range allowed {
if a == cmd {
return true
}
}
return false
}
Reference in a new issue Copy permalink