Undo access changes on exit

FabricMC · Dec 12, 2024 · 52d67ca · 52d67ca
1 parent 3e14e5e
commit 52d67ca
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 7 deletions.
diff --git a/windows/Sources/FabricSandbox/FabricSandbox.swift b/windows/Sources/FabricSandbox/FabricSandbox.swift
@@ -82,6 +82,13 @@ class FabricSandbox {
       try! mountedDisk.unmount()
     }
 
+    let access = TemporaryAccess()
+    defer {
+      // Ensure that the lifetime of access extends past the lifetime of the sandbox
+      // Unlike c++ deinit is not guaranteed to run at the end of the scope
+      let _ = access
+    }
+
     // E.g S:\
     let sandboxRoot = File(mountedDisk.drivePath)
     // E.g S:\profileName or S:\
@@ -105,42 +112,42 @@ class FabricSandbox {
       // This is hard to do as mods commonly write outside of these directories.
 
       // Grant full access to the mounted disk
-      try grantAccess(
+      try access.grant(
         sandboxRoot, trustee: container,
         accessPermissions: [.genericAll])
 
       if let assetsDir = commandLine.getAssetsDir(), isDevEnv {
         // Grant read access to the assets dir in dev
-        try grantAccess(
+        try access.grant(
           assetsDir, trustee: container,
           accessPermissions: [.genericRead])
       }
 
       if let log4jConfig = commandLine.getJvmProp("log4j.configurationFile") {
         // Grant read access to the log4j configuration file
-        try grantAccess(
+        try access.grant(
           File(log4jConfig), trustee: container,
           accessPermissions: [.genericRead])
       }
     } else {
       logger.debug("Working directory is not root, granting access")
       // Grant read and execute to .minecraft
-      try grantAccess(
+      try access.grant(
         sandboxRoot, trustee: container,
         accessPermissions: [.genericRead, .genericExecute])
 
       // Grant full access to the working directory
-      try grantAccess(
+      try access.grant(
         sandboxWorkingDirectory, trustee: container,
         accessPermissions: [.genericAll])
 
-      try grantAccess(
+      try access.grant(
         tempDir, trustee: container,
         accessPermissions: [.genericAll])
     }
 
     // Grant read and execute to Java home
-    try grantAccess(
+    try access.grant(
       javaDirectory, trustee: container,
       accessPermissions: [.genericRead, .genericExecute])
 

diff --git a/windows/Sources/FabricSandbox/TemporaryAccess.swift b/windows/Sources/FabricSandbox/TemporaryAccess.swift
@@ -0,0 +1,30 @@
+import WindowsUtils
+
+class TemporaryAccess {
+    private var accessEntries: [AccessEntry] = []
+
+    deinit {
+        for entry in accessEntries {
+            do {
+                try clearAccess(entry.object, trustee: entry.trustee)
+            } catch {
+                logger.error("Failed to reset access for \(entry.object) for \(entry.trustee): \(error)")
+            }
+        }
+    }
+
+    public func grant(_ object: SecurityObject, trustee: Trustee, accessPermissions: [AccessPermissions]) throws {
+        accessEntries.append(AccessEntry(object: object, trustee: trustee))
+        try grantAccess(object, trustee: trustee, accessPermissions: accessPermissions)
+    }
+
+    public func deny(_ object: SecurityObject, trustee: Trustee, accessPermissions: [AccessPermissions]) throws {
+        accessEntries.append(AccessEntry(object: object, trustee: trustee))
+        try denyAccess(object, trustee: trustee, accessPermissions: accessPermissions)
+    }
+}
+
+fileprivate struct AccessEntry {
+    let object: SecurityObject
+    let trustee: Trustee
+}