@agenshield/daemon 0.6.0 → 0.6.2
- package/acl.d.ts +15 -12
- package/acl.d.ts.map +1 -1
- package/command-sync.d.ts +1 -1
- package/command-sync.d.ts.map +1 -1
- package/index.js +711 -543
- package/main.js +737 -550
- package/package.json +4 -4
- package/routes/config.d.ts.map +1 -1
- package/routes/rpc.d.ts.map +1 -1
- package/server.d.ts.map +1 -1
- package/policy-sync.d.ts +0 -25
- package/policy-sync.d.ts.map +0 -1
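--- a/package/acl.d.ts
+++ b/package/acl.d.ts
@@ -1,7 +1,7 @@
 /**
 * macOS ACL utilities for filesystem policies.
 *
-* Uses `chmod +a / -a` to grant/revoke
+* Uses `chmod +a / -a` to grant/revoke user-level ACLs on paths
 * derived from policy patterns. Failures are logged but never thrown.
 */
 import type { PolicyConfig } from '@agenshield/ipc';
@@ -21,24 +21,27 @@ export declare function stripGlobToBasePath(pattern: string): string;
 */
 export declare function operationsToAclPerms(operations: string[]): string;
 /**
-* Add a
+* Add a user ACL entry to a path.
 */
-export declare function
+export declare function addUserAcl(targetPath: string, userName: string, permissions: string, log?: Logger): void;
 /**
-* Remove all ACL entries for a
+* Remove all ACL entries for a user from a path.
 *
-* Reads current ACL entries via `ls -le`, finds entries matching the
-* and removes them by index (highest-first so indices
+* Reads current ACL entries via `ls -le`, finds entries matching the user
+* (both allow and deny), and removes them by index (highest-first so indices
+* stay valid). This ensures a clean slate before reapplying permissions.
 */
-export declare function
+export declare function removeUserAcl(targetPath: string, userName: string, log?: Logger): void;
 /**
 * Synchronise filesystem policy ACLs after a config change.
 *
-*
-*
-*
-*
+* For every path in the union of old and new ACL maps:
+* 1. Remove all existing user ACLs (clean slate)
+* 2. Reapply permissions if the path is in the new map
+*
+* This "wipe then reapply" strategy avoids stale permission accumulation
+* and the deny+allow conflict where layering ACLs produces wrong results.
 */
-export declare function syncFilesystemPolicyAcls(oldPolicies: PolicyConfig[], newPolicies: PolicyConfig[],
+export declare function syncFilesystemPolicyAcls(oldPolicies: PolicyConfig[], newPolicies: PolicyConfig[], userName: string, logger?: Logger): void;
 export {};
 //# sourceMappingURL=acl.d.ts.map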
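Review bot: `syncFilesystemPolicyAcls` is declared to return `void` and the module header says failures are logged but never thrown, so under the new wipe-then-reapply strategy a path whose step 2 fails after step 1 succeeded is left with the user's deny entries already removed and no signal to the caller. Between the two steps the path also carries no user ACL at all, which for a deny policy is a brief fail-open window. I would state this on the function, e.g. ` * NOTE: a path whose reapply fails is left without user ACLs; treat a logged failure as "policy not enforced".`, and consider reporting the failed paths to the caller in a later backward-compatible change. The implementation is not part of this declaration file, so how `userName` and `targetPath` reach `chmod` cannot be checked here; they should be passed as separate arguments rather than built into a shell string.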
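--- a/package/acl.d.ts.map
+++ b/package/acl.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../src/acl.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,UAAU,MAAM;IACd,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC7C;AAoBD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAe3D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CASjE;AAED;;GAEG;AACH,wBAAgB,
+{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../src/acl.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,UAAU,MAAM;IACd,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC7C;AAoBD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAe3D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CASjE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAa9G;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAqC5F;AAmED;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,YAAY,EAAE,EAC3B,WAAW,EAAE,YAAY,EAAE,EAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAsBN"}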
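--- a/package/command-sync.d.ts
+++ b/package/command-sync.d.ts
@@ -31,7 +31,7 @@ export declare function syncCommandPolicies(policies: PolicyConfig[], logger?: L
 * - Agent user (type='agent') → homeDir/bin
 * - If AGENSHIELD_AGENT_HOME is set, also use that
 */
-export declare function ensureWrappersInstalled(state: SystemState, logger?: Logger): void;
+export declare function ensureWrappersInstalled(state: SystemState, logger?: Logger, policyCommands?: Set<string>): void;
 /**
 * Full sync: update allowlist + ensure wrappers installed.
 * Called from PUT /config when policies change.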
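--- a/package/command-sync.d.ts.map
+++ b/package/command-sync.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"command-sync.d.ts","sourceRoot":"","sources":["../src/command-sync.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;
+{"version":3,"file":"command-sync.d.ts","sourceRoot":"","sources":["../src/command-sync.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAGjE,UAAU,MAAM;IACd,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC5C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC7C;AA4GD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,YAAY,EAAE,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAoDN;AA6ID;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,MAAM,EACf,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,GAC3B,IAAI,CA0BN;AAED;;;GAGG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,YAAY,EAAE,EACxB,KAAK,EAAE,WAAW,EAClB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAIN"}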