From fa3604e7fbfd40b0b88428a5290d4932b586bd8c Mon Sep 17 00:00:00 2001
From: Marcel Bindseil <marcelbindseil@gmail.com>
Date: Wed, 22 Jan 2025 08:25:51 +0100
Subject: [PATCH] Update discovery-handlers/udev/src/discovery_handler.rs

Co-authored-by: Kate Goldenring <kate.goldenring@gmail.com>
---
 .../udev/src/discovery_handler.rs             | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/discovery-handlers/udev/src/discovery_handler.rs b/discovery-handlers/udev/src/discovery_handler.rs
index d25ce6b60..1e868cfb6 100644
--- a/discovery-handlers/udev/src/discovery_handler.rs
+++ b/discovery-handlers/udev/src/discovery_handler.rs
@@ -31,10 +31,30 @@ pub struct UdevDiscoveryDetails {
     #[serde(default)]
     pub group_recursive: bool,
 
-    #[serde(default = "default_permissions")]
+    #[serde(default = "default_permissions", )]
+    #[serde(deserialize_with = "validate_permissions")]
     pub permissions: String,
 }
 
+// Validate the permissible set of cgroups `permissions`
+fn validate_permissions<'de, D>(deserializer: D) -> Result<String, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let value: String = Deserialize::deserialize(deserializer)?;
+
+    // Validating that the string only contains allowed combinations of 'r', 'w', 'm'
+    let valid_permissions = ["r", "w", "m", "rw", "rm", "rwm", "mw"];
+    if valid_permissions.contains(&value.as_str()) {
+        Ok(value)
+    } else {
+        Err(de::Error::invalid_value(
+            de::Unexpected::Str(&value),
+            &"a valid permission combination ('r', 'w', 'm', 'rw', 'rm', 'rwm', 'mw')",
+        ))
+    }
+}
+
 /// Default permissions for devices
 fn default_permissions() -> String {
     "rwm".to_string()