From f1068f90a0b315e3ba0b62e7c7bc8a3ba87be273 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon, 24 Jul 2023 15:09:07 -0300
Subject: [PATCH] src,permission: restrict by default when pm enabled

---
 src/env.cc                                 | 20 +++++++++-----------
 test/parallel/test-permission-inspector.js | 16 +++++++++++++++-
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/env.cc b/src/env.cc
index 0452766b806062..fe50fe22cb0938 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -850,19 +850,17 @@ Environment::Environment(IsolateData* isolate_data,
 
   if (options_->experimental_permission) {
     permission()->EnablePermissions();
-    // If any permission is set the process shouldn't be able to neither
+    // The process shouldn't be able to neither
     // spawn/worker nor use addons or enable inspector
     // unless explicitly allowed by the user
-    if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
-      options_->allow_native_addons = false;
-      flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
-      permission()->Apply("*", permission::PermissionScope::kInspector);
-      if (!options_->allow_child_process) {
-        permission()->Apply("*", permission::PermissionScope::kChildProcess);
-      }
-      if (!options_->allow_worker_threads) {
-        permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
-      }
+    options_->allow_native_addons = false;
+    flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
+    permission()->Apply("*", permission::PermissionScope::kInspector);
+    if (!options_->allow_child_process) {
+      permission()->Apply("*", permission::PermissionScope::kChildProcess);
+    }
+    if (!options_->allow_worker_threads) {
+      permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
     }
 
     if (!options_->allow_fs_read.empty()) {
diff --git a/test/parallel/test-permission-inspector.js b/test/parallel/test-permission-inspector.js
index f9d2ce53639945..3b4ad3d910db52 100644
--- a/test/parallel/test-permission-inspector.js
+++ b/test/parallel/test-permission-inspector.js
@@ -1,4 +1,4 @@
-// Flags: --experimental-permission --allow-fs-read=*
+// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
 'use strict';
 
 const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
 
 const { Session } = require('inspector');
 const assert = require('assert');
+const { spawnSync } = require('child_process');
 
 if (!common.hasCrypto)
   common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
     permission: 'Inspector',
   }));
 }
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '-p',
+      '(new (require("inspector")).Session()).connect()'
+    ],
+  );
+  assert.strictEqual(status, 1);
+  assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
+}