lib,permission: fix addon permission drop

mawalu · mawalu · commit d7036c116391 · 2026-06-19T15:43:21.000Z
Signed-off-by: Martin &lt;martin@asymmetric.re&gt;
diff --git a/src/node_binding.cc b/src/node_binding.cc
@@ -5,6 +5,7 @@
 #include "node_errors.h"
 #include "node_external_reference.h"
 #include "node_url_pattern.h"
+#include "permission/permission.h"
 #include "util.h"
 
 #include <string>
@@ -450,6 +451,8 @@ void DLOpen(const FunctionCallbackInfo<Value>& args) {
     return THROW_ERR_DLOPEN_DISABLED(
       env, "Cannot load native addon because loading addons is disabled.");
   }
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kAddon, "");
 
   auto context = env->context();
 
diff --git a/test/parallel/test-permission-drop-addons.js b/test/parallel/test-permission-drop-addons.js
@@ -0,0 +1,38 @@
+// Flags: --permission --allow-addons --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+let bindingPath;
+try {
+  bindingPath = require.resolve(
+    `../addons/hello-world/build/${common.buildType}/binding`);
+} catch (err) {
+  if (err.code !== 'MODULE_NOT_FOUND') {
+    throw err;
+  }
+  common.skip('addon not found');
+}
+
+function openAddon() {
+  process.dlopen({ exports: {} }, bindingPath);
+}
+
+assert.ok(process.permission.has('addon'));
+openAddon();
+
+process.permission.drop('addon');
+assert.ok(!process.permission.has('addon'));
+assert.throws(() => {
+  openAddon();
+}, common.expectsError({
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'Addon',
+}));
