WIP SLOP use descriptors to avoid TOCTOU for canonicalising file system meta data#15120
Draft
Ericson2314 wants to merge 3 commits into NixOS:master from
Conversation
Force-pushed from 2b4af0a to 288b77e
Force-pushed from 7fd06b1 to 0ed6078
- FD-based symlink creation on Unix and Windows with wrappers (`createSymlinkAt`, `createDirectoryAt`).
- Big cleanup of `fs-sink.cc` to take advantage of new stuff and reduce CPP.
- Reimplement `lstat` and `maybeLstat` from first principles on Windows, so they work with symlinks. Properly define `S_IFLNK` and `S_ISLNK`.
- Start fixing bugs in Windows now that we can run the tests locally with wine decently well enough.
- Make `descriptorToPath` cross-platform (renamed from `windows::handleToPath`). Uses `/proc/self/fd` on Linux and `F_GETPATH` on macOS. Add `HAVE_F_GETPATH` meson check. This is based on 7226a11, which was removed in 479c356, but is now introduced more judiciously.
- Unix error messages in `readFull`, `writeFull`, `readLine` now include file paths via `descriptorToPath`.
- Refactor `fsync` to be a standalone function that `AutoCloseFD::fsync()` calls.
- Change `writeFile(AutoCloseFD &, ...)` to take a `Descriptor` with an optional `origPath` parameter (uses `descriptorToPath` if not provided).
Force-pushed from 0ed6078 to 52c9247
- Implement wrappers for the descriptor-based ones too.
- Do the `maybe*` ones in terms of the others via try-catch, portably.
…em meta data

This should not happen now, but instead happen after

- NixOS#15119
- NixOS#15060
- Sergei's upcoming new `Descriptor`-based `SourceAccessor`

I suspect what we'll want to do is expose that source accessor after all, so we can have some extra methods to get at the underlying file descriptors. (Or, conversely, maybe this won't be necessary, because enough of the underlying logic will be factored into `file-descriptor.hh` functions that the `SourceAccessor` itself will be a small wrapper.)

Either way, at that point we'll not be duplicating stuff here, nor will we be lacking a foundation on Windows, and we can then finish the job.
Force-pushed from 52c9247 to 207bd50
Motivation

I suppose we should have a big issue for all the "no TOCTOU, yes `Descriptor`" work, to link here.

Context

This should not happen now, but instead happen after

- `CanonicalizePathMetadataOptions` for `canonicalisePathMetaData` #15119
- `readLinkAt` and `openFileEnsureBeneathNoSymlinks` on Windows too #15060
- `Descriptor`-based `SourceAccessor`

I suspect what we'll want to do is expose that source accessor after all, so we can have some extra methods to get at the underlying file descriptors. (Or, conversely, maybe this won't be necessary, because enough of the underlying logic will be factored into `file-descriptor.hh` functions that the `SourceAccessor` itself will be a small wrapper.)

Either way, at that point we'll not be duplicating stuff here, nor will we be lacking a foundation on Windows, and we can then finish the job.
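The descriptor-based pattern this PR and its first commit are working toward, written out as an added example (my code, not this PR's or Nix's): `fstatat` with `AT_SYMLINK_NOFOLLOW`, `openat` with `O_NOFOLLOW`, a dev/ino cross-check between the two, then `fchmod`/`futimens` on the descriptor rather than the path, plus a `descriptorToPath` that reads `/proc/self/fd` on Linux and uses `F_GETPATH` on macOS as the commit message describes. The function names `canonicaliseEntry`, `canonicaliseChildren` and `demo`, and the temp-dir fixture, are my assumptions; the target modes 0444/0555 and mtime 1 mirror what Nix's `canonicalisePathMetaData` produces.

```cpp
// Added example (not Nix's code): TOCTOU-resistant metadata canonicalisation via descriptors.
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
#include <dirent.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

[[noreturn]] static void throwErrno(const std::string & w) { throw std::runtime_error(w + ": " + std::strerror(errno)); }
// Best-effort path of an open descriptor, for error messages only: stale as soon as it returns, never reopen by it.
std::string descriptorToPath(int fd) {
    char buf[PATH_MAX];
#ifdef __APPLE__
    if (fcntl(fd, F_GETPATH, buf) == -1) throwErrno("F_GETPATH");
    return buf;
#else
    std::string link = "/proc/self/fd/" + std::to_string(fd);
    ssize_t n = readlink(link.c_str(), buf, sizeof(buf) - 1);
    if (n == -1) throwErrno("readlink " + link);
    return std::string(buf, n);
#endif
}

void canonicaliseChildren(int dirFd);
// Canonicalise entry `name` of the directory open at `dirFd`: mode 0444/0555, mtime 1, as Nix does.
void canonicaliseEntry(int dirFd, const std::string & name) {
    const struct timespec mtimeOne[2] = {{0, UTIME_OMIT}, {1, 0}};
    struct stat st, st2;
    if (fstatat(dirFd, name.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1)
        throwErrno("fstatat " + descriptorToPath(dirFd) + "/" + name);
    if (S_ISLNK(st.st_mode)) {  // symlink: fix the link's own mtime, never its target
        if (utimensat(dirFd, name.c_str(), mtimeOne, AT_SYMLINK_NOFOLLOW) == -1) throwErrno("utimensat " + name);
        return;
    }
    // Open without following symlinks, then confirm what we hold is what we stat'ed (dev/ino); a swap in between fails.
    int fd = openat(dirFd, name.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (S_ISDIR(st.st_mode) ? O_DIRECTORY : 0));
    if (fd == -1) throwErrno("openat " + name);
    if (fstat(fd, &st2) == -1 || st.st_dev != st2.st_dev || st.st_ino != st2.st_ino) {
        close(fd);
        throw std::runtime_error("'" + name + "' changed while canonicalising");
    }
    try {
        if (S_ISDIR(st2.st_mode)) canonicaliseChildren(fd);
        // All changes go through the descriptor: drop setuid/setgid/sticky and write bits, keep owner-execute as 0555.
        if (fchmod(fd, (S_ISDIR(st2.st_mode) || (st2.st_mode & S_IXUSR)) ? 0555 : 0444) == -1) throwErrno("fchmod " + name);
        if (futimens(fd, mtimeOne) == -1) throwErrno("futimens " + name);
    } catch (...) { close(fd); throw; }
    close(fd);
}

// fdopendir takes ownership of the descriptor it is given, so hand it a dup.
void canonicaliseChildren(int dirFd) {
    DIR * d = fdopendir(dup(dirFd));
    if (!d) throwErrno("fdopendir " + descriptorToPath(dirFd));
    while (struct dirent * e = readdir(d)) {
        std::string n = e->d_name;
        if (n == "." || n == "..") continue;
        try { canonicaliseEntry(dirfd(d), n); } catch (...) { closedir(d); throw; }
    }
    closedir(d);
}

// Constructed fixture (demo data, not from the PR): sloppy-mode tree in a temp dir, canonicalised, inspected, removed.
struct Outcome { mode_t file, script, sub; time_t fileMtime; bool linkStillLink; };
Outcome demo() {
    char root[] = "/tmp/canon-demo-XXXXXX";
    if (!mkdtemp(root)) throwErrno("mkdtemp");
    int dirFd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirFd == -1) throwErrno(root);
    auto touch = [&](const char * n, mode_t m) {  // fchmodat sets the exact mode, bypassing umask
        int fd = openat(dirFd, n, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
        if (fd == -1 || fchmodat(dirFd, n, m, 0) == -1) throwErrno(n);
        close(fd);
    };
    auto statOf = [&](const char * n) {
        struct stat st;
        if (fstatat(dirFd, n, &st, AT_SYMLINK_NOFOLLOW) == -1) throwErrno(n);
        return st;
    };
    touch("file", 0666);     // world-writable regular file
    touch("script", 04755);  // setuid executable
    if (mkdirat(dirFd, "sub", 0777) == -1 || fchmodat(dirFd, "sub", 0777, 0) == -1) throwErrno("sub");
    if (symlinkat("file", dirFd, "link") == -1) throwErrno("link");
    canonicaliseChildren(dirFd);
    Outcome o;
    o.file = statOf("file").st_mode & 07777;     o.script = statOf("script").st_mode & 07777;
    o.sub = statOf("sub").st_mode & 07777;       o.fileMtime = statOf("file").st_mtime;
    o.linkStillLink = S_ISLNK(statOf("link").st_mode);
    for (const char * n : {"link", "file", "script"}) unlinkat(dirFd, n, 0);
    unlinkat(dirFd, "sub", AT_REMOVEDIR);
    close(dirFd);
    rmdir(root);
    return o;
}
```

The dev/ino comparison is what turns the classic lstat-then-open race into a detected failure instead of a silent follow of a swapped-in symlink, and `descriptorToPath` appears only in error text, never as something to reopen, because the path it returns can be stale the moment it comes back. `demo()` is the entry point to call from a `main`; it builds and tears down its own fixture under `/tmp`.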