Documentation
Overview ¶
Package pathrs provides wrappers around filepath-securejoin that add the minimum set of features needed from libpathrs that filepath-securejoin does not provide. The eventual goal is that these wrappers can ease the transition by being converted to stubs when libpathrs builds are enabled.
Index ¶
- func CreateInRoot(root, subpath string, flags int, fileMode uint32) (*os.File, error)
- func IsLexicallyInRoot(root, path string) bool
- func LexicallyCleanPath(path string) string
- func LexicallyStripRoot(root, path string) string
- func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) (*os.File, error)
- func MkdirAllParentInRoot(root, unsafePath string, mode os.FileMode) (*os.File, string, error)
- func OpenInRoot(root, subpath string, flags int) (*os.File, error)
- func ProcPidOpen(pid int, subpath string, flags int) (*os.File, error)
- func ProcSelfOpen(subpath string, flags int) (*os.File, error)
- func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs.ProcThreadSelfCloser, Err error)
- func Reopen(file *os.File, flags int) (*os.File, error)
Functions ¶
func CreateInRoot ¶
CreateInRoot creates a new file inside a root (as well as any missing parent directories) and returns a handle to said file. This effectively has open(O_CREAT|O_NOFOLLOW) semantics. If you want the creation to use O_EXCL, include it in the passed flags. The fileMode argument uses unix.* mode bits, *not* os.FileMode.
func IsLexicallyInRoot ¶
IsLexicallyInRoot is shorthand for strings.HasPrefix(path+"/", root+"/"), but properly handling the case where path or root have a "/" suffix.
NOTE: The return value only makes sense if the path is already mostly cleaned (i.e., doesn't contain "..", ".", nor unneeded "/"s).
func LexicallyCleanPath ¶ added in v1.4.0
LexicallyCleanPath makes a path safe for use with filepath.Join. This is done by not only cleaning the path, but also (if the path is relative) adding a leading '/' and cleaning it (then removing the leading '/'). This ensures that a path resulting from prepending another path will always resolve to lexically be a subdirectory of the prefixed path. This is all done lexically, so paths that include symlinks won't be safe as a result of using CleanPath.
func LexicallyStripRoot ¶ added in v1.4.0
LexicallyStripRoot returns the passed path, stripping the root path if it was (lexically) inside it. Note that both passed paths will always be treated as absolute, and the returned path will also always be absolute. In addition, the paths are cleaned before stripping the root.
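The three lexical helpers above, re-implemented from their descriptions as an added example (this is not runc's own source; the lower-case function names and the /rootfs sample paths are constructed here). It shows a bare strings.HasPrefix check being fooled by a sibling directory, and uncleaned input producing a misleading IsLexicallyInRoot result, as the NOTE warns.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// isLexicallyInRoot: prefix match on a component boundary, ignoring trailing "/".
func isLexicallyInRoot(root, path string) bool {
	root, path = strings.TrimRight(root, "/"), strings.TrimRight(path, "/")
	return strings.HasPrefix(path+"/", root+"/")
}

// lexicallyCleanPath: relative paths are cleaned as if rooted at "/", so
// leading ".." components are dropped before the caller joins onto a root.
func lexicallyCleanPath(path string) string {
	if path == "" {
		return ""
	}
	if filepath.IsAbs(path) {
		return filepath.Clean(path)
	}
	// Rel cannot fail here: the cleaned target is always below "/".
	rel, _ := filepath.Rel("/", filepath.Clean("/"+path))
	return rel
}

// lexicallyStripRoot: both inputs are treated as absolute and cleaned; the
// root prefix is removed only on a component boundary.
func lexicallyStripRoot(root, path string) string {
	root, path = lexicallyCleanPath("/"+root), lexicallyCleanPath("/"+path)
	switch {
	case path == root:
		return "/"
	case root != "/":
		path = strings.TrimPrefix(path, root+"/")
	}
	return lexicallyCleanPath("/" + path)
}

func main() {
	root := "/rootfs" // constructed sample values throughout
	fmt.Println(strings.HasPrefix("/rootfs2/etc", root))   // true: naive check accepts a sibling directory
	fmt.Println(isLexicallyInRoot(root, "/rootfs2/etc"))   // false
	fmt.Println(isLexicallyInRoot(root, "/rootfs/../etc")) // true: uncleaned input, see the NOTE
	fmt.Println(filepath.Join(root, lexicallyCleanPath("../../etc/passwd"))) // /rootfs/etc/passwd
	fmt.Println(lexicallyStripRoot(root, "/rootfs/etc/passwd"))              // /etc/passwd
}
```

None of these functions consults the filesystem, so a symlink inside the root can still redirect the joined path; that case is what the *InRoot functions on this page are for.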
func MkdirAllInRoot ¶
MkdirAllInRoot attempts to make
    path, _ := securejoin.SecureJoin(root, unsafePath)
    os.MkdirAll(path, mode)
    os.Open(path)
safer against attacks where components in the path are changed between SecureJoin returning and MkdirAll (or Open) being called. In particular, we try to detect any symlink components in the path while we are doing the MkdirAll.
NOTE: If unsafePath is a subpath of root, we assume that you have already called SecureJoin and so we use the provided path verbatim without resolving any symlinks (this is done in a way that avoids symlink-exchange races). This means that the path also must not contain ".." elements, otherwise an error will occur.
This uses (pathrs-lite).MkdirAllHandle under the hood, but it has special handling if unsafePath has already been scoped within the rootfs (this is needed for a lot of runc callers and fixing this would require reworking a lot of path logic).
func MkdirAllParentInRoot ¶ added in v1.4.0
MkdirAllParentInRoot is like MkdirAllInRoot except that it only creates the parent directory of the target path, returning the trailing component so the caller has more flexibility around constructing the final inode.
Callers need to be very careful operating on the trailing path, as trivial mistakes like following symlinks can cause security bugs. Most people should probably just use MkdirAllInRoot or CreateInRoot.
func OpenInRoot ¶
OpenInRoot opens the given path inside the root with the provided flags. It is effectively shorthand for securejoin.OpenInRoot followed by securejoin.Reopen.
func ProcPidOpen ¶
ProcPidOpen is a wrapper around procfs.Handle.OpenPid and pathrs.Reopen, to let you one-shot open a procfs file with the given flags.
func ProcSelfOpen ¶
ProcSelfOpen is a wrapper around procfs.Handle.OpenSelf and pathrs.Reopen, to let you one-shot open a procfs file with the given flags.
func ProcThreadSelfOpen ¶
func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs.ProcThreadSelfCloser, Err error)
ProcThreadSelfOpen is a wrapper around procfs.Handle.OpenThreadSelf and pathrs.Reopen, to let you one-shot open a procfs file with the given flags. The returned procfs.ProcThreadSelfCloser needs the same handling as when using pathrs-lite.