FreeBSD RESOLVE_BENEATH support (#296)

* Update FreeBSD versions in Cirrus CI

* Enable O_PATH usage on FreeBSD

(Available since 13.0)

* tests/fs_additional: fix incorrect FreeBSD specifics

These do not apply (anymore?)

* Use AT_/O_RESOLVE_BENEATH on FreeBSD >= 13.0, fixes #180

Author: valpackett

.cirrus.yml

@@ -4,7 +4,7 @@
 task:
   name: stable x86_64-unknown-freebsd-13
   freebsd_instance:
-    image_family: freebsd-13-0-snap
+    image_family: freebsd-13-2
   setup_script:
     - pkg install -y curl
     - curl https://sh.rustup.rs -sSf --output rustup.sh
@@ -18,7 +18,7 @@ task:
 task:
   name: stable x86_64-unknown-freebsd-12
   freebsd_instance:
-    image_family: freebsd-12-1
+    image_family: freebsd-12-4
   setup_script:
     - pkg install -y curl
     - curl https://sh.rustup.rs -sSf --output rustup.sh

README.md

@@ -168,6 +168,11 @@ utilize [`openat2`], [`O_PATH`], and [`/proc/self/fd`] (though only when /proc
 is mounted, it's really `procfs`, and there are no mounts on top of it) for
 fast path resolution as well.
 
+On FreeBSD 13.0 and newer, `cap-std` uses [`openat(O_RESOLVE_BENEATH)`] to
+implement `Dir::open` with a single system call in common cases.
+Several other operations internally utilize `AT_RESOLVE_BENEATH` and `O_PATH` for
+fast path resolution as well.
+
 Otherwise, `cap-std` opens each component of a path individually, in order to
 specially handle `..` and symlinks. The algorithm is carefully designed to
 minimize system calls, so opening `red/green/blue` performs just 5 system
@@ -177,6 +182,7 @@ and `green`.
 [`openat2`]: https://lwn.net/Articles/796868/
 [`O_PATH`]: https://man7.org/linux/man-pages/man2/open.2.html
 [`/proc/self/fd`]: https://man7.org/linux/man-pages/man5/proc.5.html
+[`openat(O_RESOLVE_BENEATH)`]: https://man.freebsd.org/cgi/man.cgi?openat
 
 ## What about networking?
 

cap-primitives/src/fs/manually/mod.rs

@@ -5,7 +5,7 @@ mod canonical_path;
 mod canonicalize;
 mod cow_component;
 mod open;
-#[cfg(not(windows))]
+#[cfg(not(any(windows, target_os = "freebsd")))]
 mod open_entry;
 mod read_link_one;
 
@@ -19,5 +19,5 @@ pub(super) use canonicalize::canonicalize_with;
 
 pub(crate) use canonicalize::canonicalize;
 pub(crate) use open::{open, stat};
-#[cfg(not(windows))]
+#[cfg(not(any(windows, target_os = "freebsd")))]
 pub(crate) use open_entry::open_entry;

cap-primitives/src/fs/manually/open.rs

@@ -6,7 +6,7 @@ use crate::fs::{
     dir_options, errors, open_unchecked, path_has_trailing_dot, path_has_trailing_slash,
     stat_unchecked, FollowSymlinks, MaybeOwnedFile, Metadata, OpenOptions, OpenUncheckedError,
 };
-#[cfg(any(target_os = "android", target_os = "linux"))]
+#[cfg(any(target_os = "android", target_os = "linux", target_os = "freebsd"))]
 use rustix::fs::OFlags;
 use std::borrow::Cow;
 use std::ffi::OsStr;
@@ -247,7 +247,7 @@ impl<'start> Context<'start> {
             Ok(file) => {
                 // Emulate `O_PATH` + `FollowSymlinks::Yes` on Linux. If `file`
                 // is a symlink, follow it.
-                #[cfg(any(target_os = "android", target_os = "linux"))]
+                #[cfg(any(target_os = "android", target_os = "linux", target_os = "freebsd"))]
                 if should_emulate_o_path(&use_options) {
                     match read_link_one(
                         &file,
@@ -527,7 +527,7 @@ pub(crate) fn stat(start: &fs::File, path: &Path, follow: FollowSymlinks) -> io:
 
 /// Test whether the given options imply that we should treat an open file as
 /// potentially being a symlink we need to follow, due to use of `O_PATH`.
-#[cfg(any(target_os = "android", target_os = "linux"))]
+#[cfg(any(target_os = "android", target_os = "linux", target_os = "freebsd"))]
 fn should_emulate_o_path(use_options: &OpenOptions) -> bool {
     (use_options.ext.custom_flags & (OFlags::PATH.bits() as i32)) == (OFlags::PATH.bits() as i32)
         && use_options.follow == FollowSymlinks::Yes

cap-primitives/src/fs/maybe_owned_file.rs

@@ -120,7 +120,7 @@ impl<'borrow> MaybeOwnedFile<'borrow> {
     }
 
     /// Assuming `self` holds an owned `File`, return it.
-    #[cfg_attr(windows, allow(dead_code))]
+    #[cfg_attr(any(windows, target_os = "freebsd"), allow(dead_code))]
     pub(super) fn unwrap_owned(self) -> fs::File {
         match self.inner {
             MaybeOwned::Owned(file) => file,

cap-primitives/src/rustix/freebsd/fs/check.rs

@@ -0,0 +1,26 @@
+use rustix::fs::{statat, AtFlags};
+use std::fs;
+use std::sync::atomic::{AtomicBool, Ordering::Relaxed};
+
+static WORKING: AtomicBool = AtomicBool::new(false);
+static CHECKED: AtomicBool = AtomicBool::new(false);
+
+#[inline]
+pub(crate) fn beneath_supported(start: &fs::File) -> bool {
+    if WORKING.load(Relaxed) {
+        return true;
+    }
+    if CHECKED.load(Relaxed) {
+        return false;
+    }
+    // Unknown O_ flags get ignored but AT_ flags have strict checks, so we use that.
+    if let Err(rustix::io::Errno::INVAL) =
+        statat(start, "", AtFlags::EMPTY_PATH | AtFlags::RESOLVE_BENEATH)
+    {
+        CHECKED.store(true, Relaxed);
+        false
+    } else {
+        WORKING.store(true, Relaxed);
+        true
+    }
+}

cap-primitives/src/rustix/freebsd/fs/mod.rs

@@ -0,0 +1,18 @@
+mod check;
+mod open_entry_impl;
+mod open_impl;
+mod remove_dir_impl;
+mod remove_file_impl;
+mod set_permissions_impl;
+mod set_times_impl;
+mod stat_impl;
+
+pub(crate) use crate::fs::manually::canonicalize as canonicalize_impl;
+pub(crate) use check::beneath_supported;
+pub(crate) use open_entry_impl::open_entry_impl;
+pub(crate) use open_impl::open_impl;
+pub(crate) use remove_dir_impl::remove_dir_impl;
+pub(crate) use remove_file_impl::remove_file_impl;
+pub(crate) use set_permissions_impl::set_permissions_impl;
+pub(crate) use set_times_impl::{set_times_impl, set_times_nofollow_impl};
+pub(crate) use stat_impl::stat_impl;

cap-primitives/src/rustix/freebsd/fs/open_entry_impl.rs

@@ -0,0 +1,12 @@
+use crate::fs::{open_impl, OpenOptions};
+use std::ffi::OsStr;
+use std::{fs, io};
+
+#[inline(always)]
+pub(crate) fn open_entry_impl(
+    start: &fs::File,
+    path: &OsStr,
+    options: &OpenOptions,
+) -> io::Result<fs::File> {
+    open_impl(start, path.as_ref(), options)
+}

cap-primitives/src/rustix/freebsd/fs/open_impl.rs

@@ -0,0 +1,30 @@
+use super::super::super::fs::compute_oflags;
+use crate::fs::{errors, manually, OpenOptions};
+use io_lifetimes::FromFd;
+use rustix::fs::{openat, Mode, OFlags, RawMode};
+use std::path::Path;
+use std::{fs, io};
+
+pub(crate) fn open_impl(
+    start: &fs::File,
+    path: &Path,
+    options: &OpenOptions,
+) -> io::Result<fs::File> {
+    if !super::beneath_supported(start) {
+        return manually::open(start, path, options);
+    }
+
+    let oflags = compute_oflags(options)? | OFlags::RESOLVE_BENEATH;
+
+    let mode = if oflags.contains(OFlags::CREATE) {
+        Mode::from_bits((options.ext.mode & 0o7777) as RawMode).unwrap()
+    } else {
+        Mode::empty()
+    };
+
+    match openat(start, path, oflags, mode) {
+        Ok(file) => Ok(fs::File::from_into_fd(file)),
+        Err(rustix::io::Errno::NOTCAPABLE) => Err(errors::escape_attempt()),
+        Err(err) => Err(err.into()),
+    }
+}

cap-primitives/src/rustix/freebsd/fs/remove_dir_impl.rs

@@ -0,0 +1,16 @@
+use crate::fs::via_parent;
+use rustix::fs::{unlinkat, AtFlags};
+use std::path::Path;
+use std::{fs, io};
+
+pub(crate) fn remove_dir_impl(start: &fs::File, path: &Path) -> io::Result<()> {
+    if !super::beneath_supported(start) {
+        return via_parent::remove_dir(start, path);
+    }
+
+    Ok(unlinkat(
+        start,
+        path,
+        AtFlags::RESOLVE_BENEATH | AtFlags::REMOVEDIR,
+    )?)
+}