dirext: Add xattr wrappers

There's a lot of subtleties to these APIs. First,
unlike the `xattrs` crate, we operate on cap-std `Dir`
objects. As part of that, we also explicitly error
out on absolute paths, as well as paths containing
any uplinks (`../`) at all.

- Always use `/proc/self/fd` with `lgetxattr`
  because this is the only way to get/set xattrs on
  symlinks.
- Return a `Result<Option<>>` with getxattr for
  consistency with our other APIs to handle the
  common case of looking for a nonexistent xattr.
- The `getxattr` and `listxattr` APIs are also higher level than
  what Rustix offers to be maximally convenient;
  we always return an owned buffer, and handle
  resizing it.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

src/dirext.rs

@@ -226,6 +226,24 @@ pub trait CapStdExtDirExt {
     /// to determine, and `None` will be returned in those cases.
     fn is_mountpoint(&self, path: impl AsRef<Path>) -> Result<Option<bool>>;
 
+    #[cfg(not(windows))]
+    /// Get the value of an extended attribute. If the attribute is not present,
+    /// this function will return `Ok(None)`.
+    fn getxattr(&self, path: impl AsRef<Path>, key: impl AsRef<OsStr>) -> Result<Option<Vec<u8>>>;
+
+    #[cfg(not(windows))]
+    /// List all extended attribute keys for this path.
+    fn listxattrs(&self, path: impl AsRef<Path>) -> Result<crate::XattrList>;
+
+    #[cfg(not(windows))]
+    /// Set the value of an extended attribute.
+    fn setxattr(
+        &self,
+        path: impl AsRef<Path>,
+        key: impl AsRef<OsStr>,
+        value: impl AsRef<[u8]>,
+    ) -> Result<()>;
+
     /// Recursively walk a directory. If the function returns [`std::ops::ControlFlow::Break`]
     /// while inspecting a directory, traversal of that directory is skipped. If
     /// [`std::ops::ControlFlow::Break`] is returned when inspecting a non-directory,
@@ -562,6 +580,20 @@ where
     Ok(())
 }
 
+// Ensure that the target path isn't absolute, and doesn't
+// have any parent references.
+pub(crate) fn validate_relpath_no_uplinks(path: &Path) -> Result<&Path> {
+    let is_absolute = path.is_absolute();
+    let contains_uplinks = path
+        .components()
+        .any(|e| e == std::path::Component::ParentDir);
+    if is_absolute || contains_uplinks {
+        Err(crate::escape_attempt())
+    } else {
+        Ok(path)
+    }
+}
+
 impl CapStdExtDirExt for Dir {
     fn open_optional(&self, path: impl AsRef<Path>) -> Result<Option<File>> {
         map_optional(self.open(path.as_ref()))
@@ -738,6 +770,26 @@ impl CapStdExtDirExt for Dir {
         is_mountpoint_impl_statx(self, path.as_ref()).map_err(Into::into)
     }
 
+    #[cfg(not(windows))]
+    fn getxattr(&self, path: impl AsRef<Path>, key: impl AsRef<OsStr>) -> Result<Option<Vec<u8>>> {
+        crate::xattrs::impl_getxattr(self, path.as_ref(), key.as_ref())
+    }
+
+    #[cfg(not(windows))]
+    fn listxattrs(&self, path: impl AsRef<Path>) -> Result<crate::XattrList> {
+        crate::xattrs::impl_listxattrs(self, path.as_ref())
+    }
+
+    #[cfg(not(windows))]
+    fn setxattr(
+        &self,
+        path: impl AsRef<Path>,
+        key: impl AsRef<OsStr>,
+        value: impl AsRef<[u8]>,
+    ) -> Result<()> {
+        crate::xattrs::impl_setxattr(self, path.as_ref(), key.as_ref(), value.as_ref())
+    }
+
     fn walk<C, E>(&self, config: &WalkConfiguration, mut callback: C) -> std::result::Result<(), E>
     where
         C: FnMut(&WalkComponent) -> WalkResult<E>,
@@ -851,3 +903,23 @@ impl CapStdExtDirExtUtf8 for cap_std::fs_utf8::Dir {
         Ok(r)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use std::path::Path;
+
+    use super::*;
+
+    #[test]
+    fn test_validate_relpath_no_uplinks() {
+        let ok_cases = ["foo", "foo/bar", "foo/bar/"];
+        let err_cases = ["/foo", "/", "../foo", "foo/../bar"];
+
+        for case in ok_cases {
+            assert!(validate_relpath_no_uplinks(Path::new(case)).is_ok());
+        }
+        for case in err_cases {
+            assert!(validate_relpath_no_uplinks(Path::new(case)).is_err());
+        }
+    }
+}

src/lib.rs

@@ -6,6 +6,8 @@
 #![deny(unsafe_code)]
 #![cfg_attr(feature = "dox", feature(doc_cfg))]
 
+use std::io;
+
 // Re-export our dependencies
 pub use cap_primitives;
 #[cfg(feature = "fs_utf8")]
@@ -19,7 +21,20 @@ pub mod dirext;
 
 #[cfg(any(target_os = "android", target_os = "linux"))]
 mod rootdir;
+#[cfg(any(target_os = "android", target_os = "linux"))]
 pub use rootdir::*;
+#[cfg(not(windows))]
+mod xattrs;
+#[cfg(not(windows))]
+pub use xattrs::XattrList;
+
+#[cold]
+pub(crate) fn escape_attempt() -> io::Error {
+    io::Error::new(
+        io::ErrorKind::PermissionDenied,
+        "a path led outside of the filesystem",
+    )
+}
 
 /// Prelude, intended for glob import.
 pub mod prelude {

src/xattrs.rs

@@ -0,0 +1,108 @@
+use std::io::Result;
+use std::{
+    ffi::OsStr,
+    os::unix::ffi::OsStrExt,
+    path::{Path, PathBuf},
+};
+
+use cap_tempfile::cap_std::fs::Dir;
+use rustix::buffer::spare_capacity;
+
+use crate::dirext::validate_relpath_no_uplinks;
+
+/// Convert the directory and path pair into a /proc/self/fd path
+/// which is useful for xattr functions in particular to be able
+/// to operate on symlinks.
+///
+/// Absolute paths as well as paths with uplinks (`..`) are an error.
+fn proc_self_path(d: &Dir, path: &Path) -> Result<PathBuf> {
+    use rustix::path::DecInt;
+    use std::os::fd::{AsFd, AsRawFd};
+
+    // Require relative paths here.
+    let path = validate_relpath_no_uplinks(path)?;
+
+    let mut pathbuf = PathBuf::from("/proc/self/fd");
+    pathbuf.push(DecInt::new(d.as_fd().as_raw_fd()));
+    pathbuf.push(path);
+    Ok(pathbuf)
+}
+
+pub(crate) fn impl_getxattr(d: &Dir, path: &Path, key: &OsStr) -> Result<Option<Vec<u8>>> {
+    let path = &proc_self_path(d, path)?;
+
+    // In my experience few extended attributes exceed this
+    let mut buf = Vec::with_capacity(256);
+
+    loop {
+        match rustix::fs::lgetxattr(path, key, spare_capacity(&mut buf)) {
+            Ok(_) => {
+                return Ok(Some(buf));
+            }
+            Err(rustix::io::Errno::NODATA) => {
+                return Ok(None);
+            }
+            Err(rustix::io::Errno::RANGE) => {
+                buf.reserve(buf.capacity().saturating_mul(2));
+            }
+            Err(e) => {
+                return Err(e.into());
+            }
+        }
+    }
+}
+
+/// A list of extended attribute value names
+#[derive(Debug)]
+#[cfg(any(target_os = "android", target_os = "linux"))]
+pub struct XattrList {
+    /// Contents of the return value from the llistxattr system call;
+    /// effectively Vec<OsStr> with an empty value as terminator.
+    /// Not public - we expect callers to invoke the `iter()` method.
+    /// When Rust has lending iterators then we could implement IntoIterator
+    /// in a way that borrows from this value.
+    buf: Vec<u8>,
+}
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+impl XattrList {
+    /// Return an iterator over the elements of this extended attribute list.
+    pub fn iter(&self) -> impl Iterator<Item = &'_ std::ffi::OsStr> {
+        self.buf.split(|&v| v == 0).filter_map(|v| {
+            // Note this case should only happen once at the end
+            if v.is_empty() {
+                None
+            } else {
+                Some(OsStr::from_bytes(v))
+            }
+        })
+    }
+}
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+pub(crate) fn impl_listxattrs(d: &Dir, path: &Path) -> Result<XattrList> {
+    let path = &proc_self_path(d, path)?;
+
+    let mut buf = Vec::with_capacity(512);
+
+    loop {
+        match rustix::fs::llistxattr(path, spare_capacity(&mut buf)) {
+            Ok(_) => {
+                return Ok(XattrList { buf });
+            }
+            Err(rustix::io::Errno::RANGE) => {
+                buf.reserve(buf.capacity().saturating_mul(2));
+            }
+            Err(e) => {
+                return Err(e.into());
+            }
+        }
+    }
+}
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+pub(crate) fn impl_setxattr(d: &Dir, path: &Path, key: &OsStr, value: &[u8]) -> Result<()> {
+    let path = &proc_self_path(d, path)?;
+    rustix::fs::lsetxattr(path, key, value, rustix::fs::XattrFlags::empty())?;
+    Ok(())
+}

tests/it/main.rs

@@ -568,3 +568,78 @@ fn test_walk_noxdev() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+#[cfg(not(windows))]
+fn test_xattrs() -> Result<()> {
+    use std::os::unix::ffi::OsStrExt;
+
+    let td = &cap_tempfile::TempDir::new(cap_std::ambient_authority())?;
+
+    assert!(td.getxattr(".", "user.test").unwrap().is_none());
+    td.setxattr(".", "user.test", "somevalue").unwrap();
+    assert_eq!(
+        td.getxattr(".", "user.test").unwrap().unwrap(),
+        b"somevalue"
+    );
+    // Helper fn to list only user. xattrs - filter out especially
+    // system xattrs like security.selinux which may be synthesized by the OS
+    fn list_user_xattrs(d: &Dir, p: impl AsRef<Path>) -> Vec<std::ffi::OsString> {
+        let attrs = d.listxattrs(p).unwrap();
+        attrs
+            .iter()
+            .filter(|k| {
+                let Some(k) = k.to_str() else {
+                    return false;
+                };
+                k.split_once('.').unwrap().0 == "user"
+            })
+            .map(ToOwned::to_owned)
+            .collect::<Vec<_>>()
+    }
+    match list_user_xattrs(td, ".").as_slice() {
+        [] => unreachable!(),
+        [v] => assert_eq!(v.as_bytes(), b"user.test"),
+        _ => unreachable!(),
+    };
+
+    // Test multiple xattrs
+    td.setxattr(".", "user.othertest", b"anothervalue").unwrap();
+    assert_eq!(list_user_xattrs(td, ".").len(), 2);
+
+    // Test operating on a subdirectory file
+    td.create_dir_all("foo/bar/baz")?;
+    let p = "foo/bar/baz/subfile";
+    td.write(p, "afile")?;
+    td.setxattr(p, "user.filetest", b"filexattr").unwrap();
+    assert_eq!(
+        td.getxattr(p, "user.filetest").unwrap().unwrap(),
+        b"filexattr"
+    );
+    match list_user_xattrs(td, p).as_slice() {
+        [v] => assert_eq!(v.as_bytes(), b"user.filetest"),
+        _ => unreachable!(),
+    };
+
+    // Test listing xattrs on a broken symlink. We can't set user.
+    // xattrs on a symlink, so we don't test that in unit tests.
+    let p = "foo/bar/baz/somelink";
+    td.symlink("enoent", p)?;
+    assert!(list_user_xattrs(td, p).is_empty());
+
+    Ok(())
+}
+
+#[test]
+#[cfg(not(windows))]
+fn test_big_xattr() -> Result<()> {
+    let td = &cap_tempfile::TempDir::new(cap_std::ambient_authority())?;
+
+    let bigbuf = b"x".repeat(4000);
+    td.setxattr(".", "user.test", &bigbuf).unwrap();
+    let v = td.getxattr(".", "user.test").unwrap().unwrap();
+    assert_eq!(bigbuf.len(), v.len());
+    assert_eq!(bigbuf, v);
+
+    Ok(())
+}