merge #72 into cyphar/filepath-securejoin:main

Aleksa Sarai (2):
  ci: add test run for libpathrs
  pathrs-lite: add libpathrs backend support

LGTMs: cyphar

Author: cyphar

.github/workflows/ci.yml

@@ -24,6 +24,34 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+
+      # We need libpathrs so that golangci-lint can typecheck
+      # "cyphar.com/go-pathrs" (the package needs to be buildable).
+      - uses: dtolnay/rust-toolchain@stable
+      - name: find latest libpathrs release
+        uses: actions/github-script@v8
+        id: libpathrs-release-tarball
+        with:
+          result-encoding: string
+          script: |-
+            const latest_release = await github.rest.repos.getLatestRelease({
+              owner: "cyphar",
+              repo: "libpathrs",
+            });
+            console.log(latest_release);
+            return latest_release.data.tarball_url;
+      - name: install libpathrs
+        run: |-
+          mkdir -p /tmp/libpathrs
+          cd /tmp/libpathrs
+
+          wget -O latest.tar.gz "${{ steps.libpathrs-release-tarball.outputs.result }}"
+          tar xvf latest.tar.gz
+
+          cd *libpathrs-*/
+          make release
+          sudo ./install.sh --libdir=/usr/lib
+
       - uses: actions/setup-go@v6
         with:
           go-version: '^1'
@@ -189,6 +217,88 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: cyphar/filepath-securejoin
 
+  test-libpathrs:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-22.04
+          - ubuntu-latest
+        go-version:
+          - "1.18"
+          - "oldstable"
+          - "stable"
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: dtolnay/rust-toolchain@stable
+      - name: find latest libpathrs release
+        uses: actions/github-script@v8
+        id: libpathrs-release-tarball
+        with:
+          result-encoding: string
+          script: |-
+            const latest_release = await github.rest.repos.getLatestRelease({
+              owner: "cyphar",
+              repo: "libpathrs",
+            });
+            console.log(latest_release);
+            return latest_release.data.tarball_url;
+      - name: install libpathrs
+        run: |-
+          mkdir -p /tmp/libpathrs
+          cd /tmp/libpathrs
+
+          wget -O latest.tar.gz "${{ steps.libpathrs-release-tarball.outputs.result }}"
+          tar xvf latest.tar.gz
+
+          cd *libpathrs-*/
+          make release
+          sudo ./install.sh --libdir=/usr/lib
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go-version }}
+          check-latest: true
+      - name: mkdir gocoverdir
+        # We can only use -test.gocoverdir for Go >= 1.20.
+        if: ${{ matrix.go-version != '1.18' && matrix.go-version != '1.19' }}
+        run: |
+          GOCOVERDIR="$(mktemp --tmpdir -d gocoverdir.XXXXXXXX)"
+          echo "GOCOVERDIR=$GOCOVERDIR" >>"$GITHUB_ENV"
+      - name: go test
+        run: |-
+          pkgs=("./pathrs-lite" "./pathrs-lite/procfs")
+          if [ -n "${GOCOVERDIR:-}" ]; then
+            go test -v -timeout=30m -cover -coverpkg=./... "${pkgs[@]}" -args -test.gocoverdir="$GOCOVERDIR"
+          else
+            go test -v -timeout=30m -cover -coverpkg=./... -coverprofile codecov-coverage.txt "${pkgs[@]}"
+          fi
+      - name: sudo go test
+        run: |-
+          pkgs=("./pathrs-lite" "./pathrs-lite/procfs")
+          if [ -n "${GOCOVERDIR:-}" ]; then
+            sudo go test -v -timeout=30m -cover -coverpkg=./... "${pkgs[@]}" -args -test.gocoverdir="$GOCOVERDIR"
+          else
+            sudo go test -v -timeout=30m -cover -coverpkg=./... -coverprofile codecov-coverage-sudo.txt "${pkgs[@]}"
+          fi
+      - name: upload coverage artefact
+        # We can only use -test.gocoverdir for Go >= 1.20.
+        if: ${{ matrix.go-version != '1.18' && matrix.go-version != '1.19' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ runner.os }}-${{ github.job }}-${{ strategy.job-index }}
+          path: ${{ env.GOCOVERDIR }}
+      - name: collate coverage data
+        if: ${{ env.GOCOVERDIR != '' }}
+        run: go tool covdata textfmt -i "$GOCOVERDIR" -o "codecov-coverage.txt"
+      - name: upload coverage to codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: cyphar/filepath-securejoin
+
   coverage:
     runs-on: ubuntu-latest
     needs:
@@ -244,6 +354,7 @@ jobs:
       - test-build
       - test-windows
       - test-unix
+      - test-libpathrs
       - coverage
       - codespell
     steps:

.golangci.yml

@@ -9,6 +9,10 @@
 
 version: "2"
 
+run:
+  build-tags:
+    - libpathrs
+
 linters:
   enable:
     - asasalint

CHANGELOG.md

@@ -11,6 +11,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   `Reopen` wrappers have been removed. Please switch to using `pathrs-lite`
   directly.
 
+### Added ###
+- `pathrs-lite` now has support for using libpathrs as a backend. This is
+  opt-in and can be enabled at build time with the `libpathrs` build tag. The
+  intention is to allow for downstream libraries and other projects to make use
+  of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite` package
+  and distributors can then opt-in to using `libpathrs` for the entire binary
+  if they wish.
+
 ## [0.5.0] - 2025-09-26 ##
 
 > Let the past die. Kill it if you have to.

go.mod

@@ -3,8 +3,9 @@ module github.com/cyphar/filepath-securejoin
 go 1.18
 
 require (
+	cyphar.com/go-pathrs v0.2.1-0.20251018101956-15cb2100ac4a
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/sys v0.18.0
+	golang.org/x/sys v0.26.0
 )
 
 require (

go.sum

@@ -1,11 +1,13 @@
+cyphar.com/go-pathrs v0.2.1-0.20251018101956-15cb2100ac4a h1:WHrOWFQrQ0eB7FedSqcJdAvlbE2gDxfPjecCtW6aJVU=
+cyphar.com/go-pathrs v0.2.1-0.20251018101956-15cb2100ac4a/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

hack/test.sh

@@ -18,7 +18,8 @@ GO="${GO:-go}"
 silent=
 verbose=
 long=
-while getopts "svL" opt; do
+libpathrs=
+while getopts "svLl" opt; do
 	case "$opt" in
 		s)
 			silent=1
@@ -29,6 +30,9 @@ while getopts "svL" opt; do
 		L)
 			long=1
 			;;
+		l)
+			libpathrs=1
+			;;
 		*)
 			echo "$0 [-s(ilent)]"
 			exit 1
@@ -41,6 +45,7 @@ trap 'rm -rf $gocoverdir' EXIT
 test_args=("-count=1" "-cover" "-coverpkg=./...")
 [ -n "$verbose" ] && test_args+=("-v")
 [ -z "$long" ] && test_args+=("-short")
+[ -n "$libpathrs" ] && test_args+=("-tags" "libpathrs")
 
 "$GO" test "${test_args[@]}" ./... -args -test.gocoverdir="$gocoverdir"
 sudo "$GO" test "${test_args[@]}" ./... -args -test.gocoverdir="$gocoverdir"

pathrs-lite/mkdir_libpathrs.go

@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <[email protected]>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.MkdirAll(unsafePath, mode)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}

pathrs-lite/mkdir_purego.go

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MPL-2.0
 
-//go:build linux
+//go:build linux && !libpathrs
 
 // Copyright (C) 2024-2025 Aleksa Sarai <[email protected]>
 // Copyright (C) 2024-2025 SUSE LLC

pathrs-lite/open_libpathrs.go

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <[email protected]>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.Resolve(unsafePath)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(file *os.File, flags int) (*os.File, error) {
+	handle, err := pathrs.HandleFromFile(file)
+	if err != nil {
+		return nil, err
+	}
+	defer handle.Close() //nolint:errcheck // close failures aren't critical here
+
+	return handle.OpenFile(flags)
+}

pathrs-lite/open_purego.go

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MPL-2.0
 
-//go:build linux
+//go:build linux && !libpathrs
 
 // Copyright (C) 2024-2025 Aleksa Sarai <[email protected]>
 // Copyright (C) 2024-2025 SUSE LLC