This is primarily necessary because Go users expect to be able to use os.MkdirAll (which is not safe to use with an active attacker). We could try to implement this just for Go within the bindings code, but it turns out that you need to have a fairly intricate resolve_partial() implementation for this to be efficient (especially for the opath resolver).

This implementation is based on filepath-securejoin's safe MkdirAll implementation.
This still needs:

- [ ] The extra "is this the directory we expect" code we have when doing the mkdir-openat loop. Still not entirely sure how useful it is but it wouldn't hurt (unfortunately we need to do readdir which isn't nicely supported by the Rust stdlib...)
- [x] uid/gid/mode checks.
- [x] "is the directory empty" checks.
- [ ] dead inode checks?
- [x] Maybe some tests to make sure bad modes aren't silently accepted?
Fixes #10

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
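The mkdir-openat loop with the uid/gid/mode checks described above, as an added Go example that is neither libpathrs's nor filepath-securejoin's code: `SafeMkdirAll`, its already-open root fd argument and the "no permission bits beyond the requested mode" rule are my assumptions, and the "is the directory empty" and dead-inode checks are left out.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)
// SafeMkdirAll creates rel below the already-open directory rootFd one component at
// a time (mkdirat, then openat with O_NOFOLLOW) and returns an fd to the final directory.
func SafeMkdirAll(rootFd int, rel string, mode uint32) (int, error) {
	rel = filepath.Clean(rel) // after Clean, ".." can only survive as a leading component
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
		return -1, fmt.Errorf("%q: refusing to leave the root", rel)
	}
	fail := func(fd int, err error) (int, error) { syscall.Close(fd); return -1, err }
	uid, gid := uint32(os.Geteuid()), uint32(os.Getegid())
	dirFd, err := syscall.Dup(rootFd) // the caller keeps ownership of rootFd
	if err != nil {
		return -1, err
	}
	for _, part := range strings.Split(rel, "/") {
		created := true
		if err := syscall.Mkdirat(dirFd, part, mode); err != nil {
			if err != syscall.EEXIST {
				return fail(dirFd, fmt.Errorf("mkdirat %q: %w", part, err))
			}
			created = false // something is already there; a symlink is still refused below
		}
		// Re-open by name relative to the parent fd, never following symlinks (assumed flags).
		flags := syscall.O_RDONLY | syscall.O_DIRECTORY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		childFd, err := syscall.Openat(dirFd, part, flags, 0)
		syscall.Close(dirFd)
		if err != nil {
			return -1, fmt.Errorf("openat %q: %w", part, err)
		}
		var st syscall.Stat_t
		if err := syscall.Fstat(childFd, &st); err != nil {
			return fail(childFd, err)
		}
		// uid/gid/mode check on what we actually opened: a directory we just created must
		// be ours and carry no permission bits beyond those requested (umask only clears bits).
		if created && (st.Uid != uid || st.Gid != gid || st.Mode&0o777&^(mode&0o777) != 0) {
			return fail(childFd, fmt.Errorf("%q: directory is not the one we created", part))
		}
		dirFd = childFd
	}
	return dirFd, nil
}
```

The returned fd is a plain O_RDONLY directory fd, so a caller can readdir it for the "is the directory empty" check before trusting it.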