Description
Feature gate: #![feature(dirfd)]
This is a tracking issue for directory handles. Such handles provide a stable reference to an underlying filesystem object (typically a directory) and are less vulnerable to TOCTOU attacks and similar races than repeated path-based operations. These security properties are platform-dependent: platforms that don't provide the necessary primitives fall back to operations on absolute paths, and so do not get these guarantees.
Additionally, they may provide performance benefits by avoiding repeated path lookups when performing many operations on the same directory.
Sandboxing is a non-goal. If a platform supports upwards path traversal via `..` or symlinks then directory handles will not prevent that. Providing `O_BENEATH`-style traversal is left to 3rd-party crates or future extensions.
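The platform primitive behind the handles described above is `openat`/`unlinkat` on a directory file descriptor. The following is an added example (not code from this issue or from the Rust standard library) that shows in C why a handle is a stable reference and the path-based fallback is not: the directory is renamed after the handle is taken, and access through the handle still succeeds while the original absolute path no longer resolves. It assumes Linux/POSIX and a writable `/tmp`; the temporary directory and file name are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open a handle to a directory. O_DIRECTORY rejects anything that is not a
 * directory; O_NOFOLLOW rejects a symlink in the final path component. */
static int open_dir_handle(const char *path) {
    return open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Create a file relative to the handle. O_EXCL fails if the name already
 * exists, so a pre-placed file or symlink cannot be silently reused. */
static int create_file_at(int dirfd, const char *name) {
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Returns 1 if access through the handle survives a rename of the directory
 * while access through the original path fails, 0 otherwise, -1 on setup
 * failure. The directory under /tmp is constructed for this demo. */
static int handle_survives_rename(void) {
    char tmpl[] = "/tmp/dirfd_demo_XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    int dfd = open_dir_handle(dir);
    if (dfd < 0 || create_file_at(dfd, "data.txt") < 0) return -1;

    char moved[64], via_path[64];
    snprintf(moved, sizeof moved, "%s_moved", dir);
    snprintf(via_path, sizeof via_path, "%s/data.txt", dir);
    if (rename(dir, moved) < 0) return -1;

    /* Path-based access (the absolute-path fallback) now fails. */
    int fd_path = open(via_path, O_RDONLY | O_CLOEXEC);
    /* Handle-based access is unaffected: the fd tracks the directory object. */
    int fd_handle = openat(dfd, "data.txt", O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int ok = (fd_handle >= 0) && (fd_path < 0);

    if (fd_handle >= 0) close(fd_handle);
    if (fd_path >= 0) close(fd_path);
    unlinkat(dfd, "data.txt", 0);  /* remove relative to the handle, too */
    close(dfd);
    rmdir(moved);
    return ok;
}

int main(void) {
    printf("handle survives rename: %d\n", handle_survives_rename());
    return 0;
}
```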
Public API
```rust
impl Dir {
    pub fn open<P: AsRef<Path>>(&self, path: P) -> Result<File>
    /// This could be put on OpenOptions instead
    pub fn open_with<P: AsRef<Path>>(&self, path: P, options: &OpenOptions) -> Result<File>
    pub fn create_dir<P: AsRef<Path>>(&self, path: P) -> Result<()>
    pub fn rename<P: AsRef<Path>, Q: AsRef<Path>>(&self, from: P, to_dir: &Self, to: Q) -> Result<()>
    pub fn remove_file<P: AsRef<Path>>(&self, path: P) -> Result<()>
    pub fn remove_dir<P: AsRef<Path>>(&self, path: P) -> Result<()>
    pub fn symlink<P: AsRef<Path>, Q: AsRef<Path>>(&self, original: P, link: Q) -> Result<()>
    /// ... more convenience methods
}

impl DirEntry {
    pub fn open(&self) -> Result<File>
    /// This could be put on OpenOptions instead
    pub fn open_with(&self, options: &OpenOptions) -> Result<File>
    pub fn remove_file(&self) -> Result<()>
    pub fn remove_dir(&self) -> Result<()>
}
```
Steps / History
- ACP: Add openat/unlinkat/etc. abstractions to ReadDir/DirEntry/OpenOptions libs-team#259
- portable, insecure `openat` emulation based on `Path`s
- real impls for various platforms
- `getdents` to get free conversion between dirfds and `ReadDir`
- add more `*at` calls
- Final comment period (FCP)
- Stabilization PR
Unresolved Questions
- None yet.