Skip to content

Releases: openSUSE/libpathrs

libpathrs v0.1.3 -- "自動化って物は試しとすればいい物だ"

09 Oct 12:05
v0.1.3
82e8ba3
Compare
Choose a tag to compare

This is the third patch release of the 0.1.z branch of libpathrs. This
only includes a few small fixes, but is mainly intended to just test
that our automated release GitHub Actions correctly work on a real
release in the main repo.

  • gha: our Rust crate and Python bindings are now uploaded automatically from a
    GitHub action when a tag is pushed.
  • syscalls: the pretty-printing of openat2 errors now gives a string
    description of the flags passed rather that just a hex value (to match other
    syscalls).

  • python bindings: restrict how our methods and functions can be called using
    / and * to reduce the possibility of future breakages if we rename or
    re-order some of our arguments.

Thanks to the following people who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs v0.1.2 -- "蛇のように賢く、鳩のように素直でありなさい"

09 Oct 04:32
v0.1.2
ebada5e
Compare
Choose a tag to compare

This is the second patch release of the 0.1.z branch of libpathrs. The
primary fixes are related to the Python libpathrs bindings.

  • python bindings: add a minimal README for PyPI.
  • python bindings: actually export PROC_ROOT.
  • python bindings: add type annotations and py.typed to allow for downstream
    users to get proper type annotations for the API.

Thanks to the following people who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs v0.1.1 -- "頒布と聞いたら蛇に睨まれた蛙になるよ"

02 Oct 02:01
v0.1.1
8d0569a
Compare
Choose a tag to compare

This is the first patch release of the 0.1.z branch of libpathrs. The
primary fixes are related to packaging the Python libpathrs bindings for
distributions.

  • procfs: add support for operating on files in the /proc root (or other
    processes) with ProcfsBase::ProcRoot.

    While the cached file descriptor shouldn't leak into containers (container
    runtimes know to set PR_SET_DUMPABLE, and our cached file descriptor is
    O_CLOEXEC), I felt a little uncomfortable about having a global unmasked
    procfs handle sitting around in libpathrs. So, in order to avoid making a
    file descriptor leak by a libpathrs user catastrophic, libpathrs will
    always try to use a "limited" procfs handle as the global cached handle
    (which is much safer to leak into a container) and for operations on
    ProcfsBase::ProcRoot, a temporary new "unrestricted" procfs handle is
    created just for that operartion. This is more expensive, but it avoids a
    potential leak turning into a breakout or other nightmare scenario.

  • python bindings: The cffi build script is now a little easier to use for
    distributions that want to build the python bindings at the same time as the
    main library. After compiling the library, set the PATHRS_SRC_ROOT
    environment variable to the root of the libpathrs source directory. This
    will instruct the cffi build script (when called from setup.py or
    python3 -m build) to link against the library built in the source directory
    rather than using system libraries. As long as you install the same library
    later, this should cause no issues.

    Standard wheel builds still work the same way, so users that want to link
    against the system libraries don't need to make any changes.

  • Root::mkdir_all no longer does strict verification that directories craeted
    by mkdir_all "look right" after opening each component. These checks didn't
    protect against any practical attack (since an attacker could just get us to
    use a directory by creating it before Root::mkdir_all and we would happily
    use it) and just resulted in spurious errors when dealing with complicated
    filesystem configurations (POSIX ACLs, weird filesystem-specific mount
    options). (#71)

  • capi: Passing invalid pathrs_proc_base_t values to pathrs_proc_* will now
    return an error rather than resulting in Undefined Behaviour™.

Thanks to the following people who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs v0.1.0 -- "負けたくないことに理由って要る?"

13 Sep 15:44
v0.1.0
32f55b9
Compare
Choose a tag to compare

This is the first fully-fledged release of libpathrs. All of the obvious
features have been implemented, and both the C and Rust APIs have been
redesigned a few times so I am fairly sure this design is pretty solid
now. While there was a fairly long hiatus in development, we're back on
track.

Many things have changed since the last release, here are the highlights:

  • cffi: Redesign the entire API to be file descriptor based, removing the need
    for complicated freeing logic and matching what most kernel APIs actually
    look like. While there is a risk that users would operate on file descriptors
    themselves, the benefits of a pure-fd-based API outweigh those issues (and
    languages with bindings like Python and Go can easily wrap the file
    descriptor to provide helper methods and avoid this mistake by users).

    Aside from making C users happier, this makes writing bindings much simpler
    because every language has native support for handling the freeing of file
    objects (Go in particular has *os.File which would be too difficult to
    emulate outside of the stdlib because of it's unique Close handling).

    • Unfortunately, this API change also removed some information from the C API
      because it was too difficult to deal with:
      • Backtraces are no longer provided to the C API. There is no plan to
        re-add them because they complicate the C API a fair bit and it turns out
        that it's basically impossible to graft backtraces to languages that have
        native backtrace support (Go and Python) so providing this information
        has no real benefit to anyone.
      • The configuration API has been removed for now. In the future we will
        probably want to re-add it, but figuring out a nice API for this is left
        for a future (pre-1.0) release. In practice, the default settings are the
        best settings to use for most people anyway.
  • libpathrs now has a "safe procfs resolver" implementation that
    verifies all of our operations on /proc are done safely (including
    using fsopen(2) or open_tree(2) to create a private /proc to protect
    against race attacks).

    This is mainly motivated by issues like CVE-2019-16884 and
    CVE-2019-19921, where an attacker could configure a malicious mount
    table such that naively doing /proc operations could result in
    security issues. While there are limited things you can do in such a
    scenario, it is far more preferable to be able to detect these kinds
    of attacks and at least error out if there is a malicious /proc.

    This is based on similar work I did in filepath-securejoin.

    • This API is also exposed to users through the Rust and C FFI because
      this is something a fair number of system tools (such as container
      runtimes) need.
  • libpathrs now has an official MSRV of 1.63, which is verified by our
    CI. The MSRV was chosen because it's the Rust version in Debian stable
    and it has io_safety which is one of the last bits we absolutely need.

  • root: new Root methods:

    • readlink and resolve_nofollow to allow users to operate on symlinks
      directly (though it is still unsafe to use the returned path for
      lookups!).
    • remove_all so that Go users can switch from os.RemoveAll (though
      Go's os.RemoveAll is safe against races since Go 1.21.11 and Go
      1.22.4).
    • mkdir_all so that Go users can switch from os.MkdirAll. This is
      based on similar work done in filepath-securejoin.
  • root: The method for configuring the resolver has changed to be more
    akin to a getter-setter style. This allows for more ergonomic usage
    (see the RootRef::with_resolver_flags examples) and also lets us avoid
    exposing internal types needlessly.

    As part of this change, the ability to choose the resolver backend was
    removed (because the C API also no longer supports it). This will
    probably be re-added in the future, but for now it seems best to not
    add extra APIs that aren't necessary until someone asks.

  • opath resolver: We now emulate fs.protected_symlinks when resolving
    symlinks using the emulated opath resolver. This is only done if
    fs.protected_symlinks is enabled on the system (to mirror the
    behaviour of openat2).

  • packaging: Add an autoconf-like install.sh script that generates a
    pkg-config specification for libpathrs. This should help distributions
    package libpathrs.

  • Handling of // and trailing slashes has been fixed to better match what
    users expect and what the kernel does.

  • opath resolver: Use reference counting to avoid needlessly cloning files
    internally when doing lookups.

  • cffi: Building the C API is now optional, so Rust crates won't contain any of
    the C FFI code and we only build the C FFI crate types manually in the
    makefile. This also lets us remove some dependencies and other annoying
    things in the Rust crate (since those things are only needed for the C API).

  • python bindings: Switch to setuptools to allow for a proper Python package
    install. This also includes some reworking of the layout to avoid leaking
    stuff to users that just do import pathrs.

  • bindings: All of the bindings were rewritten to use the new API.

  • rust: Rework libpathrs to use the (stabilised in Rust 1.63) io_safety
    features. This lets us avoid possible "use after free" issues with file
    descriptors that were closed by accident.

    This required the addition of HandleRef and RootRef to wrap BorrowedFd
    (this is needed for the C API, but is almost certainly useful to other
    folks). Unfortunately we can't implement Deref so all of the methods need
    to be duplicated for the new types.

  • Split Root::remove into Root::remove_file (unlink) and
    Root::remove_dir (rmdir) so we don't need to do the retry loop anymore.
    Some users care about what kind of inode they're removing, and if a user
    really wants to nuke a path they would want to use Root::remove_all anyway
    because the old Root::remove would not remove non-empty directories.

Thanks to the following contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs 0.0.2

14 Feb 17:22
v0.0.2
4627e9a
Compare
Choose a tag to compare
libpathrs 0.0.2 Pre-release
Pre-release

The main improvements in this release are:

  • Go bindings (thanks to Maxim).
  • Massively reworked threading model for C FFI -- now all errors are
    thread-local but libpathrs objects can be used from multiple threads
    without races.
  • pathrs_from_fd() now makes a copy of the input file to avoid issues
    with languages that might not be able to smoothly handle the concept
    of "forget this file you used to manage".
  • Update to the latest (now-merged) openat2 syscall ABI.

Thanks to all the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs 0.0.1

14 Feb 17:23
v0.0.1
94e7188
Compare
Choose a tag to compare
libpathrs 0.0.1 Pre-release
Pre-release

First PoC release, but still lots of work to be done.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

libpathrs 0.0.0 [yanked]

14 Feb 17:23
v0.0.0
51d95fa
Compare
Choose a tag to compare
Pre-release

Historic release which had broken docs and was yanked.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com