feat: Expand safe directory traversal to all Unix platforms and fix related type conversions. #9792
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…elated type conversions.
|
GNU testsuite comparison: |
sylvestre
requested changes
Dec 23, 2025
Contributor
sylvestre
left a comment
sylvestre
left a comment
There was a problem hiding this comment.
plenty of jobs are failing, please fix them
- Use 'as u64' casts with clippy::unnecessary_cast suppression for st_nlink and st_ino to handle platform-specific type differences - Add TOCTOU (time-of-check time-of-use) to cspell dictionary Fixes compilation errors on FreeBSD, OpenBSD, and Android where libc types differ from Linux/macOS (st_nlink is u16, st_ino is u32). The cast is unnecessary on some platforms but required on others, hence the clippy suppression.
Resolved merge conflict in src/uu/du/src/du.rs by keeping the unix cfg guard (not target_os = "linux") to align with the PR's goal of expanding safe_traversal to all Unix platforms.
Contributor
|
Still a few job failures |
|
GNU testsuite comparison: |
This commit addresses compilation errors and test failures on macOS and BSD platforms introduced by the safe_traversal expansion to Unix platforms. **SELinux Platform Guards (8 files):** The SELinux module in uucore is Linux-only, gated behind `#[cfg(all(target_os = "linux", feature = "selinux"))]`. However, code was only checking `#[cfg(feature = "selinux")]`, causing compilation failures on macOS/BSDs where uucore::selinux doesn't exist. Fixed by updating all SELinux feature checks from: `#[cfg(feature = "selinux")]` to: `#[cfg(all(feature = "selinux", target_os = "linux"))]` Modified files: - src/uu/cp/src/cp.rs (2 locations) - src/uu/id/src/id.rs (4 locations) - src/uu/install/src/install.rs (17 locations) - src/uu/mkdir/src/mkdir.rs (1 location) - src/uu/mkfifo/src/mkfifo.rs (1 location) - src/uu/mknod/src/mknod.rs (1 location) - src/uu/stat/src/stat.rs (2 locations) **Type Conversion Fix:** On macOS, `libc::mode_t` is `u16` while `metadata.permissions().mode()` returns `u32`, causing a type mismatch in rm's safe_traversal code. Fixed in src/uu/rm/src/platform/unix.rs:320 by adding explicit cast: `initial_mode as libc::mode_t` **Test Fix:** Updated test_chmod_recursive to expect consistent error messages across all Unix platforms. With safe_traversal now enabled universally on Unix, the detailed error format "cannot access 'z': Permission denied" is used on all platforms, not just Linux. Modified: tests/by-util/test_chmod.rs **Verification:** - ✅ All unit tests pass (chmod, du, rm, cp, id, stat, mkdir, mkfifo, mknod, install, uucore) - ✅ All functional tests pass - ✅ cargo build --features feat_os_macos - ✅ cargo build --features feat_os_unix - ✅ cargo clippy (macOS & Unix features) - ✅ cargo fmt --all -- --check - ✅ chmod integration tests (40/40 passed)
|
GNU testsuite comparison: |
Fixes multiple platform-specific type issues in safe_traversal.rs: 1. **Clippy unnecessary_cast warnings** - Add #[allow(clippy::unnecessary_cast)] to dev(), mode(), and rdev() methods. These casts are unnecessary on Linux where types are already u64/u32, but required on macOS/BSD where: - st_dev is i32 (needs cast to u64) - st_mode is u16 (needs cast to u32) - st_rdev is i32 (needs cast to u64) 2. **Android type mismatch** - Cast st_mode to libc::mode_t in file_type() method. On Android, st_mode is u32 but libc::mode_t is u16, causing compilation failure when passing to FileType::from_mode(). These fixes match the existing pattern already used for st_ino and st_nlink. Resolves: - Style/lint (ubuntu-latest, all, true) - clippy errors - Style and Lint (unix) - OpenBSD clippy errors - Test builds (Android x86/x86_64) - type mismatch errors
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
…modules & disable safe dir for Redox (assumedly will be handled in another PR but can implement Redox specific version if requested)
…sive_impl and safe_traversal modules
|
GNU testsuite comparison: |
- Fix type mismatches in rm's unix.rs by casting libc constants to u16 to match st_mode - Add Redox stubs for safe_traversal to prevent build errors on Redox - Make locale format tests robust: only enforce strict checks on platforms with locale support (Linux, macOS, BSDs) These changes ensure safe directory traversal and related utilities build and test cleanly across all Unix targets, including Redox, and CI passes regardless of locale support.
…safe_remove_dir_recursive_impl
…pe for Android platform
|
GNU testsuite comparison: |
…lity (final huzzah)
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
…bility Fixes compilation errors on Redox by properly gating code that depends on nix crate types (FileStat) which are not available on Redox. Changes: - Add direct libc import for Redox (nix::libc not available) - Gate Metadata struct, impl, and MetadataExt trait (use FileStat) - Gate metadata_at() and metadata() methods (return Metadata) - Revert unrelated locale test changes from commit 5704355 The Redox platform lacks support for nix::sys::stat::FileStat, causing build failures. These items now follow the existing pattern of returning "safe_traversal is not supported on Redox" errors via gated stub methods.
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
Author
|
@sylvestre Would you like the Mac OS test to be updated in the same PR, or save it for another? Also I've gated Redox, under the assumption that redox and non-posix OS implementations would be handled in another PR as well. Let me know! |
Contributor
another pr is fine |
Author
|
That should be better, I removed the scattered #[cfg(...redox...)] guards. Since the module is already excluded on Redox in features.rs, the internal guards were redundant. |
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
Make safe-traversal feature conditional for chmod and du crates, enabling compilation on Redox OS which lacks support for the fstatat syscalls required by uucore's safe_traversal module. Changes: - Move safe-traversal to platform-specific dependencies for non-Redox Unix - Add guards to exclude DirFd usage on Redox - Provide Redox-specific implementation for chmod's walk_dir_with_context using standard filesystem operations - Add guard to du's new_from_dirfd to match its DirFd import guard Both utilities now fall back to standard fs operations on Redox.
|
GNU testsuite comparison: |
|
GNU testsuite comparison: |
Author
|
@sylvestre That should do it. Let me know if there's anything else needed for this pr to be merged |
Contributor
still a bunch of jobs are failing :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
feat: enable safe traversal on all Unix platforms
Expands the
safe_traversalmodule support fromtarget_os = "linux"tounix, enabling security improvements (specifically preventing TOCTOU races) on macOS and BSDs.Changes:
#[cfg(target_os = "linux")]with#[cfg(unix)]inuucore,du,chmod, andrm.src/uu/rm/src/platform/linux.rstounix.rsto reflect the broader platform support.safe_traversal.rsanddu.rsto handle platform-specific differences inlibctypes (e.g.,mode_t).Verification:
Verified with
cargo teston macOS.Closes #9747