Skip to content

v0.3.0
Compare
Choose a tag to compare
@cyphar cyphar released this 11 Jul 14:09
· 62 commits to main since this release
v0.3.0
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Learn about vigilant mode.
b984b9c
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Learn about vigilant mode.

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer
to use for most usecases. These are adapted from libpathrs and are
the bare minimum to be able to operate more safely on an untrusted
rootfs where an attacker has write access (something that SecureJoin
cannot protect against). The new APIs are:

  • OpenInRoot, which resolves a path inside a rootfs and returns an
    *os.File handle to the path. Note that the file handle returned by
    OpenInRoot is an O_PATH handle, which cannot be used for reading or
    writing (as well as some other operations -- see open(2) for more
    details    ).

  • Reopen, which takes an O_PATH file handle and safely re-opens it to
    "upgrade" it to a regular handle.

  • MkdirAll, which is a safe implementation of os.MkdirAll that can be
    used to create directory trees inside a rootfs.

As these are new APIs, it is possible they may change in the future.
However, they should be safe to start migrating to as we have extensive
tests ensuring they behave correctly and are safe against various races
and other attacks.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 2
Loading