Add a test and a hotfix for path_open read rights #618
Conversation
|
I created a hotfix, but this is blocked by #632. |
Add a routine for obtaining an `OsFile` containing a file descriptor for stdin/stdout/stderr so that we can do fd_fdstat_get on them.
This commits renames `OsFile` to `OsHandle` which seems to make more sense semantically as it is permitted to hold a valid OS handle to OS entities other than simply file/dir (e.g., socket, stream, etc.). As such, this commit also renames methods on `Descriptor` struct from `as_actual_file` to `as_file` as this in reality does pertain ops on FS entities such as files/dirs, and `as_file` to `as_os_handle` as in this case it can be anything, from file, through a socket, to a stream.
To prevent a `ManuallyDrop<OsHandleRef>` from outliving the resource it holds on to, create an `OsHandleRef` class parameterized on the lifetime of the `Descriptor`.
While we are waiting for the Rust toolchain to use the new ABI, I thought it might be useful to sync `snapshot_0` with the latest code in `wasi-common` "upstream". This mainly includes the latest refactoring effort to unify the machinery for `fd_readdir` between Linux, Windows and BSD.
marmistrz
changed the title
Also, remove a no-op restriction of rights to the ones returned by `determine_type_rights`. It was redundant, because `FdEntry:from` internally also called `determine_type_rights` and only dropped some of them.
|
The hotfix works for me locally and is ready for review. See the commit message for the reason why This PR builds upon #647, hence the merge conflicts. |
|
@kubkon @sunfishcode @peterhuene could you please review this change? |
peterhuene
added
the
wasi:impl
There was a problem hiding this comment.
This makes sense to me! Some minor feedback provided. Let's get @kubkon and @sunfishcode's feedback before moving forward.
| @@ -0,0 +1,96 @@ | |||
| use std::{env, process}; | |||
| use wasi_old::wasi_unstable; | |||
There was a problem hiding this comment.
Should we update this to use the wasi crate given it's a new test program?
There was a problem hiding this comment.
I'm quite confused how to cope with the snapshot stuff or wasi vs wasi_old, so any input is appreciated.
There was a problem hiding this comment.
As an example, the test program added for #711 uses the wasi crate, which will currently target the preview1 impl.
I assume we'll be moving all the test programs over to the wasi crate sooner or later.
Additionally, I think we'll want dedicated tests targeted at previous previews for the sole purpose of testing backwards compatibility for WASI interface changes so we don't have to snapshot all of the test programs themselves for every snapshot of WASI, but perhaps @sunfishcode @alexcrichton @kubkon know more regarding that.
There was a problem hiding this comment.
Yep, the current trend is to use wasi in tests as @peterhuene suggested. As far as I remember, @alexcrichton has already started porting some of the tests to using wasi instead of wasi_old.
In the future, I definitely agree we should have a way to test different versions of the snapshot, preferably in a way that's automatic.
| @@ -52,3 +52,32 @@ pub unsafe fn cleanup_file(dir_fd: wasi_unstable::Fd, file_name: &str) { | |||
| pub unsafe fn close_fd(fd: wasi_unstable::Fd) { | |||
| assert!(wasi_unstable::fd_close(fd).is_ok(), "closing a file"); | |||
| } | |||
|
|
|||
| // Returns: (rights_base, rights_inheriting) | |||
| pub unsafe fn fd_get_rights(fd: wasi_unstable::Fd) -> (wasi_unstable::Rights, wasi_unstable::Rights) { | |||
There was a problem hiding this comment.
This function may not be necessary if we do update the test propram to use wasi given how it greatly simplifies things.
| (fdstat.fs_rights_base, fdstat.fs_rights_inheriting) | ||
| } | ||
|
|
||
| pub unsafe fn drop_rights( |
There was a problem hiding this comment.
Likewise for this function, although a utility function that does the same thing using wasi would make sense.
| // This should not be needed, but currently determine_type_and_access_rights, | ||
| // which is used by FdEntry::from, may grant more rights than requested. | ||
| // | ||
| // This is a hotfix. It needs to be discussed whether or not `path_open` |
There was a problem hiding this comment.
Let's have that discussion here so we don't add a comment with this is a hotfix.
I think @sunfishcode is more qualified to answer this than I. On the surface it sounds wrong to me, though.
There was a problem hiding this comment.
Perhaps we could change "This is a hotfix." for "TODO"?
There was a problem hiding this comment.
I intend to remove the it needs to be discussed part when we'll have discussed it ;)
|
The documentation for Code which doesn't know exactly which rights it will need can do an |
|
@sunfishcode but the documentation says nothing about granting more rights than requested. Those rights were not requested by the user, but were implicitly granted by the runtime, as per #617. The file was opened as and we still have the right to The resaon is that, in the current codebase, |
|
We shouldn't grant more rights than the user requests. I think the algorithm for
|
|
I agree that such semantics are desirable. This in particular means that some of the tests are incorrect. For instance in wasmtime/crates/test-programs/wasi-tests/src/bin/file_allocate.rs Lines 11 to 20 in a582389 but later on fd_allocate is expected to succeed:wasmtime/crates/test-programs/wasi-tests/src/bin/file_allocate.rs Lines 52 to 55 in a582389 I'll change tests like this one to explicitly pass in the required rights. One tricky question: if wasmtime/crates/test-programs/wasi-tests/src/bin/truncation_rights.rs Lines 40 to 49 in a582389 or should we rather change it to: status = wasi_path_open(
dir_fd,
0,
"file",
wasi_unstable::O_TRUNC,
wasi_unstable::RIGHT_PATH_FILESTAT_SET_SIZE,
0,
0,
&mut file_fd,
); |
With current implementation new file descriptors may have
RIGHT_FD_READeven after it was dropped on the parent descriptor beforehand. This makes it possible to read the file content when it should be denied. (on Unix)Connected with #570 & #617.