Cryptographically verifiable, distributed dependency reviews
Add the last reviewed version to Cargo.toml / [dependencies]:
openat = "0.1.18"
© bestia.dev 2023, MIT License, Version: 2023.608.1636
Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/
Disclaimer: as far as evaluating syscall usage is concerned, this review considers only the behavior on Linux.
Pros
FromRawFD
).calling free); if necessary, cleanup takes place in drop().
Cons
by upstream (#18, #20).
dir.rs
Unsafe
Dir::_open() calling libc::open(): return check ok; pointer arg obtained from safe Rust type.
Dir::_sub_dir() calling libc::openat(): return check ok; pointer arg obtained from safe Rust type.
Dir::_read_link() calling libc::readlinkat(): return check ok; pointer arg from safe, zeroed Vec; size passed properly; result then resized to return value.
Dir::new_unnamed_file() calling CStr::from_bytes_with_nul_unchecked(): argument is static constant and null terminated.
Dir::_open_file() calling libc::openat(): return check ok; pointer arg from safe Rust type.
Dir::_open_file() calling File::from_raw_fd(): arg was obtained via ok syscall immediately above.
Dir::_symlink() calling libc::symlinkat(): return check ok; pointer args obtained from safe Rust types.
Dir::_create_dir() calling libc::mkdirat(): return check ok; pointer arg obtained from safe Rust type.
Dir::_unlink() calling libc::unlinkat(): return check ok; pointer args are sane.
Dir::_stat() calling mem::zeroed(): used on stack allocated struct type.
Dir::_stat() calling libc::fstatat(): return check ok; pointer arg path obtained from safe Rust type; struct stat obtained from zeroed buffer.
_rename() calling libc::renameat(): return check ok; pointer args from safe Rust types.
_hardlink() calling libc::linkat(): return check ok; pointer args from safe Rust types.
_rename_flags() calling libc::syscall() for renameat(2): return check ok; pointer args from safe Rust types; (non-impl'd syscall wrapper, related to libc issue #1508).
impl FromRawFd for Dir {}: unsafe API.
impl Drop for Dir {} calling libc::close(): no checks for result, which is ok in dtor that must not fail. Checks for libc::AT_FDCWD which is used occasionally in arguments to internal APIs.
Other gotchas
O_NOFOLLOW in calls to openat(2), fstatat(2).
to enforce selectively.
O_TMPFILE in Dir::new_unnamed_file(): ok-ish and issues documented.
last_os_error().
libc::mode_t to libc::c_uint for calls to openat(); apparently necessary on FreeBSD; the rationale should be documented (see #21).
Dir::symlink() reverses order of argument of the syscall. This is unexpected but documented.
list.rs
Unsafe
DirIter::next_entry(): unsafe due to writes to errno and general MT unsafety of wrapped call to readdir(3); ok due to errno residing in TLS. Result pointer is wrapped in option type, cannot point to an invalid object, not shared across threads (DirIter is neither Send nor Sync), dropped properly, and not exposed publicly.
impl Iterator for DirIter {}: calls unsafe next_entry() (see above); calls unsafe CStr::from_ptr() on const char pointer obtained earlier by call to readdir(3) which guarantees null termination.
impl Drop for DirIter {} calling libc::closedir(): is only reached for valid objects.
name.rs
AsPath for converting various types to something useable with C APIs that take paths (CStr, CString). Lifetime bounds ensure this can be used efficiently and safely. No fishy casts.
filetype.rs
metadata.rs
is.metadata.rs
struct stat, so no issue here with lifetimes.
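
The review's note on Dir::_read_link() (return check, pointer from a safe type, zeroed Vec, size passed properly, result resized to the return value) describes a pattern that can be shown in isolation. The following is an added example, not code from the openat crate or from the reviewer; read_link_at is a hypothetical helper, readlinkat is declared by hand instead of through the libc crate, and AT_FDCWD uses the Linux value. It goes one step beyond the note by retrying with a larger buffer when the return value equals the buffer size, since readlinkat truncates silently.

```rust
use std::ffi::{CString, OsString};
use std::io;
use std::os::raw::{c_char, c_int};
use std::os::unix::ffi::OsStringExt;
use std::path::PathBuf;

// Assumption: Linux value of AT_FDCWD, declared by hand so no external crate is needed.
const AT_FDCWD: c_int = -100;

extern "C" {
    // ssize_t readlinkat(int dirfd, const char *pathname, char *buf, size_t bufsiz);
    fn readlinkat(dirfd: c_int, path: *const c_char, buf: *mut c_char, bufsiz: usize) -> isize;
}

/// Hypothetical helper (not the crate's API): read a symlink target relative to `dirfd`.
fn read_link_at(dirfd: c_int, path: &str) -> io::Result<PathBuf> {
    // Pointer argument comes from a safe Rust type; interior NULs are rejected here.
    let c_path = CString::new(path).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    let mut buf = vec![0u8; 64]; // safe, zeroed Vec; small on purpose to exercise the retry
    loop {
        // SAFETY: c_path is NUL-terminated and outlives the call; buf is valid for
        // writes of buf.len() bytes, and that exact length is passed as the size.
        let n = unsafe {
            readlinkat(dirfd, c_path.as_ptr(), buf.as_mut_ptr() as *mut c_char, buf.len())
        };
        if n < 0 {
            // Return check: -1 means errno is set for this thread.
            return Err(io::Error::last_os_error());
        }
        let n = n as usize;
        if n < buf.len() {
            buf.truncate(n); // result resized to the return value (no NUL is appended)
            return Ok(PathBuf::from(OsString::from_vec(buf)));
        }
        // n == buf.len(): the target may have been truncated silently, so grow and retry.
        let bigger = buf.len() * 2;
        buf.resize(bigger, 0);
    }
}

fn main() {
    // /proc/self/exe is a symlink on Linux; prints the path of this binary.
    println!("{:?}", read_link_at(AT_FDCWD, "/proc/self/exe"));
}
```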