Centralize sysroot path translation and case-fold #33
Merged
Move guest-to-host path resolution into a single entry point in src/syscall/path.{c,h}. path_translate_at honors three modes (no-follow, follow, create-with-optional-parents), preserves the resolver errno on failure so callers translate it via linux_errno() instead of flattening to ENAMETOOLONG, and rejects ".." in the basename when follow_final is false so an lstat cannot escape above the sysroot.

Factor --sysroot/--create-sysroot provisioning out of main.c into src/core/sysroot.{c,h}. Validate caller-supplied sysroot length before any heap allocation, treat collision-sentinel truncation as a hard validation failure rather than failing open, and set errno on every parse path so the cleanup logger reports a real reason.

Add a case-fold sidecar at src/syscall/sidecar.{c,h} for case-insensitive macOS volumes. The sidecar keeps colliding Linux guest names distinct by mapping each to a hidden token file plus a per-directory index, so that guest workloads relying on case-sensitive Linux path semantics still work on the host's case-insensitive APFS or HFS+. Procemu-virtual paths (/proc, /sys, /dev) short-circuit the sidecar walk after normalization so they reach the procemu intercept intact instead of failing with ENOENT against a directory that does not exist in the sysroot.

Fix /proc/self/exe sysroot prefix strip: proc_set_sysroot stores the realpath canonical form, so the readlink handler now canonicalizes the stored elf_path before the prefix check, otherwise macOS symlinks such as /var -> /private/var make the strncmp diverge and leak the host path back to the guest.

Serialize sysroot_casefold across fork IPC so child processes keep the sidecar feature after clone/fork. Lock elf_path against torn reads from sibling vCPUs during execve and expose proc_elf_path_snapshot for content-consuming callers; proc_get_elf_path keeps the legacy boolean-test contract.
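The two path rules the description relies on, shown as an added example that is not the project's own code (path_translate_at, proc_set_sysroot and the sidecar are not reproduced here): a sysroot translator that clamps ".." at the guest root in follow mode and refuses a ".." basename in no-follow mode, and the reverse prefix strip used to answer readlink on /proc/self/exe. The names guest_normalize, path_translate and host_to_guest, the EINVAL/EACCES error choices and the sample sysroot paths are assumptions for illustration. The translator here is purely lexical, standing in for the host-side resolution the real resolver performs, and host_to_guest expects both arguments already in realpath(3)-canonical form, which is exactly the canonicalization step the /proc/self/exe fix adds before the strncmp.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define GUEST_PATH_MAX 4096

/* Lexically normalize a guest path against the guest root: drops "." and
 * empty components, resolves ".." by popping the previous component, and
 * clamps at "/" so the result can never point above the root.
 * Writes an absolute path to out. Returns 0, or -1 with errno set. */
static int guest_normalize(const char *guest, char *out, size_t outsz)
{
    char buf[GUEST_PATH_MAX];
    size_t n = 1;                       /* buf[0] is the root slash */
    const char *p = guest;

    buf[0] = '/';
    while (*p) {
        while (*p == '/') p++;          /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            while (n > 1 && buf[n - 1] != '/') n--;   /* pop component */
            if (n > 1) n--;                           /* and its slash */
            continue;
        }
        if (n + 1 + len >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
        if (n > 1) buf[n++] = '/';
        memcpy(buf + n, start, len);
        n += len;
    }
    buf[n] = '\0';
    if (n >= outsz) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, buf, n + 1);
    return 0;
}

/* Translate a guest path to a host path beneath sysroot (hypothetical API).
 * follow_final != 0 (stat, open, execve): the whole path is normalized, so
 * every ".." is clamped at the guest root before the host sees it.
 * follow_final == 0 (lstat, readlink, unlink): only the directory part is
 * normalized and the final component is appended verbatim, because the
 * caller must look at that entry itself (e.g. a symlink), not its target.
 * A verbatim ".." would make the host kernel step above the resolved parent,
 * which for guest "/.." is the sysroot itself, so it is rejected (EINVAL). */
static int path_translate(const char *sysroot, const char *guest,
                          int follow_final, char *out, size_t outsz)
{
    char dir[GUEST_PATH_MAX], norm[GUEST_PATH_MAX];
    const char *base = "", *dirpart = dir;
    size_t len = strlen(guest);
    int w;

    if (len >= sizeof dir) { errno = ENAMETOOLONG; return -1; }
    memcpy(dir, guest, len + 1);

    if (!follow_final) {
        while (len > 1 && dir[len - 1] == '/')
            dir[--len] = '\0';          /* "/etc/" names the same entry as "/etc" */
        char *slash = strrchr(dir, '/');
        if (slash) { base = slash + 1; *slash = '\0'; }   /* split dir / base */
        else       { base = dir; dirpart = ""; }          /* bare relative name */
        if (strcmp(base, "..") == 0) { errno = EINVAL; return -1; }
    }
    if (guest_normalize(dirpart, norm, sizeof norm) < 0)
        return -1;
    w = snprintf(out, outsz, "%s%s%s%s", sysroot,
                 strcmp(norm, "/") == 0 ? "" : norm, *base ? "/" : "", base);
    if (w < 0 || (size_t)w >= outsz) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Reverse mapping for readlink("/proc/self/exe"): strip the sysroot prefix
 * from a host path. Both arguments must already be realpath(3)-canonical;
 * an alias like /var/... compared against a stored /private/var/... prefix
 * does not match and the raw host path would otherwise reach the guest.
 * The match must end on a component boundary so "/x/sysroot2" is not taken
 * as lying under "/x/sysroot". Returns -1 (EACCES) when outside the sysroot. */
static int host_to_guest(const char *canon_sysroot, const char *host_path,
                         char *out, size_t outsz)
{
    size_t plen = strlen(canon_sysroot);
    const char *rest;

    if (strncmp(host_path, canon_sysroot, plen) != 0 ||
        (host_path[plen] != '/' && host_path[plen] != '\0')) {
        errno = EACCES;
        return -1;
    }
    rest = host_path + plen;
    if (*rest == '\0') rest = "/";      /* the sysroot itself is the guest root */
    if (strlen(rest) >= outsz) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, rest, strlen(rest) + 1);
    return 0;
}
```

The no-follow branch is the interesting one: with guest "/etc/.." the directory part normalizes to "/etc" and a verbatim ".." basename would yield sysroot/etc/.., which is one lstat away from the sysroot's parent, so the EINVAL check is what keeps the host boundary intact. In follow mode the same input simply clamps to the guest root.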
Summary by cubic

Centralizes guest-to-host path translation and adds a case-fold sidecar so Linux paths behave correctly on macOS case-insensitive volumes. Also moves sysroot setup into core/sysroot with capability probing, and fixes /proc/self/exe canonicalization plus exec path races.

New Features
- path_translate_at as the single resolver with no-follow, follow, and create(+parents) modes; adopted across exec, stat, xattr, open, readdir, and rename paths.
- Case-fold sidecar (src/syscall/sidecar.{c,h}) to keep colliding names distinct; skips /proc, /sys, /dev, remaps readdir names back to guest form, and is serialized across fork IPC.
- Moved --sysroot/--create-sysroot into src/core/sysroot.{c,h} with case-sensitivity/case-preserving probing, stricter dir validation, and mount/create helpers.

Bug Fixes
- Fixed /proc/self/exe handling to avoid leaking host prefixes via macOS symlink aliases.
- Locked elf_path and added proc_elf_path_snapshot to prevent torn reads (also used for proc comm names).
- Preserved resolver errno and rejected .. in the final basename when not following, preventing escapes above the sysroot.

Written for commit a80aa17. Summary will update on new commits.