Use the ambient-authority crate instead of unsafe.

Use the newly-created ambient-authority crate to indicate functions
which have ambient authority, rather than using `unsafe`.

Fixes #141.

Author: sunfishcode

README.md

@@ -91,9 +91,8 @@ There currently are three main ways:
  - Use the [`cap-directories`] crate to create `Dir`s for config, cache and
    other data directories.
  - Use the [`cap-tempfile`] crate to create `Dir`s for temporary directories.
- - Use the `unsafe` [`Dir::open_ambient_dir`] to open a plain path. This
-   function is not sandboxed, and may open any file the host process has
-   access to.
+ - Use [`Dir::open_ambient_dir`] to open a plain path. This function is not
+   sandboxed, and may open any file the host process has access to.
 
 ## Examples
 

benches/mod.rs

@@ -11,7 +11,9 @@ use std::{fs, path::PathBuf};
 
 #[bench]
 fn nested_directories_open(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -41,7 +43,9 @@ fn nested_directories_open_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn nested_directories_metadata(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -72,7 +76,9 @@ fn nested_directories_metadata_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn nested_directories_canonicalize(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -103,7 +109,9 @@ fn nested_directories_canonicalize_baseline(b: &mut test::Bencher) {
 #[cfg(unix)]
 #[bench]
 fn nested_directories_readlink(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -143,7 +151,9 @@ fn nested_directories_readlink_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn curdir(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -176,7 +186,9 @@ fn curdir_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn parentdir(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for _ in 0..256 {
@@ -219,7 +231,9 @@ fn parentdir_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn directory_iteration(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     for i in 0..256 {
         dir.create(i.to_string()).unwrap();
@@ -234,7 +248,9 @@ fn directory_iteration(b: &mut test::Bencher) {
 
 #[bench]
 fn directory_iteration_fast(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     for i in 0..256 {
         dir.create(i.to_string()).unwrap();
@@ -265,7 +281,9 @@ fn directory_iteration_baseline(b: &mut test::Bencher) {
 #[cfg(unix)]
 #[bench]
 fn symlink_chasing_open(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.create("0").unwrap();
     for i in 0..32 {
@@ -303,7 +321,9 @@ fn symlink_chasing_open_baseline(b: &mut test::Bencher) {
 #[cfg(unix)]
 #[bench]
 fn symlink_chasing_metadata(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.create("0").unwrap();
     for i in 0..32 {
@@ -341,7 +361,9 @@ fn symlink_chasing_metadata_baseline(b: &mut test::Bencher) {
 #[cfg(unix)]
 #[bench]
 fn symlink_chasing_canonicalize(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.create("0").unwrap();
     for i in 0..32 {
@@ -378,7 +400,9 @@ fn symlink_chasing_canonicalize_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn recursive_create_delete(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     let mut path = PathBuf::new();
     for depth in 0..256 {
@@ -409,7 +433,9 @@ fn recursive_create_delete_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn copy_4b(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.write("file", &vec![1u8; 0x4]).unwrap();
 
@@ -433,7 +459,9 @@ fn copy_4b_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn copy_4k(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.write("file", &vec![1u8; 0x1000]).unwrap();
 
@@ -457,7 +485,9 @@ fn copy_4k_baseline(b: &mut test::Bencher) {
 
 #[bench]
 fn copy_4m(b: &mut test::Bencher) {
-    let dir = unsafe { cap_tempfile::tempdir().unwrap() };
+    use cap_tempfile::ambient_authority;
+
+    let dir = cap_tempfile::tempdir(ambient_authority()).unwrap();
 
     dir.write("file", &vec![1u8; 0x400000]).unwrap();
 

cap-async-std/src/fs/dir.rs

@@ -8,10 +8,15 @@ use async_std::{
     fs, io,
     path::{Path, PathBuf},
 };
-use cap_primitives::fs::{
-    canonicalize, copy, create_dir, hard_link, open, open_ambient_dir, open_dir, read_base_dir,
-    read_dir, read_link, remove_dir, remove_dir_all, remove_file, remove_open_dir,
-    remove_open_dir_all, rename, set_permissions, stat, DirOptions, FollowSymlinks, Permissions,
+use cap_primitives::{
+    ambient_authority,
+    fs::{
+        canonicalize, copy, create_dir, hard_link, open, open_ambient_dir, open_dir, read_base_dir,
+        read_dir, read_link, remove_dir, remove_dir_all, remove_file, remove_open_dir,
+        remove_open_dir_all, rename, set_permissions, stat, DirOptions, FollowSymlinks,
+        Permissions,
+    },
+    AmbientAuthority,
 };
 use std::fmt;
 use unsafe_io::{AsUnsafeFile, FromUnsafeFile, OwnsRaw};
@@ -48,12 +53,12 @@ impl Dir {
     /// To prevent race conditions on Windows, the file must be opened without
     /// `FILE_SHARE_DELETE`.
     ///
-    /// # Safety
+    /// # Ambient Authority
     ///
     /// `async_std::fs::File` is not sandboxed and may access any path that the host
     /// process has access to.
     #[inline]
-    pub unsafe fn from_std_file(std_file: fs::File) -> Self {
+    pub fn from_std_file(std_file: fs::File, _: AmbientAuthority) -> Self {
         Self { std_file }
     }
 
@@ -87,21 +92,21 @@ impl Dir {
     #[cfg(not(target_os = "wasi"))]
     fn _open_with(file: &std::fs::File, path: &Path, options: &OpenOptions) -> io::Result<File> {
         let file = open(file, path.as_ref(), options)?.into();
-        Ok(unsafe { File::from_std(file) })
+        Ok(File::from_std(file, ambient_authority()))
     }
 
     #[cfg(target_os = "wasi")]
     fn _open_with(file: &std::fs::File, path: &Path, options: &OpenOptions) -> io::Result<File> {
         let file = options.open_at(&self.std_file, path)?.into();
-        Ok(unsafe { File::from_std(file) })
+        Ok(File::from_std(file, ambient_authority()))
     }
 
     /// Attempts to open a directory.
     #[inline]
     pub fn open_dir<P: AsRef<Path>>(&self, path: P) -> io::Result<Self> {
         let file = self.std_file.as_file_view();
         let dir = open_dir(&file, path.as_ref().as_ref())?.into();
-        Ok(unsafe { Self::from_std_file(dir) })
+        Ok(Self::from_std_file(dir, ambient_authority()))
     }
 
     /// Creates a new, empty directory at the provided path.
@@ -579,21 +584,25 @@ impl Dir {
     /// Constructs a new instance of `Self` by opening the given path as a
     /// directory using the host process' ambient authority.
     ///
-    /// # Safety
+    /// # Ambient Authority
     ///
     /// This function is not sandboxed and may access any path that the host
     /// process has access to.
     #[inline]
-    pub unsafe fn open_ambient_dir<P: AsRef<Path>>(path: P) -> io::Result<Self> {
-        open_ambient_dir(path.as_ref().as_ref()).map(|f| Self::from_std_file(f.into()))
+    pub fn open_ambient_dir<P: AsRef<Path>>(
+        path: P,
+        ambient_authority: AmbientAuthority,
+    ) -> io::Result<Self> {
+        open_ambient_dir(path.as_ref().as_ref(), ambient_authority)
+            .map(|f| Self::from_std_file(f.into(), ambient_authority))
     }
 }
 
 #[cfg(not(windows))]
 impl FromRawFd for Dir {
     #[inline]
     unsafe fn from_raw_fd(fd: RawFd) -> Self {
-        Self::from_std_file(fs::File::from_raw_fd(fd))
+        Self::from_std_file(fs::File::from_raw_fd(fd), ambient_authority())
     }
 }
 
@@ -603,7 +612,7 @@ impl FromRawHandle for Dir {
     /// `FILE_SHARE_DELETE`.
     #[inline]
     unsafe fn from_raw_handle(handle: RawHandle) -> Self {
-        Self::from_std_file(fs::File::from_raw_handle(handle))
+        Self::from_std_file(fs::File::from_raw_handle(handle), ambient_authority())
     }
 }
 

cap-async-std/src/fs/dir_entry.rs

@@ -4,6 +4,7 @@ use async_std::io;
 use async_std::os::unix::fs::DirEntryExt;
 #[cfg(target_os = "wasi")]
 use async_std::os::wasi::fs::DirEntryExt;
+use cap_primitives::ambient_authority;
 use std::{ffi::OsString, fmt};
 
 /// Entries returned by the `ReadDir` iterator.
@@ -30,21 +31,21 @@ impl DirEntry {
     #[inline]
     pub fn open(&self) -> io::Result<File> {
         let file = self.inner.open()?.into();
-        Ok(unsafe { File::from_std(file) })
+        Ok(File::from_std(file, ambient_authority()))
     }
 
     /// Open the file with the given options.
     #[inline]
     pub fn open_with(&self, options: &OpenOptions) -> io::Result<File> {
         let file = self.inner.open_with(options)?.into();
-        Ok(unsafe { File::from_std(file) })
+        Ok(File::from_std(file, ambient_authority()))
     }
 
     /// Open the entry as a directory.
     #[inline]
     pub fn open_dir(&self) -> io::Result<Dir> {
         let file = self.inner.open_dir()?.into();
-        Ok(unsafe { Dir::from_std_file(file) })
+        Ok(Dir::from_std_file(file, ambient_authority()))
     }
 
     /// Removes the file from its filesystem.
@@ -97,9 +98,9 @@ impl DirEntryExt for DirEntry {
 
 #[cfg(windows)]
 #[doc(hidden)]
-unsafe impl cap_primitives::fs::_WindowsDirEntryExt for DirEntry {
+impl cap_primitives::fs::_WindowsDirEntryExt for DirEntry {
     #[inline]
-    unsafe fn full_metadata(&self) -> io::Result<Metadata> {
+    fn full_metadata(&self) -> io::Result<Metadata> {
         self.inner.full_metadata()
     }
 }

cap-async-std/src/fs/file.rs

@@ -8,7 +8,7 @@ use async_std::{
     io::{self, IoSlice, IoSliceMut, Read, Seek, SeekFrom, Write},
     task::{Context, Poll},
 };
-use cap_primitives::fs::is_file_read_write;
+use cap_primitives::{ambient_authority, fs::is_file_read_write, AmbientAuthority};
 use std::{fmt, pin::Pin};
 use unsafe_io::{AsUnsafeFile, OwnsRaw};
 #[cfg(windows)]
@@ -35,12 +35,12 @@ pub struct File {
 impl File {
     /// Constructs a new instance of `Self` from the given `async_std::fs::File`.
     ///
-    /// # Safety
+    /// # Ambient Authority
     ///
     /// `async_std::fs::File` is not sandboxed and may access any path that the host
     /// process has access to.
     #[inline]
-    pub unsafe fn from_std(std: fs::File) -> Self {
+    pub fn from_std(std: fs::File, _: AmbientAuthority) -> Self {
         Self { std }
     }
 
@@ -135,15 +135,15 @@ fn permissions_into_std(
 impl FromRawFd for File {
     #[inline]
     unsafe fn from_raw_fd(fd: RawFd) -> Self {
-        Self::from_std(fs::File::from_raw_fd(fd))
+        Self::from_std(fs::File::from_raw_fd(fd), ambient_authority())
     }
 }
 
 #[cfg(windows)]
 impl FromRawHandle for File {
     #[inline]
     unsafe fn from_raw_handle(handle: RawHandle) -> Self {
-        Self::from_std(fs::File::from_raw_handle(handle))
+        Self::from_std(fs::File::from_raw_handle(handle), ambient_authority())
     }
 }