release: v0.4.0 — guard API, GuardedFile, error model cleanup#3
Merged
Adds the guard API (FdJail / GuardedFile / Attestation / openat2), tightens
the error model, and fixes several pre-1.0 API stability issues.
Key changes
-----------
- guard feature: FdJail pins the jail root as a dirfd; FdJail::open uses a
single openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) syscall on Linux
5.6+ (x86_64 + aarch64); O_NOFOLLOW fallback on macOS/BSD and unsupported
Linux arches (riscv64, s390x, …) with attestation().toctou_safe = false.
- GuardedFile (renamed from JailFile): wraps the opened File + Attestation;
implements Read/Write/Seek/Deref/AsFd/AsRawFd. sign_attestation() via
pluggable Signer/Verifier traits.
- Attestation and KernelVersion are now #[non_exhaustive].
- JailError::InvalidRoot is now a struct variant { path, source: Option<io::Error> },
replacing both the old tuple variant and the guard-only InvalidJailRoot.
- FdJail::check renamed to check_path.
- secure-open: O_NOFOLLOW = 0 silent fallback replaced with compile_error!
on unknown Unix platforms.
- FdJail implements Clone (dup(2) on Linux) + Send + Sync.
- MSRV bumped to 1.85; CI matrix hardened (semver-checks un-suppressed,
SHA-pinned actions, cargo-deny, aarch64/armv7 cross tests).
- DESIGN.md rewritten; SECURITY.md versioning section updated for pre/post-1.0.
- docs/fd_first_spec.md deleted (stale artifact from fd-first → guard rename).
Summary
guard feature — FdJail pins the jail root as a live dirfd and opens files via a
single openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) syscall on Linux 5.6+
(x86_64/aarch64), making validate-and-open atomically kernel-enforced. Falls back
to O_NOFOLLOW on macOS/BSD and unsupported Linux arches (riscv64, s390x, …) with
attestation().toctou_safe = false advertising the weaker guarantee.

GuardedFile (renamed from JailFile) wraps the open File + an Attestation snapshot
(inode, device, nlink, timestamp, optional Ed25519 signature). Implements
Read/Write/Seek/Deref/AsFd/AsRawFd. Pluggable Signer/Verifier traits — no vendored
crypto.

FdJail now implements Clone (via dup(2) on Linux) + Send + Sync.

API stability fixes
-------------------
- guard::JailFile → guard::GuardedFile
- JailError::InvalidRoot(PathBuf) + InvalidJailRoot { path, source } → JailError::InvalidRoot { path, source: Option<io::Error> }
- FdJail::check → FdJail::check_path
- Attestation / KernelVersion (exhaustive) → #[non_exhaustive]
- O_NOFOLLOW = 0 on unknown Unix (silent security bug) → compile_error!
- compile_error! on riscv64 + guard →

Other
-----
- cargo-semver-checks un-suppressed in CI; SHA-pinned actions.
- DESIGN.md fully rewritten; SECURITY.md versioning section updated.
- docs/fd_first_spec.md deleted (stale fd-first → guard rename artifact).

Test plan
---------
- cargo-deny passes
- cargo-semver-checks passes against v0.3.1 baseline
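The guard mechanism the release describes (a root pinned as a dirfd, one openat2 call with RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS, an O_NOFOLLOW fallback that advertises itself through toctou_safe, fstat-derived identity in the attestation, and compile_error! instead of a silent O_NOFOLLOW = 0), written out as an added, self-contained Rust example. This is not the crate's code: the names Jail, Guarded, Attestation, check_path, Outcome and run_scenario are chosen here, it targets Linux on x86_64/aarch64 and calls the C runtime's syscall() and openat() directly rather than using the libc crate, and the directory layout it probes is constructed under the temp dir and removed afterwards.

```rust
// Added example, not the crate's code: an FdJail/GuardedFile-style guarded open on
// Linux from std plus the C runtime's syscall()/openat(). All names are this example's own.
use std::ffi::CString;
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::fd::{AsRawFd, FromRawFd};
use std::os::raw::{c_char, c_int, c_long};
use std::os::unix::ffi::OsStrExt;
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::{Component, Path};

unsafe extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn openat(dirfd: c_int, path: *const c_char, flags: c_int, ...) -> c_int;
}
// Kernel ABI values (uapi/linux/openat2.h, fcntl.h). openat2 is 437 on every arch;
// O_NOFOLLOW is per-arch, so an unverified target is a compile error, never a silent 0.
const SYS_OPENAT2: c_long = 437;
const RESOLVE_NO_MAGICLINKS: u64 = 0x02; const RESOLVE_BENEATH: u64 = 0x08;
const O_RDONLY: c_int = 0;
const O_CLOEXEC: c_int = 0o2000000;
#[cfg(target_arch = "x86_64")] const O_NOFOLLOW: c_int = 0o400000;
#[cfg(target_arch = "aarch64")] const O_NOFOLLOW: c_int = 0o100000;
#[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))] compile_error!("O_NOFOLLOW unverified here");
const EPERM: i32 = 1; const ENOSYS: i32 = 38;

#[repr(C)]
struct OpenHow { flags: u64, mode: u64, resolve: u64 }
/// toctou_safe: true if the kernel resolved the whole path beneath the root in one openat2
/// call; false if only a lexical check plus O_NOFOLLOW on the final component applied
/// (a directory symlink earlier in the path can still lead outside). dev/ino/nlink: fstat.
#[derive(Debug, Clone, PartialEq)]
pub struct Attestation { pub toctou_safe: bool, pub dev: u64, pub ino: u64, pub nlink: u64 }
pub struct Guarded { pub file: File, pub attestation: Attestation }
/// Jail root pinned as a directory fd: renaming the root path afterwards does not move it.
pub struct Jail { root: File }

impl Jail {
    pub fn new(root: &Path) -> io::Result<Jail> {
        let root = File::open(root)?;
        if !root.metadata()?.is_dir() { return Err(io::Error::new(io::ErrorKind::InvalidInput, "jail root is not a directory")); }
        Ok(Jail { root })
    }
    /// Lexical pre-check: non-empty, relative, no ".." components (the fallback relies on it).
    pub fn check_path(rel: &Path) -> io::Result<()> {
        let ok = rel.components().next().is_some()
            && rel.components().all(|c| matches!(c, Component::Normal(_) | Component::CurDir));
        if ok { Ok(()) } else { Err(io::Error::new(io::ErrorKind::PermissionDenied, "path is empty or escapes the jail")) }
    }
    pub fn open(&self, rel: &Path) -> io::Result<Guarded> {
        Self::check_path(rel)?;
        let c = CString::new(rel.as_os_str().as_bytes())?;
        let dirfd = self.root.as_raw_fd();
        let (fd, toctou_safe) = match openat2_beneath(dirfd, &c) {
            Ok(fd) => (fd, true),
            // ENOSYS: kernel < 5.6. EPERM: a seccomp filter that denies the syscall.
            Err(e) if matches!(e.raw_os_error(), Some(ENOSYS) | Some(EPERM)) => (openat_nofollow(dirfd, &c)?, false),
            Err(e) => return Err(e),
        };
        let file = unsafe { File::from_raw_fd(fd) };
        let m = file.metadata()?; // fstat on the fd we hold, not a second path lookup
        let attestation = Attestation { toctou_safe, dev: m.dev(), ino: m.ino(), nlink: m.nlink() };
        Ok(Guarded { file, attestation })
    }
}

fn openat2_beneath(dirfd: c_int, path: &CString) -> io::Result<c_int> {
    let how = OpenHow { flags: (O_RDONLY | O_CLOEXEC) as u64, mode: 0, resolve: RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS };
    let r = unsafe { syscall(SYS_OPENAT2, dirfd as c_long, path.as_ptr(), &how as *const OpenHow, std::mem::size_of::<OpenHow>() as c_long) };
    if r < 0 { Err(io::Error::last_os_error()) } else { Ok(r as c_int) }
}
fn openat_nofollow(dirfd: c_int, path: &CString) -> io::Result<c_int> {
    let r = unsafe { openat(dirfd, path.as_ptr(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW) };
    if r < 0 { Err(io::Error::last_os_error()) } else { Ok(r) }
}

pub struct Outcome { pub attestation: Attestation, pub inner: String, pub dotdot_rejected: bool, pub symlink_rejected: bool, pub dir_symlink_rejected: bool }

/// Constructed layout under the temp dir (removed afterwards): jail-<pid>/inner.txt (regular file),
/// jail-<pid>/escape -> <tmp>/outside-<pid>.txt (absolute symlink out), jail-<pid>/updir -> <tmp>.
pub fn run_scenario() -> io::Result<Outcome> {
    let (tmp, tag) = (std::env::temp_dir(), std::process::id().to_string());
    let (root, outside) = (tmp.join(format!("jail-{tag}")), format!("outside-{tag}.txt"));
    fs::create_dir(&root)?;
    fs::write(root.join("inner.txt"), b"hello")?;
    fs::write(tmp.join(&outside), b"secret")?;
    symlink(tmp.join(&outside), root.join("escape"))?;
    symlink(&tmp, root.join("updir"))?;
    let jail = Jail::new(&root)?;
    let mut g = jail.open(Path::new("inner.txt"))?;
    let mut inner = String::new();
    g.file.read_to_string(&mut inner)?;
    let out = Outcome {
        attestation: g.attestation, inner,
        dotdot_rejected: jail.open(&Path::new("..").join(&outside)).is_err(),
        symlink_rejected: jail.open(Path::new("escape")).is_err(),
        dir_symlink_rejected: jail.open(&Path::new("updir").join(&outside)).is_err(),
    };
    let _ = (fs::remove_dir_all(&root), fs::remove_file(tmp.join(&outside)));
    Ok(out)
}

fn main() -> io::Result<()> {
    let o = run_scenario()?;
    println!("{:?} dotdot={} symlink={} dir_symlink={}", o.attestation, o.dotdot_rejected, o.symlink_rejected, o.dir_symlink_rejected);
    Ok(())
}
```

run_scenario() opens inner.txt and then tries three escapes: a `..` path (rejected by check_path in both modes), an absolute symlink as the final component (EXDEV under RESOLVE_BENEATH, ELOOP under O_NOFOLLOW), and a directory symlink mid-path, which only the openat2 path rejects. That last case is exactly the gap toctou_safe = false advertises: O_NOFOLLOW guards the final component, not the directories leading to it, so a caller that needs kernel-enforced containment must check the flag rather than assume it.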