Initial filesystem implementation

Author: patricoferris

lib_eio_windows/dune

@@ -1,7 +1,7 @@
 (library
  (name eio_windows)
  (public_name eio_windows)
- (library_flags :standard -ccopt -lbcrypt)
+ (library_flags :standard -ccopt -lbcrypt -ccopt -lntdll)
  (enabled_if (= %{os_type} "Win32"))
  (foreign_stubs
   (language c)

lib_eio_windows/eio_windows.ml

@@ -43,7 +43,7 @@ let run main =
     method mono_clock = Time.mono_clock
     method net = Net.v
     method domain_mgr = Domain_mgr.v
-    method cwd = failwith "file-system operations not supported on Windows yet"
-    method fs = failwith "file-system operations not supported on Windows yet"
+    method cwd = ((Fs.cwd, "") :> Eio.Fs.dir Eio.Path.t)
+    method fs = ((Fs.fs, "") :> Eio.Fs.dir Eio.Path.t)
     method secure_random = Flow.secure_random
   end

lib_eio_windows/eio_windows_stubs.c

@@ -11,12 +11,29 @@
 #include <assert.h>
 #include <ntstatus.h>
 #include <bcrypt.h>
+#include <winternl.h>
+#include <ntdef.h>
+
+typedef ULONG (__stdcall *pNtCreateFile)(
+   PHANDLE FileHandle,
+   ULONG DesiredAccess,
+   PVOID ObjectAttributes,
+   PVOID IoStatusBlock,
+   PLARGE_INTEGER AllocationSize,
+   ULONG FileAttributes,
+   ULONG ShareAccess,
+   ULONG CreateDisposition,
+   ULONG CreateOptions,
+   PVOID EaBuffer,
+   ULONG EaLength
+ );
 
 #include <caml/mlvalues.h>
 #include <caml/memory.h>
 #include <caml/alloc.h>
 #include <caml/unixsupport.h>
 #include <caml/bigarray.h>
+#include <caml/osdeps.h>
 
 #ifdef ARCH_SIXTYFOUR
 #define Int63_val(v) Long_val(v)
@@ -64,9 +81,72 @@ CAMLprim value caml_eio_windows_pwritev(value v_fd, value v_bufs, value v_offset
   uerror("pwritev is not supported on windows yet", Nothing);
 }
 
-CAMLprim value caml_eio_windows_openat(value v_dirfd, value v_pathname, value v_flags, value v_mode)
+// File-system operations
+
+// We recreate an openat like function using NtCreateFile
+CAMLprim value caml_eio_windows_openat(value v_dirfd, value v_pathname, value v_open_flags, value v_create_disposition, value v_create_options)
 {
-  uerror("openat is not supported on windows yet", Nothing);
+  CAMLparam2(v_dirfd, v_pathname);
+  HANDLE h, dir;
+  OBJECT_ATTRIBUTES obj_attr;
+  IO_STATUS_BLOCK io_status;
+  wchar_t *pathname;
+  UNICODE_STRING relative;
+  NTSTATUS r;
+
+  // Not sure what the overhead of this is, but it allows us to have low-level control
+  // over file creation. In particular, we can specify the HANDLE to the parent directory
+  // of a relative path a la openat.
+  pNtCreateFile NtCreatefile = (pNtCreateFile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateFile");
+  caml_unix_check_path(v_pathname, "openat");
+  pathname = caml_stat_strdup_to_utf16(String_val(v_pathname));
+  RtlInitUnicodeString(&relative, pathname);
+
+  // If NULL the filepath has to be absolute
+  if (Is_some(v_dirfd)) {
+    dir = Handle_val(Field(v_dirfd, 0));
+  } else {
+    dir = NULL;
+  }
+
+  // Initialise object attributes, passing in the root directory FD
+  InitializeObjectAttributes(
+    &obj_attr,
+    &relative,
+    OBJ_CASE_INSENSITIVE, // TODO: Double-check what flags need to be passed at this point.
+    dir,
+    NULL
+  );
+
+  // Create the file
+  r = NtCreatefile(
+    &h,
+    (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE),
+    &obj_attr,
+    &io_status,
+    0, // Allocation size
+    FILE_ATTRIBUTE_NORMAL, // TODO: Could check flags to see if we can do READONLY here a la OCaml
+    (FILE_SHARE_READ | FILE_SHARE_WRITE),
+    Int_val(v_create_disposition),
+    (Int_val(v_create_options) | FILE_SYNCHRONOUS_IO_NONALERT),
+    NULL, // Extended attribute buffer
+    0     // Extended attribute buffer length
+  );
+
+  // Free the allocated pathname
+  caml_stat_free(pathname);
+  
+  if (h == INVALID_HANDLE_VALUE) {
+    caml_win32_maperr(GetLastError());
+    uerror("openat", v_pathname);
+  }
+
+  if (!NT_SUCCESS(r)) {
+    caml_win32_maperr(GetLastError());
+    uerror("openat", Nothing);
+  }
+  
+  CAMLreturn(caml_win32_alloc_handle(h));
 }
 
 CAMLprim value caml_eio_windows_mkdirat(value v_fd, value v_path, value v_perm)

lib_eio_windows/fs.ml

@@ -0,0 +1,187 @@
+(*
+ * Copyright (C) 2023 Thomas Leonard
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *)
+
+(* This module provides (optional) sandboxing, allowing operations to be restricted to a subtree.
+
+   For now, sandboxed directories use realpath and [O_NOFOLLOW], which is probably quite slow,
+   and requires duplicating a load of path lookup logic from the kernel.
+   It might be better to hold a directory FD rather than a path.
+   On FreeBSD we could use O_RESOLVE_BENEATH and let the OS handle everything for us.
+   On other systems we would have to resolve one path component at a time. *)
+
+open Eio.Std
+
+module Fd = Eio_unix.Fd
+
+class virtual posix_dir = object
+  inherit Eio.Fs.dir
+
+  val virtual opt_nofollow : Low_level.Flags.Open.t
+  (** Extra flags for open operations. Sandboxes will add [O_NOFOLLOW] here. *)
+
+  method virtual private resolve : string -> string
+  (** [resolve path] returns the real path that should be used to access [path].
+      For sandboxes, this is [realpath path] (and it checks that it is within the sandbox).
+      For unrestricted access, this is the identity function. *)
+
+  method virtual with_parent_dir : 'a. (string -> (Fd.t option -> string -> 'a) -> 'a)
+  (** [with_parent_dir path fn] runs [fn dir_fd rel_path],
+      where [rel_path] accessed relative to [dir_fd] gives access to [path].
+      For unrestricted access, this just runs [fn None path].
+      For sandboxes, it opens the parent of [path] as [dir_fd] and runs [fn (Some dir_fd) (basename path)]. *)
+end
+
+(* When renaming, we get a plain [Eio.Fs.dir]. We need extra access to check
+   that the new location is within its sandbox. *)
+type _ Eio.Generic.ty += Posix_dir : posix_dir Eio.Generic.ty
+let as_posix_dir x = Eio.Generic.probe x Posix_dir
+
+class virtual dir ~label = object (self)
+  inherit posix_dir
+
+  val mutable closed = false
+
+  method! probe : type a. a Eio.Generic.ty -> a option = function
+    | Posix_dir -> Some (self :> posix_dir)
+    | _ -> None
+
+  method open_in ~sw path =
+    let open Low_level in
+    let fd = Err.run (Low_level.openat ~sw (self#resolve path)) Low_level.Flags.Open.(rdonly) Flags.Disposition.(open_if) Flags.Create.(non_directory) in
+    (Flow.of_fd fd :> <Eio.File.ro; Eio.Flow.close>)
+
+  method open_out ~sw ~append ~create path =
+    let open Low_level in
+    let _mode, flags =
+      match create with
+      | `Never            -> 0,    Low_level.Flags.Open.empty
+      | `If_missing  perm -> perm, Low_level.Flags.Open.creat
+      | `Or_truncate perm -> perm, Low_level.Flags.Open.(creat + trunc)
+      | `Exclusive   perm -> perm, Low_level.Flags.Open.(creat + excl)
+    in
+    let flags = if append then Low_level.Flags.Open.(flags + append) else flags in
+    let flags = Low_level.Flags.Open.(flags + rdwr + opt_nofollow) in
+    match
+      self#with_parent_dir path @@ fun dirfd path ->
+      Low_level.openat ?dirfd ~sw path flags Flags.Disposition.(open_if) Flags.Create.(non_directory)
+    with
+    | fd -> (Flow.of_fd fd :> <Eio.File.rw; Eio.Flow.close>)
+    | exception Unix.Unix_error (ELOOP, _, _) ->
+      (* The leaf was a symlink (or we're unconfined and the main path changed, but ignore that).
+         A leaf symlink might be OK, but we need to check it's still in the sandbox.
+         todo: possibly we should limit the number of redirections here, like the kernel does. *)
+      let target = Unix.readlink path in
+      let full_target =
+        if Filename.is_relative target then
+          Filename.concat (Filename.dirname path) target
+        else target
+      in
+      self#open_out ~sw ~append ~create full_target
+    | exception Unix.Unix_error (code, name, arg) ->
+      raise (Err.wrap code name arg)
+
+  method mkdir ~perm path =
+    self#with_parent_dir path @@ fun dirfd path ->
+    Err.run (Low_level.mkdir ?dirfd ~mode:perm) path
+
+  method unlink path =
+    self#with_parent_dir path @@ fun dirfd path ->
+    Err.run (Low_level.unlink ?dirfd ~dir:false) path
+
+  method rmdir path =
+    self#with_parent_dir path @@ fun dirfd path ->
+    Err.run (Low_level.unlink ?dirfd ~dir:true) path
+
+  method read_dir path =
+    (* todo: need fdopendir here to avoid races *)
+    let path = self#resolve path in
+    Err.run Low_level.readdir path
+    |> Array.to_list
+
+  method rename old_path new_dir new_path =
+    match as_posix_dir new_dir with
+    | None -> invalid_arg "Target is not an eio_posix directory!"
+    | Some new_dir ->
+      self#with_parent_dir old_path @@ fun old_dir old_path ->
+      new_dir#with_parent_dir new_path @@ fun new_dir new_path ->
+      Err.run (Low_level.rename ?old_dir old_path ?new_dir) new_path
+
+  method open_dir ~sw path =
+    Switch.check sw;
+    let label = Filename.basename path in
+    let d = new sandbox ~label (self#resolve path) in
+    Switch.on_release sw (fun () -> d#close);
+    (d :> Eio.Fs.dir_with_close)
+
+  method close = closed <- true
+
+  method pp f = Fmt.string f (String.escaped label)
+end
+
+and sandbox ~label dir_path = object (self)
+  inherit dir ~label
+
+  (* nofollow not on windows. *)
+  val opt_nofollow = Low_level.Flags.Open.empty
+
+  (* Resolve a relative path to an absolute one, with no symlinks.
+     @raise Eio.Fs.Permission_denied if it's outside of [dir_path]. *)
+  method private resolve path =
+    if closed then Fmt.invalid_arg "Attempt to use closed directory %S" dir_path;
+    if Filename.is_relative path then (
+      let dir_path = Err.run Low_level.realpath dir_path in
+      let full = Err.run Low_level.realpath (Filename.concat dir_path path) in
+      let prefix_len = String.length dir_path + 1 in
+      (* \\??\\ Is necessary with NtCreateFile. *)
+      if String.length full >= prefix_len && String.sub full 0 prefix_len = dir_path ^ Filename.dir_sep then
+        "\\??\\" ^ full
+      else if full = dir_path then
+        "\\??\\" ^ full
+      else
+        raise @@ Eio.Fs.err (Permission_denied (Err.Outside_sandbox (full, dir_path)))
+    ) else (
+      raise @@ Eio.Fs.err (Permission_denied Err.Absolute_path)
+    )
+
+  method with_parent_dir path fn =
+    if closed then Fmt.invalid_arg "Attempt to use closed directory %S" dir_path;
+    let dir, leaf = Filename.dirname path, Filename.basename path in
+    if leaf = ".." then (
+      (* We could be smarter here and normalise the path first, but '..'
+         doesn't make sense for any of the current uses of [with_parent_dir]
+         anyway. *)
+      raise (Eio.Fs.err (Permission_denied (Err.Invalid_leaf leaf)))
+    ) else (
+      let dir = self#resolve dir in
+      Switch.run @@ fun sw ->
+      let open Low_level in
+      let dirfd = Low_level.openat ~sw dir Flags.Open.(rdonly) Flags.Disposition.(open_if) Flags.Create.(directory) in
+      fn (Some dirfd) leaf
+    )
+end
+
+(* Full access to the filesystem. *)
+let fs = object
+  inherit dir ~label:"fs"
+
+  val opt_nofollow = Low_level.Flags.Open.empty
+
+  (* No checks *)
+  method private resolve path = path
+  method private with_parent_dir path fn = fn None path
+end
+
+let cwd = new sandbox ~label:"cwd" "."

lib_eio_windows/include/discover.ml

@@ -4,7 +4,7 @@ let () =
   C.main ~name:"discover" (fun c ->
       let defs =
         C.C_define.import c ~c_flags:["-D_LARGEFILE64_SOURCE"]
-          ~includes:["sys/types.h"; "sys/stat.h"; "fcntl.h"]
+          ~includes:["sys/types.h"; "sys/stat.h"; "fcntl.h"; "ntdef.h"]
           C.C_define.Type.[
             "_O_RDONLY", Int;
             "_O_RDWR", Int;
@@ -14,11 +14,30 @@ let () =
             "_O_NOINHERIT", Int;
             "_O_TRUNC", Int;
             "_O_EXCL", Int;
+
+            (* Create Disposition *)
+            "FILE_SUPERSEDE", Int;
+            "FILE_CREATE", Int;
+            "FILE_OPEN", Int;
+            "FILE_OPEN_IF", Int;
+            "FILE_OVERWRITE", Int;
+            "FILE_OVERWRITE_IF", Int;
+
+            (* Create Options *)
+            "FILE_DIRECTORY_FILE", Int;
+            "FILE_NON_DIRECTORY_FILE", Int;
+            "FILE_NO_INTERMEDIATE_BUFFERING", Int;
+            "FILE_WRITE_THROUGH", Int;
+            "FILE_SEQUENTIAL_ONLY", Int;
           ]
         |> List.map (function
             | name, C.C_define.Value.Int v ->
-              let name_length = String.length name in
-              let name = String.sub name 1 (name_length - 1) in
+              let name =
+                if name.[0] = '_' then 
+                  let name_length = String.length name in
+                  String.sub name 1 (name_length - 1)
+                else name
+              in
               Printf.sprintf "let %s = 0x%x" (String.lowercase_ascii name) v
             | _ -> assert false
           )