1
use crate::clocks::Datetime;
2
use crate::runtime::{AbortOnDropJoinHandle, spawn_blocking};
3
use anyhow::Context as _;
4
use cap_fs_ext::{FileTypeExt as _, MetadataExt as _};
5
use fs_set_times::SystemTimeSpec;
6
use std::collections::hash_map;
7
use std::sync::Arc;
8
use tracing::debug;
9
use wasmtime::component::{HasData, Resource, ResourceTable};
10

11
/// A helper struct which implements [`HasData`] for the `wasi:filesystem` APIs.
12
///
13
/// This can be useful when directly calling `add_to_linker` functions directly,
14
/// such as [`wasmtime_wasi::p2::bindings::filesystem::types::add_to_linker`] as
15
/// the `D` type parameter. See [`HasData`] for more information about the type
16
/// parameter's purpose.
17
///
18
/// When using this type you can skip the [`WasiFilesystemView`] trait, for
19
/// example.
20
///
21
/// # Examples
22
///
23
/// ```
24
/// use wasmtime::component::{Linker, ResourceTable};
25
/// use wasmtime::{Engine, Result, Config};
26
/// use wasmtime_wasi::filesystem::*;
27
///
28
/// struct MyStoreState {
29
///     table: ResourceTable,
30
///     filesystem: WasiFilesystemCtx,
31
/// }
32
///
33
/// fn main() -> Result<()> {
34
///     let mut config = Config::new();
35
///     config.async_support(true);
36
///     let engine = Engine::new(&config)?;
37
///     let mut linker = Linker::new(&engine);
38
///
39
///     wasmtime_wasi::p2::bindings::filesystem::types::add_to_linker::<MyStoreState, WasiFilesystem>(
40
///         &mut linker,
41
///         |state| WasiFilesystemCtxView {
42
///             table: &mut state.table,
43
///             ctx: &mut state.filesystem,
44
///         },
45
///     )?;
46
///     Ok(())
47
/// }
48
/// ```
49
pub struct WasiFilesystem;
50

51
impl HasData for WasiFilesystem {
52
    type Data<'a> = WasiFilesystemCtxView<'a>;
53
}
54

55
#[derive(Clone, Default)]
56
pub struct WasiFilesystemCtx {
57
    pub(crate) allow_blocking_current_thread: bool,
58
    pub(crate) preopens: Vec<(Dir, String)>,
59
}
60

61
pub struct WasiFilesystemCtxView<'a> {
62
    pub ctx: &'a mut WasiFilesystemCtx,
63
    pub table: &'a mut ResourceTable,
64
}
65

66
pub trait WasiFilesystemView: Send {
67
    fn filesystem(&mut self) -> WasiFilesystemCtxView<'_>;
68
}
69

70
bitflags::bitflags! {
71
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
72
    pub struct FilePerms: usize {
73
        const READ = 0b1;
74
        const WRITE = 0b10;
75
    }
76
}
77

78
bitflags::bitflags! {
79
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
80
    pub struct OpenMode: usize {
81
        const READ = 0b1;
82
        const WRITE = 0b10;
83
    }
84
}
85

86
bitflags::bitflags! {
87
    /// Permission bits for operating on a directory.
88
    ///
89
    /// Directories can be limited to being readonly. This will restrict what
90
    /// can be done with them, for example preventing creation of new files.
91
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
92
    pub struct DirPerms: usize {
93
        /// This directory can be read, for example its entries can be iterated
94
        /// over and files can be opened.
95
        const READ = 0b1;
96

97
        /// This directory can be mutated, for example by creating new files
98
        /// within it.
99
        const MUTATE = 0b10;
100
    }
101
}
102

103
bitflags::bitflags! {
104
    /// Flags determining the method of how paths are resolved.
105
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
106
    pub(crate) struct PathFlags: usize {
107
        /// This directory can be read, for example its entries can be iterated
108
        /// over and files can be opened.
109
        const SYMLINK_FOLLOW = 0b1;
110
    }
111
}
112

113
bitflags::bitflags! {
114
    /// Open flags used by `open-at`.
115
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
116
    pub(crate) struct OpenFlags: usize {
117
        /// Create file if it does not exist, similar to `O_CREAT` in POSIX.
118
        const CREATE = 0b1;
119
        /// Fail if not a directory, similar to `O_DIRECTORY` in POSIX.
120
        const DIRECTORY = 0b10;
121
        /// Fail if file already exists, similar to `O_EXCL` in POSIX.
122
        const EXCLUSIVE = 0b100;
123
        /// Truncate file to size 0, similar to `O_TRUNC` in POSIX.
124
        const TRUNCATE = 0b1000;
125
    }
126
}
127

128
bitflags::bitflags! {
129
    /// Descriptor flags.
130
    ///
131
    /// Note: This was called `fdflags` in earlier versions of WASI.
132
    #[derive(Copy, Clone, Debug, PartialEq, Eq)]
133
    pub(crate) struct DescriptorFlags: usize {
134
        /// Read mode: Data can be read.
135
        const READ = 0b1;
136
        /// Write mode: Data can be written to.
137
        const WRITE = 0b10;
138
        /// Request that writes be performed according to synchronized I/O file
139
        /// integrity completion. The data stored in the file and the file's
140
        /// metadata are synchronized. This is similar to `O_SYNC` in POSIX.
141
        ///
142
        /// The precise semantics of this operation have not yet been defined for
143
        /// WASI. At this time, it should be interpreted as a request, and not a
144
        /// requirement.
145
        const FILE_INTEGRITY_SYNC = 0b100;
146
        /// Request that writes be performed according to synchronized I/O data
147
        /// integrity completion. Only the data stored in the file is
148
        /// synchronized. This is similar to `O_DSYNC` in POSIX.
149
        ///
150
        /// The precise semantics of this operation have not yet been defined for
151
        /// WASI. At this time, it should be interpreted as a request, and not a
152
        /// requirement.
153
        const DATA_INTEGRITY_SYNC = 0b1000;
154
        /// Requests that reads be performed at the same level of integrity
155
        /// requested for writes. This is similar to `O_RSYNC` in POSIX.
156
        ///
157
        /// The precise semantics of this operation have not yet been defined for
158
        /// WASI. At this time, it should be interpreted as a request, and not a
159
        /// requirement.
160
        const REQUESTED_WRITE_SYNC = 0b10000;
161
        /// Mutating directories mode: Directory contents may be mutated.
162
        ///
163
        /// When this flag is unset on a descriptor, operations using the
164
        /// descriptor which would create, rename, delete, modify the data or
165
        /// metadata of filesystem objects, or obtain another handle which
166
        /// would permit any of those, shall fail with `error-code::read-only` if
167
        /// they would otherwise succeed.
168
        ///
169
        /// This may only be set on directories.
170
        const MUTATE_DIRECTORY = 0b100000;
171
    }
172
}
173

174
/// Error codes returned by functions, similar to `errno` in POSIX.
175
/// Not all of these error codes are returned by the functions provided by this
176
/// API; some are used in higher-level library layers, and others are provided
177
/// merely for alignment with POSIX.
178
#[cfg_attr(
179
    windows,
180
    expect(dead_code, reason = "on Windows, some of these are not used")
181
)]
182
pub(crate) enum ErrorCode {
183
    /// Permission denied, similar to `EACCES` in POSIX.
184
    Access,
185
    /// Connection already in progress, similar to `EALREADY` in POSIX.
186
    Already,
187
    /// Bad descriptor, similar to `EBADF` in POSIX.
188
    BadDescriptor,
189
    /// Device or resource busy, similar to `EBUSY` in POSIX.
190
    Busy,
191
    /// File exists, similar to `EEXIST` in POSIX.
192
    Exist,
193
    /// File too large, similar to `EFBIG` in POSIX.
194
    FileTooLarge,
195
    /// Illegal byte sequence, similar to `EILSEQ` in POSIX.
196
    IllegalByteSequence,
197
    /// Operation in progress, similar to `EINPROGRESS` in POSIX.
198
    InProgress,
199
    /// Interrupted function, similar to `EINTR` in POSIX.
200
    Interrupted,
201
    /// Invalid argument, similar to `EINVAL` in POSIX.
202
    Invalid,
203
    /// I/O error, similar to `EIO` in POSIX.
204
    Io,
205
    /// Is a directory, similar to `EISDIR` in POSIX.
206
    IsDirectory,
207
    /// Too many levels of symbolic links, similar to `ELOOP` in POSIX.
208
    Loop,
209
    /// Too many links, similar to `EMLINK` in POSIX.
210
    TooManyLinks,
211
    /// Filename too long, similar to `ENAMETOOLONG` in POSIX.
212
    NameTooLong,
213
    /// No such file or directory, similar to `ENOENT` in POSIX.
214
    NoEntry,
215
    /// Not enough space, similar to `ENOMEM` in POSIX.
216
    InsufficientMemory,
217
    /// No space left on device, similar to `ENOSPC` in POSIX.
218
    InsufficientSpace,
219
    /// Not a directory or a symbolic link to a directory, similar to `ENOTDIR` in POSIX.
220
    NotDirectory,
221
    /// Directory not empty, similar to `ENOTEMPTY` in POSIX.
222
    NotEmpty,
223
    /// Not supported, similar to `ENOTSUP` and `ENOSYS` in POSIX.
224
    Unsupported,
225
    /// Value too large to be stored in data type, similar to `EOVERFLOW` in POSIX.
226
    Overflow,
227
    /// Operation not permitted, similar to `EPERM` in POSIX.
228
    NotPermitted,
229
    /// Broken pipe, similar to `EPIPE` in POSIX.
230
    Pipe,
231
    /// Invalid seek, similar to `ESPIPE` in POSIX.
232
    InvalidSeek,
233
}
234

235
fn datetime_from(t: std::time::SystemTime) -> Datetime {
236
    // FIXME make this infallible or handle errors properly
237
    Datetime::try_from(cap_std::time::SystemTime::from_std(t)).unwrap()
238
}
239

240
/// The type of a filesystem object referenced by a descriptor.
241
///
242
/// Note: This was called `filetype` in earlier versions of WASI.
243
pub(crate) enum DescriptorType {
244
    /// The type of the descriptor or file is unknown or is different from
245
    /// any of the other types specified.
246
    Unknown,
247
    /// The descriptor refers to a block device inode.
248
    BlockDevice,
249
    /// The descriptor refers to a character device inode.
250
    CharacterDevice,
251
    /// The descriptor refers to a directory inode.
252
    Directory,
253
    /// The file refers to a symbolic link inode.
254
    SymbolicLink,
255
    /// The descriptor refers to a regular file inode.
256
    RegularFile,
257
}
258

259
impl From<cap_std::fs::FileType> for DescriptorType {
260
    fn from(ft: cap_std::fs::FileType) -> Self {
261
        if ft.is_dir() {
262
            DescriptorType::Directory
263
        } else if ft.is_symlink() {
264
            DescriptorType::SymbolicLink
265
        } else if ft.is_block_device() {
266
            DescriptorType::BlockDevice
267
        } else if ft.is_char_device() {
268
            DescriptorType::CharacterDevice
269
        } else if ft.is_file() {
270
            DescriptorType::RegularFile
271
        } else {
272
            DescriptorType::Unknown
273
        }
274
    }
275
}
276

277
/// File attributes.
278
///
279
/// Note: This was called `filestat` in earlier versions of WASI.
280
pub(crate) struct DescriptorStat {
281
    /// File type.
282
    pub type_: DescriptorType,
283
    /// Number of hard links to the file.
284
    pub link_count: u64,
285
    /// For regular files, the file size in bytes. For symbolic links, the
286
    /// length in bytes of the pathname contained in the symbolic link.
287
    pub size: u64,
288
    /// Last data access timestamp.
289
    ///
290
    /// If the `option` is none, the platform doesn't maintain an access
291
    /// timestamp for this file.
292
    pub data_access_timestamp: Option<Datetime>,
293
    /// Last data modification timestamp.
294
    ///
295
    /// If the `option` is none, the platform doesn't maintain a
296
    /// modification timestamp for this file.
297
    pub data_modification_timestamp: Option<Datetime>,
298
    /// Last file status-change timestamp.
299
    ///
300
    /// If the `option` is none, the platform doesn't maintain a
301
    /// status-change timestamp for this file.
302
    pub status_change_timestamp: Option<Datetime>,
303
}
304

305
impl From<cap_std::fs::Metadata> for DescriptorStat {
306
    fn from(meta: cap_std::fs::Metadata) -> Self {
307
        Self {
308
            type_: meta.file_type().into(),
309
            link_count: meta.nlink(),
310
            size: meta.len(),
311
            data_access_timestamp: meta.accessed().map(|t| datetime_from(t.into_std())).ok(),
312
            data_modification_timestamp: meta.modified().map(|t| datetime_from(t.into_std())).ok(),
313
            status_change_timestamp: meta.created().map(|t| datetime_from(t.into_std())).ok(),
314
        }
315
    }
316
}
317

318
/// A 128-bit hash value, split into parts because wasm doesn't have a
319
/// 128-bit integer type.
320
pub(crate) struct MetadataHashValue {
321
    /// 64 bits of a 128-bit hash value.
322
    pub lower: u64,
323
    /// Another 64 bits of a 128-bit hash value.
324
    pub upper: u64,
325
}
326

327
impl From<&cap_std::fs::Metadata> for MetadataHashValue {
328
    fn from(meta: &cap_std::fs::Metadata) -> Self {
329
        use cap_fs_ext::MetadataExt;
330
        // Without incurring any deps, std provides us with a 64 bit hash
331
        // function:
332
        use std::hash::Hasher;
333
        // Note that this means that the metadata hash (which becomes a preview1 ino) may
334
        // change when a different rustc release is used to build this host implementation:
335
        let mut hasher = hash_map::DefaultHasher::new();
336
        hasher.write_u64(meta.dev());
337
        hasher.write_u64(meta.ino());
338
        let lower = hasher.finish();
339
        // MetadataHashValue has a pair of 64-bit members for representing a
340
        // single 128-bit number. However, we only have 64 bits of entropy. To
341
        // synthesize the upper 64 bits, lets xor the lower half with an arbitrary
342
        // constant, in this case the 64 bit integer corresponding to the IEEE
343
        // double representation of (a number as close as possible to) pi.
344
        // This seems better than just repeating the same bits in the upper and
345
        // lower parts outright, which could make folks wonder if the struct was
346
        // mangled in the ABI, or worse yet, lead to consumers of this interface
347
        // expecting them to be equal.
348
        let upper = lower ^ 4614256656552045848u64;
349
        Self { lower, upper }
350
    }
351
}
352

353
#[cfg(unix)]
354
fn from_raw_os_error(err: Option<i32>) -> Option<ErrorCode> {
355
    use rustix::io::Errno as RustixErrno;
356
    if err.is_none() {
357
        return None;
358
    }
359
    Some(match RustixErrno::from_raw_os_error(err.unwrap()) {
360
        RustixErrno::PIPE => ErrorCode::Pipe,
361
        RustixErrno::PERM => ErrorCode::NotPermitted,
362
        RustixErrno::NOENT => ErrorCode::NoEntry,
363
        RustixErrno::NOMEM => ErrorCode::InsufficientMemory,
364
        RustixErrno::IO => ErrorCode::Io,
365
        RustixErrno::BADF => ErrorCode::BadDescriptor,
366
        RustixErrno::BUSY => ErrorCode::Busy,
367
        RustixErrno::ACCESS => ErrorCode::Access,
368
        RustixErrno::NOTDIR => ErrorCode::NotDirectory,
369
        RustixErrno::ISDIR => ErrorCode::IsDirectory,
370
        RustixErrno::INVAL => ErrorCode::Invalid,
371
        RustixErrno::EXIST => ErrorCode::Exist,
372
        RustixErrno::FBIG => ErrorCode::FileTooLarge,
373
        RustixErrno::NOSPC => ErrorCode::InsufficientSpace,
374
        RustixErrno::SPIPE => ErrorCode::InvalidSeek,
375
        RustixErrno::MLINK => ErrorCode::TooManyLinks,
376
        RustixErrno::NAMETOOLONG => ErrorCode::NameTooLong,
377
        RustixErrno::NOTEMPTY => ErrorCode::NotEmpty,
378
        RustixErrno::LOOP => ErrorCode::Loop,
379
        RustixErrno::OVERFLOW => ErrorCode::Overflow,
380
        RustixErrno::ILSEQ => ErrorCode::IllegalByteSequence,
381
        RustixErrno::NOTSUP => ErrorCode::Unsupported,
382
        RustixErrno::ALREADY => ErrorCode::Already,
383
        RustixErrno::INPROGRESS => ErrorCode::InProgress,
384
        RustixErrno::INTR => ErrorCode::Interrupted,
385

386
        // On some platforms, these have the same value as other errno values.
387
        #[allow(unreachable_patterns, reason = "see comment")]
388
        RustixErrno::OPNOTSUPP => ErrorCode::Unsupported,
389

390
        _ => return None,
391
    })
392
}
393

394
#[cfg(windows)]
395
fn from_raw_os_error(raw_os_error: Option<i32>) -> Option<ErrorCode> {
396
    use windows_sys::Win32::Foundation;
397
    Some(match raw_os_error.map(|code| code as u32) {
398
        Some(Foundation::ERROR_FILE_NOT_FOUND) => ErrorCode::NoEntry,
399
        Some(Foundation::ERROR_PATH_NOT_FOUND) => ErrorCode::NoEntry,
400
        Some(Foundation::ERROR_ACCESS_DENIED) => ErrorCode::Access,
401
        Some(Foundation::ERROR_SHARING_VIOLATION) => ErrorCode::Access,
402
        Some(Foundation::ERROR_PRIVILEGE_NOT_HELD) => ErrorCode::NotPermitted,
403
        Some(Foundation::ERROR_INVALID_HANDLE) => ErrorCode::BadDescriptor,
404
        Some(Foundation::ERROR_INVALID_NAME) => ErrorCode::NoEntry,
405
        Some(Foundation::ERROR_NOT_ENOUGH_MEMORY) => ErrorCode::InsufficientMemory,
406
        Some(Foundation::ERROR_OUTOFMEMORY) => ErrorCode::InsufficientMemory,
407
        Some(Foundation::ERROR_DIR_NOT_EMPTY) => ErrorCode::NotEmpty,
408
        Some(Foundation::ERROR_NOT_READY) => ErrorCode::Busy,
409
        Some(Foundation::ERROR_BUSY) => ErrorCode::Busy,
410
        Some(Foundation::ERROR_NOT_SUPPORTED) => ErrorCode::Unsupported,
411
        Some(Foundation::ERROR_FILE_EXISTS) => ErrorCode::Exist,
412
        Some(Foundation::ERROR_BROKEN_PIPE) => ErrorCode::Pipe,
413
        Some(Foundation::ERROR_BUFFER_OVERFLOW) => ErrorCode::NameTooLong,
414
        Some(Foundation::ERROR_NOT_A_REPARSE_POINT) => ErrorCode::Invalid,
415
        Some(Foundation::ERROR_NEGATIVE_SEEK) => ErrorCode::Invalid,
416
        Some(Foundation::ERROR_DIRECTORY) => ErrorCode::NotDirectory,
417
        Some(Foundation::ERROR_ALREADY_EXISTS) => ErrorCode::Exist,
418
        Some(Foundation::ERROR_STOPPED_ON_SYMLINK) => ErrorCode::Loop,
419
        Some(Foundation::ERROR_DIRECTORY_NOT_SUPPORTED) => ErrorCode::IsDirectory,
420
        _ => return None,
421
    })
422
}
423

424
impl<'a> From<&'a std::io::Error> for ErrorCode {
425
    fn from(err: &'a std::io::Error) -> ErrorCode {
426
        match from_raw_os_error(err.raw_os_error()) {
427
            Some(errno) => errno,
428
            None => {
429
                debug!("unknown raw os error: {err}");
430
                match err.kind() {
431
                    std::io::ErrorKind::NotFound => ErrorCode::NoEntry,
432
                    std::io::ErrorKind::PermissionDenied => ErrorCode::NotPermitted,
433
                    std::io::ErrorKind::AlreadyExists => ErrorCode::Exist,
434
                    std::io::ErrorKind::InvalidInput => ErrorCode::Invalid,
435
                    _ => ErrorCode::Io,
436
                }
437
            }
438
        }
439
    }
440
}
441

442
impl From<std::io::Error> for ErrorCode {
443
    fn from(err: std::io::Error) -> ErrorCode {
444
        ErrorCode::from(&err)
445
    }
446
}
447

448
#[derive(Clone)]
449
pub enum Descriptor {
450
    File(File),
451
    Dir(Dir),
452
}
453

454
impl Descriptor {
455
    pub(crate) fn file(&self) -> Result<&File, ErrorCode> {
456
        match self {
457
            Descriptor::File(f) => Ok(f),
458
            Descriptor::Dir(_) => Err(ErrorCode::BadDescriptor),
459
        }
460
    }
461

462
    pub(crate) fn dir(&self) -> Result<&Dir, ErrorCode> {
463
        match self {
464
            Descriptor::Dir(d) => Ok(d),
465
            Descriptor::File(_) => Err(ErrorCode::NotDirectory),
466
        }
467
    }
468

469
    async fn get_metadata(&self) -> std::io::Result<cap_std::fs::Metadata> {
470
        match self {
471
            Self::File(f) => {
472
                // No permissions check on metadata: if opened, allowed to stat it
473
                f.run_blocking(|f| f.metadata()).await
474
            }
475
            Self::Dir(d) => {
476
                // No permissions check on metadata: if opened, allowed to stat it
477
                d.run_blocking(|d| d.dir_metadata()).await
478
            }
479
        }
480
    }
481

482
    pub(crate) async fn sync_data(&self) -> Result<(), ErrorCode> {
483
        match self {
484
            Self::File(f) => {
485
                match f.run_blocking(|f| f.sync_data()).await {
486
                    Ok(()) => Ok(()),
487
                    // On windows, `sync_data` uses `FileFlushBuffers` which fails with
488
                    // `ERROR_ACCESS_DENIED` if the file is not upen for writing. Ignore
489
                    // this error, for POSIX compatibility.
490
                    #[cfg(windows)]
491
                    Err(err)
492
                        if err.raw_os_error()
493
                            == Some(windows_sys::Win32::Foundation::ERROR_ACCESS_DENIED as _) =>
494
                    {
495
                        Ok(())
496
                    }
497
                    Err(err) => Err(err.into()),
498
                }
499
            }
500
            Self::Dir(d) => {
501
                d.run_blocking(|d| {
502
                    let d = d.open(std::path::Component::CurDir)?;
503
                    d.sync_data()?;
504
                    Ok(())
505
                })
506
                .await
507
            }
508
        }
509
    }
510

511
    pub(crate) async fn get_flags(&self) -> Result<DescriptorFlags, ErrorCode> {
512
        use system_interface::fs::{FdFlags, GetSetFdFlags};
513

514
        fn get_from_fdflags(flags: FdFlags) -> DescriptorFlags {
515
            let mut out = DescriptorFlags::empty();
516
            if flags.contains(FdFlags::DSYNC) {
517
                out |= DescriptorFlags::REQUESTED_WRITE_SYNC;
518
            }
519
            if flags.contains(FdFlags::RSYNC) {
520
                out |= DescriptorFlags::DATA_INTEGRITY_SYNC;
521
            }
522
            if flags.contains(FdFlags::SYNC) {
523
                out |= DescriptorFlags::FILE_INTEGRITY_SYNC;
524
            }
525
            out
526
        }
527
        match self {
528
            Self::File(f) => {
529
                let flags = f.run_blocking(|f| f.get_fd_flags()).await?;
530
                let mut flags = get_from_fdflags(flags);
531
                if f.open_mode.contains(OpenMode::READ) {
532
                    flags |= DescriptorFlags::READ;
533
                }
534
                if f.open_mode.contains(OpenMode::WRITE) {
535
                    flags |= DescriptorFlags::WRITE;
536
                }
537
                Ok(flags)
538
            }
539
            Self::Dir(d) => {
540
                let flags = d.run_blocking(|d| d.get_fd_flags()).await?;
541
                let mut flags = get_from_fdflags(flags);
542
                if d.open_mode.contains(OpenMode::READ) {
543
                    flags |= DescriptorFlags::READ;
544
                }
545
                if d.open_mode.contains(OpenMode::WRITE) {
546
                    flags |= DescriptorFlags::MUTATE_DIRECTORY;
547
                }
548
                Ok(flags)
549
            }
550
        }
551
    }
552

553
    pub(crate) async fn get_type(&self) -> Result<DescriptorType, ErrorCode> {
554
        match self {
555
            Self::File(f) => {
556
                let meta = f.run_blocking(|f| f.metadata()).await?;
557
                Ok(meta.file_type().into())
558
            }
559
            Self::Dir(_) => Ok(DescriptorType::Directory),
560
        }
561
    }
562

563
    pub(crate) async fn set_times(
564
        &self,
565
        atim: Option<SystemTimeSpec>,
566
        mtim: Option<SystemTimeSpec>,
567
    ) -> Result<(), ErrorCode> {
568
        use fs_set_times::SetTimes as _;
569
        match self {
570
            Self::File(f) => {
571
                if !f.perms.contains(FilePerms::WRITE) {
572
                    return Err(ErrorCode::NotPermitted);
573
                }
574
                f.run_blocking(|f| f.set_times(atim, mtim)).await?;
575
                Ok(())
576
            }
577
            Self::Dir(d) => {
578
                if !d.perms.contains(DirPerms::MUTATE) {
579
                    return Err(ErrorCode::NotPermitted);
580
                }
581
                d.run_blocking(|d| d.set_times(atim, mtim)).await?;
582
                Ok(())
583
            }
584
        }
585
    }
586

587
    pub(crate) async fn sync(&self) -> Result<(), ErrorCode> {
588
        match self {
589
            Self::File(f) => {
590
                match f.run_blocking(|f| f.sync_all()).await {
591
                    Ok(()) => Ok(()),
592
                    // On windows, `sync_data` uses `FileFlushBuffers` which fails with
593
                    // `ERROR_ACCESS_DENIED` if the file is not upen for writing. Ignore
594
                    // this error, for POSIX compatibility.
595
                    #[cfg(windows)]
596
                    Err(err)
597
                        if err.raw_os_error()
598
                            == Some(windows_sys::Win32::Foundation::ERROR_ACCESS_DENIED as _) =>
599
                    {
600
                        Ok(())
601
                    }
602
                    Err(err) => Err(err.into()),
603
                }
604
            }
605
            Self::Dir(d) => {
606
                d.run_blocking(|d| {
607
                    let d = d.open(std::path::Component::CurDir)?;
608
                    d.sync_all()?;
609
                    Ok(())
610
                })
611
                .await
612
            }
613
        }
614
    }
615

616
    pub(crate) async fn stat(&self) -> Result<DescriptorStat, ErrorCode> {
617
        match self {
618
            Self::File(f) => {
619
                // No permissions check on stat: if opened, allowed to stat it
620
                let meta = f.run_blocking(|f| f.metadata()).await?;
621
                Ok(meta.into())
622
            }
623
            Self::Dir(d) => {
624
                // No permissions check on stat: if opened, allowed to stat it
625
                let meta = d.run_blocking(|d| d.dir_metadata()).await?;
626
                Ok(meta.into())
627
            }
628
        }
629
    }
630

631
    pub(crate) async fn is_same_object(&self, other: &Self) -> wasmtime::Result<bool> {
632
        use cap_fs_ext::MetadataExt;
633
        let meta_a = self.get_metadata().await?;
634
        let meta_b = other.get_metadata().await?;
635
        if meta_a.dev() == meta_b.dev() && meta_a.ino() == meta_b.ino() {
636
            // MetadataHashValue does not derive eq, so use a pair of
637
            // comparisons to check equality:
638
            debug_assert_eq!(
639
                MetadataHashValue::from(&meta_a).upper,
640
                MetadataHashValue::from(&meta_b).upper,
641
            );
642
            debug_assert_eq!(
643
                MetadataHashValue::from(&meta_a).lower,
644
                MetadataHashValue::from(&meta_b).lower,
645
            );
646
            Ok(true)
647
        } else {
648
            // Hash collisions are possible, so don't assert the negative here
649
            Ok(false)
650
        }
651
    }
652

653
    pub(crate) async fn metadata_hash(&self) -> Result<MetadataHashValue, ErrorCode> {
654
        let meta = self.get_metadata().await?;
655
        Ok(MetadataHashValue::from(&meta))
656
    }
657
}
658

659
#[derive(Clone)]
660
pub struct File {
661
    /// The operating system File this struct is mediating access to.
662
    ///
663
    /// Wrapped in an Arc because the same underlying file is used for
664
    /// implementing the stream types. A copy is also needed for
665
    /// [`spawn_blocking`].
666
    ///
667
    /// [`spawn_blocking`]: Self::spawn_blocking
668
    pub file: Arc<cap_std::fs::File>,
669
    /// Permissions to enforce on access to the file. These permissions are
670
    /// specified by a user of the `crate::WasiCtxBuilder`, and are
671
    /// enforced prior to any enforced by the underlying operating system.
672
    pub perms: FilePerms,
673
    /// The mode the file was opened under: bits for reading, and writing.
674
    /// Required to correctly report the DescriptorFlags, because cap-std
675
    /// doesn't presently provide a cross-platform equivalent of reading the
676
    /// oflags back out using fcntl.
677
    pub open_mode: OpenMode,
678

679
    allow_blocking_current_thread: bool,
680
}
681

682
impl File {
683
    pub fn new(
684
        file: cap_std::fs::File,
685
        perms: FilePerms,
686
        open_mode: OpenMode,
687
        allow_blocking_current_thread: bool,
688
    ) -> Self {
689
        Self {
690
            file: Arc::new(file),
691
            perms,
692
            open_mode,
693
            allow_blocking_current_thread,
694
        }
695
    }
696

697
    /// Execute the blocking `body` function.
698
    ///
699
    /// Depending on how the WasiCtx was configured, the body may either be:
700
    /// - Executed directly on the current thread. In this case the `async`
701
    ///   signature of this method is effectively a lie and the returned
702
    ///   Future will always be immediately Ready. Or:
703
    /// - Spawned on a background thread using [`tokio::task::spawn_blocking`]
704
    ///   and immediately awaited.
705
    ///
706
    /// Intentionally blocking the executor thread might seem unorthodox, but is
707
    /// not actually a problem for specific workloads. See:
708
    /// - [`crate::WasiCtxBuilder::allow_blocking_current_thread`]
709
    /// - [Poor performance of wasmtime file I/O maybe because tokio](https://github.com/bytecodealliance/wasmtime/issues/7973)
710
    /// - [Implement opt-in for enabling WASI to block the current thread](https://github.com/bytecodealliance/wasmtime/pull/8190)
711
    pub(crate) async fn run_blocking<F, R>(&self, body: F) -> R
712
    where
713
        F: FnOnce(&cap_std::fs::File) -> R + Send + 'static,
714
        R: Send + 'static,
715
    {
716
        match self.as_blocking_file() {
717
            Some(file) => body(file),
718
            None => self.spawn_blocking(body).await,
719
        }
720
    }
721

722
    pub(crate) fn spawn_blocking<F, R>(&self, body: F) -> AbortOnDropJoinHandle<R>
723
    where
724
        F: FnOnce(&cap_std::fs::File) -> R + Send + 'static,
725
        R: Send + 'static,
726
    {
727
        let f = self.file.clone();
728
        spawn_blocking(move || body(&f))
729
    }
730

731
    /// Returns `Some` when the current thread is allowed to block in filesystem
732
    /// operations, and otherwise returns `None` to indicate that
733
    /// `spawn_blocking` must be used.
734
    pub(crate) fn as_blocking_file(&self) -> Option<&cap_std::fs::File> {
735
        if self.allow_blocking_current_thread {
736
            Some(&self.file)
737
        } else {
738
            None
739
        }
740
    }
741

742
    /// Returns reference to the underlying [`cap_std::fs::File`]
743
    #[cfg(feature = "p3")]
744
    pub(crate) fn as_file(&self) -> &Arc<cap_std::fs::File> {
745
        &self.file
746
    }
747

748
    pub(crate) async fn advise(
749
        &self,
750
        offset: u64,
751
        len: u64,
752
        advice: system_interface::fs::Advice,
753
    ) -> Result<(), ErrorCode> {
754
        use system_interface::fs::FileIoExt as _;
755
        self.run_blocking(move |f| f.advise(offset, len, advice))
756
            .await?;
757
        Ok(())
758
    }
759

760
    pub(crate) async fn set_size(&self, size: u64) -> Result<(), ErrorCode> {
761
        if !self.perms.contains(FilePerms::WRITE) {
762
            return Err(ErrorCode::NotPermitted);
763
        }
764
        self.run_blocking(move |f| f.set_len(size)).await?;
765
        Ok(())
766
    }
767
}
768

769
#[derive(Clone)]
770
pub struct Dir {
771
    /// The operating system file descriptor this struct is mediating access
772
    /// to.
773
    ///
774
    /// Wrapped in an Arc because a copy is needed for [`spawn_blocking`].
775
    ///
776
    /// [`spawn_blocking`]: Self::spawn_blocking
777
    pub dir: Arc<cap_std::fs::Dir>,
778
    /// Permissions to enforce on access to this directory. These permissions
779
    /// are specified by a user of the `crate::WasiCtxBuilder`, and
780
    /// are enforced prior to any enforced by the underlying operating system.
781
    ///
782
    /// These permissions are also enforced on any directories opened under
783
    /// this directory.
784
    pub perms: DirPerms,
785
    /// Permissions to enforce on any files opened under this directory.
786
    pub file_perms: FilePerms,
787
    /// The mode the directory was opened under: bits for reading, and writing.
788
    /// Required to correctly report the DescriptorFlags, because cap-std
789
    /// doesn't presently provide a cross-platform equivalent of reading the
790
    /// oflags back out using fcntl.
791
    pub open_mode: OpenMode,
792

793
    pub(crate) allow_blocking_current_thread: bool,
794
}
795

796
impl Dir {
797
    pub fn new(
798
        dir: cap_std::fs::Dir,
799
        perms: DirPerms,
800
        file_perms: FilePerms,
801
        open_mode: OpenMode,
802
        allow_blocking_current_thread: bool,
803
    ) -> Self {
804
        Dir {
805
            dir: Arc::new(dir),
806
            perms,
807
            file_perms,
808
            open_mode,
809
            allow_blocking_current_thread,
810
        }
811
    }
812

813
    /// Execute the blocking `body` function.
814
    ///
815
    /// Depending on how the WasiCtx was configured, the body may either be:
816
    /// - Executed directly on the current thread. In this case the `async`
817
    ///   signature of this method is effectively a lie and the returned
818
    ///   Future will always be immediately Ready. Or:
819
    /// - Spawned on a background thread using [`tokio::task::spawn_blocking`]
820
    ///   and immediately awaited.
821
    ///
822
    /// Intentionally blocking the executor thread might seem unorthodox, but is
823
    /// not actually a problem for specific workloads. See:
824
    /// - [`crate::WasiCtxBuilder::allow_blocking_current_thread`]
825
    /// - [Poor performance of wasmtime file I/O maybe because tokio](https://github.com/bytecodealliance/wasmtime/issues/7973)
826
    /// - [Implement opt-in for enabling WASI to block the current thread](https://github.com/bytecodealliance/wasmtime/pull/8190)
827
    pub(crate) async fn run_blocking<F, R>(&self, body: F) -> R
828
    where
829
        F: FnOnce(&cap_std::fs::Dir) -> R + Send + 'static,
830
        R: Send + 'static,
831
    {
832
        if self.allow_blocking_current_thread {
833
            body(&self.dir)
834
        } else {
835
            let d = self.dir.clone();
836
            spawn_blocking(move || body(&d)).await
837
        }
838
    }
839

840
    /// Returns reference to the underlying [`cap_std::fs::Dir`]
841
    #[cfg(feature = "p3")]
842
    pub(crate) fn as_dir(&self) -> &Arc<cap_std::fs::Dir> {
843
        &self.dir
844
    }
845

846
    pub(crate) async fn create_directory_at(&self, path: String) -> Result<(), ErrorCode> {
847
        if !self.perms.contains(DirPerms::MUTATE) {
848
            return Err(ErrorCode::NotPermitted);
849
        }
850
        self.run_blocking(move |d| d.create_dir(&path)).await?;
851
        Ok(())
852
    }
853

854
    pub(crate) async fn stat_at(
855
        &self,
856
        path_flags: PathFlags,
857
        path: String,
858
    ) -> Result<DescriptorStat, ErrorCode> {
859
        if !self.perms.contains(DirPerms::READ) {
860
            return Err(ErrorCode::NotPermitted);
861
        }
862

863
        let meta = if path_flags.contains(PathFlags::SYMLINK_FOLLOW) {
864
            self.run_blocking(move |d| d.metadata(&path)).await?
865
        } else {
866
            self.run_blocking(move |d| d.symlink_metadata(&path))
867
                .await?
868
        };
869
        Ok(meta.into())
870
    }
871

872
    pub(crate) async fn set_times_at(
873
        &self,
874
        path_flags: PathFlags,
875
        path: String,
876
        atim: Option<SystemTimeSpec>,
877
        mtim: Option<SystemTimeSpec>,
878
    ) -> Result<(), ErrorCode> {
879
        use cap_fs_ext::DirExt as _;
880

881
        if !self.perms.contains(DirPerms::MUTATE) {
882
            return Err(ErrorCode::NotPermitted);
883
        }
884
        if path_flags.contains(PathFlags::SYMLINK_FOLLOW) {
885
            self.run_blocking(move |d| {
886
                d.set_times(
887
                    &path,
888
                    atim.map(cap_fs_ext::SystemTimeSpec::from_std),
889
                    mtim.map(cap_fs_ext::SystemTimeSpec::from_std),
890
                )
891
            })
892
            .await?;
893
        } else {
894
            self.run_blocking(move |d| {
895
                d.set_symlink_times(
896
                    &path,
897
                    atim.map(cap_fs_ext::SystemTimeSpec::from_std),
898
                    mtim.map(cap_fs_ext::SystemTimeSpec::from_std),
899
                )
900
            })
901
            .await?;
902
        }
903
        Ok(())
904
    }
905

906
    pub(crate) async fn link_at(
907
        &self,
908
        old_path_flags: PathFlags,
909
        old_path: String,
910
        new_dir: &Self,
911
        new_path: String,
912
    ) -> Result<(), ErrorCode> {
913
        if !self.perms.contains(DirPerms::MUTATE) {
914
            return Err(ErrorCode::NotPermitted);
915
        }
916
        if !new_dir.perms.contains(DirPerms::MUTATE) {
917
            return Err(ErrorCode::NotPermitted);
918
        }
919
        if old_path_flags.contains(PathFlags::SYMLINK_FOLLOW) {
920
            return Err(ErrorCode::Invalid);
921
        }
922
        let new_dir_handle = Arc::clone(&new_dir.dir);
923
        self.run_blocking(move |d| d.hard_link(&old_path, &new_dir_handle, &new_path))
924
            .await?;
925
        Ok(())
926
    }
927

928
    pub(crate) async fn open_at(
929
        &self,
930
        path_flags: PathFlags,
931
        path: String,
932
        oflags: OpenFlags,
933
        flags: DescriptorFlags,
934
        allow_blocking_current_thread: bool,
935
    ) -> Result<Descriptor, ErrorCode> {
936
        use cap_fs_ext::{FollowSymlinks, OpenOptionsFollowExt, OpenOptionsMaybeDirExt};
937
        use system_interface::fs::{FdFlags, GetSetFdFlags};
938

939
        if !self.perms.contains(DirPerms::READ) {
940
            return Err(ErrorCode::NotPermitted);
941
        }
942

943
        if !self.perms.contains(DirPerms::MUTATE) {
944
            if oflags.contains(OpenFlags::CREATE) || oflags.contains(OpenFlags::TRUNCATE) {
945
                return Err(ErrorCode::NotPermitted);
946
            }
947
            if flags.contains(DescriptorFlags::WRITE) {
948
                return Err(ErrorCode::NotPermitted);
949
            }
950
        }
951

952
        // Track whether we are creating file, for permission check:
953
        let mut create = false;
954
        // Track open mode, for permission check and recording in created descriptor:
955
        let mut open_mode = OpenMode::empty();
956
        // Construct the OpenOptions to give the OS:
957
        let mut opts = cap_std::fs::OpenOptions::new();
958
        opts.maybe_dir(true);
959

960
        if oflags.contains(OpenFlags::CREATE) {
961
            if oflags.contains(OpenFlags::EXCLUSIVE) {
962
                opts.create_new(true);
963
            } else {
964
                opts.create(true);
965
            }
966
            create = true;
967
            opts.write(true);
968
            open_mode |= OpenMode::WRITE;
969
        }
970

971
        if oflags.contains(OpenFlags::TRUNCATE) {
972
            opts.truncate(true).write(true);
973
        }
974
        if flags.contains(DescriptorFlags::READ) {
975
            opts.read(true);
976
            open_mode |= OpenMode::READ;
977
        }
978
        if flags.contains(DescriptorFlags::WRITE) {
979
            opts.write(true);
980
            open_mode |= OpenMode::WRITE;
981
        } else {
982
            // If not opened write, open read. This way the OS lets us open
983
            // the file, but we can use perms to reject use of the file later.
984
            opts.read(true);
985
            open_mode |= OpenMode::READ;
986
        }
987
        if path_flags.contains(PathFlags::SYMLINK_FOLLOW) {
988
            opts.follow(FollowSymlinks::Yes);
989
        } else {
990
            opts.follow(FollowSymlinks::No);
991
        }
992

993
        // These flags are not yet supported in cap-std:
994
        if flags.contains(DescriptorFlags::FILE_INTEGRITY_SYNC)
995
            || flags.contains(DescriptorFlags::DATA_INTEGRITY_SYNC)
996
            || flags.contains(DescriptorFlags::REQUESTED_WRITE_SYNC)
997
        {
998
            return Err(ErrorCode::Unsupported);
999
        }
1000

1001
        if oflags.contains(OpenFlags::DIRECTORY) {
1002
            if oflags.contains(OpenFlags::CREATE)
1003
                || oflags.contains(OpenFlags::EXCLUSIVE)
1004
                || oflags.contains(OpenFlags::TRUNCATE)
1005
            {
1006
                return Err(ErrorCode::Invalid);
1007
            }
1008
        }
1009

1010
        // Now enforce this WasiCtx's permissions before letting the OS have
1011
        // its shot:
1012
        if !self.perms.contains(DirPerms::MUTATE) && create {
1013
            return Err(ErrorCode::NotPermitted);
1014
        }
1015
        if !self.file_perms.contains(FilePerms::WRITE) && open_mode.contains(OpenMode::WRITE) {
1016
            return Err(ErrorCode::NotPermitted);
1017
        }
1018

1019
        // Represents each possible outcome from the spawn_blocking operation.
1020
        // This makes sure we don't have to give spawn_blocking any way to
1021
        // manipulate the table.
1022
        enum OpenResult {
1023
            Dir(cap_std::fs::Dir),
1024
            File(cap_std::fs::File),
1025
            NotDir,
1026
        }
1027

1028
        let opened = self
1029
            .run_blocking::<_, std::io::Result<OpenResult>>(move |d| {
1030
                let mut opened = d.open_with(&path, &opts)?;
1031
                if opened.metadata()?.is_dir() {
1032
                    Ok(OpenResult::Dir(cap_std::fs::Dir::from_std_file(
1033
                        opened.into_std(),
1034
                    )))
1035
                } else if oflags.contains(OpenFlags::DIRECTORY) {
1036
                    Ok(OpenResult::NotDir)
1037
                } else {
1038
                    // FIXME cap-std needs a nonblocking open option so that files reads and writes
1039
                    // are nonblocking. Instead we set it after opening here:
1040
                    let set_fd_flags = opened.new_set_fd_flags(FdFlags::NONBLOCK)?;
1041
                    opened.set_fd_flags(set_fd_flags)?;
1042
                    Ok(OpenResult::File(opened))
1043
                }
1044
            })
1045
            .await?;
1046

1047
        match opened {
1048
            OpenResult::Dir(dir) => Ok(Descriptor::Dir(Dir::new(
1049
                dir,
1050
                self.perms,
1051
                self.file_perms,
1052
                open_mode,
1053
                allow_blocking_current_thread,
1054
            ))),
1055

1056
            OpenResult::File(file) => Ok(Descriptor::File(File::new(
1057
                file,
1058
                self.file_perms,
1059
                open_mode,
1060
                allow_blocking_current_thread,
1061
            ))),
1062

1063
            OpenResult::NotDir => Err(ErrorCode::NotDirectory),
1064
        }
1065
    }
1066

1067
    pub(crate) async fn readlink_at(&self, path: String) -> Result<String, ErrorCode> {
1068
        if !self.perms.contains(DirPerms::READ) {
1069
            return Err(ErrorCode::NotPermitted);
1070
        }
1071
        let link = self.run_blocking(move |d| d.read_link(&path)).await?;
1072
        link.into_os_string()
1073
            .into_string()
1074
            .or(Err(ErrorCode::IllegalByteSequence))
1075
    }
1076

1077
    pub(crate) async fn remove_directory_at(&self, path: String) -> Result<(), ErrorCode> {
1078
        if !self.perms.contains(DirPerms::MUTATE) {
1079
            return Err(ErrorCode::NotPermitted);
1080
        }
1081
        self.run_blocking(move |d| d.remove_dir(&path)).await?;
1082
        Ok(())
1083
    }
1084

1085
    pub(crate) async fn rename_at(
1086
        &self,
1087
        old_path: String,
1088
        new_dir: &Self,
1089
        new_path: String,
1090
    ) -> Result<(), ErrorCode> {
1091
        if !self.perms.contains(DirPerms::MUTATE) {
1092
            return Err(ErrorCode::NotPermitted);
1093
        }
1094
        if !new_dir.perms.contains(DirPerms::MUTATE) {
1095
            return Err(ErrorCode::NotPermitted);
1096
        }
1097
        let new_dir_handle = Arc::clone(&new_dir.dir);
1098
        self.run_blocking(move |d| d.rename(&old_path, &new_dir_handle, &new_path))
1099
            .await?;
1100
        Ok(())
1101
    }
1102

1103
    pub(crate) async fn symlink_at(
1104
        &self,
1105
        src_path: String,
1106
        dest_path: String,
1107
    ) -> Result<(), ErrorCode> {
1108
        // On windows, Dir.symlink is provided by DirExt
1109
        #[cfg(windows)]
1110
        use cap_fs_ext::DirExt;
1111

1112
        if !self.perms.contains(DirPerms::MUTATE) {
1113
            return Err(ErrorCode::NotPermitted);
1114
        }
1115
        self.run_blocking(move |d| d.symlink(&src_path, &dest_path))
1116
            .await?;
1117
        Ok(())
1118
    }
1119

1120
    pub(crate) async fn unlink_file_at(&self, path: String) -> Result<(), ErrorCode> {
1121
        use cap_fs_ext::DirExt;
1122

1123
        if !self.perms.contains(DirPerms::MUTATE) {
1124
            return Err(ErrorCode::NotPermitted);
1125
        }
1126
        self.run_blocking(move |d| d.remove_file_or_symlink(&path))
1127
            .await?;
1128
        Ok(())
1129
    }
1130

1131
    pub(crate) async fn metadata_hash_at(
1132
        &self,
1133
        path_flags: PathFlags,
1134
        path: String,
1135
    ) -> Result<MetadataHashValue, ErrorCode> {
1136
        // No permissions check on metadata: if dir opened, allowed to stat it
1137
        let meta = self
1138
            .run_blocking(move |d| {
1139
                if path_flags.contains(PathFlags::SYMLINK_FOLLOW) {
1140
                    d.metadata(path)
1141
                } else {
1142
                    d.symlink_metadata(path)
1143
                }
1144
            })
1145
            .await?;
1146
        Ok(MetadataHashValue::from(&meta))
1147
    }
1148
}
1149

1150
impl WasiFilesystemCtxView<'_> {
1151
    pub(crate) fn get_directories(
1152
        &mut self,
1153
    ) -> wasmtime::Result<Vec<(Resource<Descriptor>, String)>> {
1154
        let preopens = self.ctx.preopens.clone();
1155
        let mut results = Vec::with_capacity(preopens.len());
1156
        for (dir, name) in preopens {
1157
            let fd = self
1158
                .table
1159
                .push(Descriptor::Dir(dir))
1160
                .with_context(|| format!("failed to push preopen {name}"))?;
1161
            results.push((fd, name));
1162
        }
1163
        Ok(results)
1164
    }
1165
}
1166

1167