The branch main has been updated by asomers: URL: https://cgit.FreeBSD.org/src/commit/?id=e03ed9daeb49fffa1d16b8d00240c65e92650d01
commit e03ed9daeb49fffa1d16b8d00240c65e92650d01 Author: Jitendra Bhati <[email protected]> AuthorDate: 2026-06-12 17:07:55 +0000 Commit: Alan Somers <[email protected]> CommitDate: 2026-06-23 14:53:56 +0000 fts: refactor to use fd-relative operations internally Replace all _open() calls with _openat() in __fts_open(), fts_read(), and fts_children(). Add fts_dirfd to FTSENT. Callers can use openat(ent->fts_dirfd, ent->fts_name, ...) to access files safely without relying on fts_accpath, which enables: 1. Capsicum capability mode where path-based operations fail 2. Security-sensitive programs that avoid TOCTOU races Replace statfs(ent->fts_path) with _fstatfs(ent->fts_dirfd) in fts_ufslinks() when fts_dirfd is valid, falling back to statfs() for root-level entries where fts_dirfd is -1 This is a preparatory change for fts_openat() which will allow callers to provide a pre-opened directory fd, enabling fts(3) traversal inside Capsicum capability mode. Sponsored by: Google LLC (GSoC 2026) Reviewed by: asomers, jillest MFC after: 2 weeks Pull Request: https://github.com/freebsd/freebsd-src/pull/2278 --- include/fts.h | 1 + lib/libc/gen/fts.c | 38 +++++++++++++++++++++++++++----------- 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/include/fts.h b/include/fts.h index 479905bda463..716103189dca 100644 --- a/include/fts.h +++ b/include/fts.h @@ -133,6 +133,7 @@ struct _ftsent { struct stat *fts_statp; /* stat(2) information */ char *fts_name; /* file name */ FTS *fts_fts; /* back pointer to main FTS */ + int fts_dirfd; /* fd for parent directory */ }; #include <sys/cdefs.h> diff --git a/lib/libc/gen/fts.c b/lib/libc/gen/fts.c index e8063ecb646e..90d5abc49e60 100644 --- a/lib/libc/gen/fts.c +++ b/lib/libc/gen/fts.c @@ -67,6 +67,7 @@ static FTSENT *fts_build(FTS *, int); static void fts_lfree(FTSENT *); static void fts_load(FTS *, FTSENT *); static size_t fts_maxarglen(char * const *); +static FTS *__fts_open(FTS *, char * const *, int); static void fts_padjust(FTS *, FTSENT *); static int fts_palloc(FTS *, size_t); static FTSENT *fts_sort(FTS *, FTSENT *, size_t); @@ -129,7 +130,7 @@ static const char *ufslike_filesystems[] = { default: 0) static FTS * -__fts_open(FTS *sp, char * const *argv) +__fts_open(FTS *sp, char * const *argv, int rootfd) { FTSENT *p, *root; FTSENT *parent, *tmp; @@ -212,9 +213,9 @@ __fts_open(FTS *sp, char * const *argv) * descriptor we run anyway, just more slowly. */ if (!ISSET(FTS_NOCHDIR) && - (sp->fts_rfd = _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0) + (sp->fts_rfd = _openat(rootfd, ".", O_RDONLY | + O_CLOEXEC, 0)) < 0) SET(FTS_NOCHDIR); - return (sp); mem3: fts_lfree(root); @@ -250,7 +251,7 @@ fts_open(char * const *argv, int options, sp->fts_compar = compar; sp->fts_options = options; - return (__fts_open(sp, argv)); + return (__fts_open(sp, argv, AT_FDCWD)); } #ifdef __BLOCKS__ @@ -304,7 +305,7 @@ fts_open_b(char * const *argv, int options, fts_block compar) sp->fts_compar_b = compar; sp->fts_options = options | FTS_COMPAR_B; - if ((sp = __fts_open(sp, argv)) == NULL) { + if ((sp = __fts_open(sp, argv, AT_FDCWD)) == NULL) { #ifdef __BLOCKS__ Block_release(compar); #else @@ -356,6 +357,8 @@ fts_close(FTS *sp) p = p->fts_link != NULL ? p->fts_link : p->fts_parent; free(freep); } + if (p->fts_dirfd >= 0) + (void)_close(p->fts_dirfd); free(p); } @@ -439,8 +442,9 @@ fts_read(FTS *sp) (p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE)) { p->fts_info = fts_stat(sp, p, 1, -1); if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) { - if ((p->fts_symfd = _open(".", O_RDONLY | O_CLOEXEC, - 0)) < 0) { + if ((p->fts_symfd = p->fts_dirfd >= 0 ? + _dup(p->fts_dirfd) : _openat(AT_FDCWD, ".", + O_RDONLY | O_CLOEXEC, 0)) < 0) { p->fts_errno = errno; p->fts_info = FTS_ERR; } else @@ -484,7 +488,7 @@ fts_read(FTS *sp) * FTS_STOP or the fts_info field of the node. */ if (sp->fts_child != NULL) { - if (fts_safe_changedir(sp, p, -1, p->fts_accpath)) { + if (fts_safe_changedir(sp, p, p->fts_dirfd, p->fts_name)) { p->fts_errno = errno; p->fts_flags |= FTS_DONTCHDIR; for (p = sp->fts_child; p != NULL; @@ -532,7 +536,9 @@ next: tmp = p; p->fts_info = fts_stat(sp, p, 1, -1); if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) { if ((p->fts_symfd = - _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0) { + p->fts_dirfd >= 0 ? + _dup(p->fts_dirfd) : _openat(AT_FDCWD, ".", + O_RDONLY | O_CLOEXEC, 0)) < 0) { p->fts_errno = errno; p->fts_info = FTS_ERR; } else @@ -558,6 +564,8 @@ name: t = sp->fts_path + NAPPEND(p->fts_parent); * can distinguish between error and EOF. */ free(tmp); + if (p->fts_dirfd >= 0) + (void)_close(p->fts_dirfd); free(p); errno = 0; return (sp->fts_cur = NULL); @@ -671,7 +679,9 @@ fts_children(FTS *sp, int instr) ISSET(FTS_NOCHDIR)) return (sp->fts_child = fts_build(sp, instr)); - if ((fd = _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0) + if ((fd = sp->fts_cur->fts_dirfd >= 0 ? + _dup(sp->fts_cur->fts_dirfd) : _openat(AT_FDCWD, ".", + O_RDONLY | O_CLOEXEC, 0)) < 0) return (NULL); sp->fts_child = fts_build(sp, instr); serrno = (sp->fts_child == NULL) ? errno : 0; @@ -907,6 +917,7 @@ mem1: saved_errno = errno; } p->fts_level = level; + p->fts_dirfd = _dup(_dirfd(dirp)); p->fts_parent = sp->fts_cur; p->fts_pathlen = len + dnamlen; @@ -1185,6 +1196,7 @@ fts_alloc(FTS *sp, char *name, size_t namelen) return (NULL); p->fts_symfd = -1; + p->fts_dirfd = -1; p->fts_path = sp->fts_path; p->fts_name = (char *)(p + 1); p->fts_namelen = namelen; @@ -1205,6 +1217,8 @@ fts_lfree(FTSENT *head) /* Free a linked list of structures. */ while ((p = head)) { head = head->fts_link; + if (p->fts_dirfd >= 0) + (void)_close(p->fts_dirfd); free(p); } } @@ -1322,7 +1336,9 @@ fts_ufslinks(FTS *sp, const FTSENT *ent) * avoidance. */ if (priv->ftsp_dev != ent->fts_dev) { - if (statfs(ent->fts_path, &priv->ftsp_statfs) != -1) { + if ((ent->fts_dirfd >= 0 ? + _fstatfs(ent->fts_dirfd, &priv->ftsp_statfs) : + statfs(ent->fts_path, &priv->ftsp_statfs)) != -1) { priv->ftsp_dev = ent->fts_dev; priv->ftsp_linksreliable = 0; for (cpp = ufslike_filesystems; *cpp; cpp++) {
