Capability-scoped filesystem access (DataDir).

Wraps a cap_std::fs::Dir so every read and write is confined to a base directory: .., absolute paths, drive / UNC prefixes, and symlink escapes are rejected at the syscall layer (Linux openat2(RESOLVE_BENEATH); component-by-component resolution elsewhere). This closes the CWE-22 / CWE-59 / CWE-367 class for advisory import, export, dump, and audit-log writes.

ambient_authority() — the point where process-wide filesystem authority crosses into the capability boundary — appears in exactly one place: DataDir::open. The base directory itself is the trust boundary (an operator-configured path, validated by csaf_models::settings::is_valid_storage_path); everything joined onto it afterwards is untrusted and stays confined.
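To make the component-by-component rule concrete, the following is an added std-only Rust example; it is not the crate's own code and does not use cap_std. It walks an untrusted relative path and refuses any component that could climb out of the base. It covers only the lexical half of the problem: symlink escapes and the check-then-use race (CWE-59 / CWE-367) are exactly what the syscall-layer resolution behind DataDir adds on top, so this is an illustration of the rule, not a substitute for it. The base path and sample inputs are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an untrusted relative path was refused.
#[derive(Debug, PartialEq)]
pub enum Escape {
    /// Leading "/" (a RootDir component).
    Absolute,
    /// Drive letter or UNC prefix (only parsed as such on Windows).
    Prefix,
    /// ".." anywhere in the path.
    ParentDir,
    /// Nothing left once "." components are dropped.
    Empty,
}

/// Lexically confine `untrusted` beneath `base`, one component at a time.
///
/// This is an illustrative check written for this page (not cap_std's
/// implementation). It sees only the path string: a symlink inside `base`
/// pointing outside it is invisible here and needs the kernel-level
/// RESOLVE_BENEATH-style resolution the text describes.
pub fn confine(base: &Path, untrusted: &str) -> Result<PathBuf, Escape> {
    let mut out = base.to_path_buf();
    let mut depth = 0usize;
    for component in Path::new(untrusted).components() {
        match component {
            Component::RootDir => return Err(Escape::Absolute),
            Component::Prefix(_) => return Err(Escape::Prefix),
            // Rejected outright rather than popped: "a/../b" would stay
            // inside `base`, but a ".." in operator-supplied data is
            // never something we want to normalise away silently.
            Component::ParentDir => return Err(Escape::ParentDir),
            Component::CurDir => {}
            Component::Normal(segment) => {
                out.push(segment);
                depth += 1;
            }
        }
    }
    if depth == 0 {
        Err(Escape::Empty)
    } else {
        Ok(out)
    }
}
```

On Linux a string such as `C:\Windows` parses as a single Normal component and is simply joined as a file name beneath the base, which is still confined; the Prefix arm only fires on Windows, where the standard library recognises drive and UNC prefixes.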
Structs

- DataDir: a capability handle to a base directory.