feat(transfer): wire renameat sandbox into deferred SEC-1.j receiver callers #4697
Open
oferchen wants to merge 1 commit into
Conversation
…callers

Wires `renameat_via_sandbox_or_fallback` into the synchronous `process_file_response` temp -> final commit by adding a `dest_dir` anchor to `ResponseContext` so the SEC-1.j leaf detector can resolve single-component renames through the sandbox dirfd, matching the pattern already shipped in `receiver/transfer/sync.rs`. The io_uring fast path is preserved; only the path-based fallback gains the sandbox routing. The remaining deferred sites (`disk_commit/process.rs` temp-rename and backup-rename, `engine/.../guard.rs` local-copy commit) require carrier plumbing across the cross-thread message boundary or a cross-crate API change; left as `TODO` comments at the rename call sites with the specific blocker noted. Windows falls through to the path-based stdlib via `#[cfg(not(unix))]`, matching the existing SEC-1.l audit guidance.
Summary
Follow-up to SEC-1.j (#4693). Wires `fast_io::renameat_via_sandbox_or_fallback` into the synchronous `transfer_ops::process_file_response` temp -> final rename, matching the pattern already shipped in `receiver/transfer/sync.rs`. The io_uring fast path is preserved; only the path-based fallback gains the sandbox routing. Adds a `dest_dir` anchor to `ResponseContext` so the SEC-1.j single-component leaf detector has the anchor it needs.

Deferred site status

response.rs:284-330). `ResponseContext` now carries `dest_dir` alongside the existing `sandbox` carrier; sole builder at `pipeline.rs:297-303` populates it from `setup.dest_dir`.

`DiskCommitConfig` and `BackupConfig` are owned (Clone + Debug) configs sent across the network -> disk thread boundary. Threading a `DirSandbox` reference requires wrapping it in `Arc<DirSandbox>` (or similar shareable form) and plumbing it through the message types. TODO markers added near `rename_with_io_uring_fallback` and `make_backup`.

`DestinationWriteGuard` lives in the `engine` crate. Threading sandbox to `commit_named_temp_file` requires a cross-crate API change on `DestinationWriteGuard::new` and its local-copy callers. TODO marker added on the commit fn.

Cross-platform

All sandbox plumbing is `#[cfg(unix)]`. Windows continues to use the path-based `std::fs::rename` via `#[cfg(not(unix))]`, matching the SEC-1.l audit guidance.

Test plan

`None` or paths are multi-component)
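The temp -> final commit routing the PR describes, as an added example written for this page; it is not the project's `fast_io::renameat_via_sandbox_or_fallback` or its `DirSandbox`, whose real shapes the PR does not show. It assumes a minimal `DirSandbox` holding an open directory fd, the names `single_component_leaf`, `commit_temp_to_final`, `RenameRoute`, `run_demo` and `symlink_swap_demo`, a direct `extern "C"` declaration of libc's `renameat(2)`, and constructed temp files under a scratch directory. It is Unix-only, so the Windows `#[cfg(not(unix))]` fall-through the PR mentions is not reproduced, and it omits the io_uring fast path. It goes one step beyond the PR's change: `symlink_swap_demo` shows what the dirfd anchor actually protects against, a destination directory swapped for a symlink after the sandbox was opened.

```rust
use std::ffi::{CString, OsStr};
use std::fs::{self, File};
use std::io;
use std::os::raw::{c_char, c_int};
use std::os::unix::{ffi::OsStrExt, io::AsRawFd};
use std::path::{Component, Path, PathBuf};

// renameat(2) from the platform libc, declared here so the example needs no external crate.
extern "C" {
    fn renameat(olddirfd: c_int, old: *const c_char, newdirfd: c_int, new: *const c_char) -> c_int;
}

/// Route a commit took: the sandboxed dirfd was honoured, or the path-based fallback ran.
#[derive(Debug, PartialEq, Eq)]
pub enum RenameRoute {
    SandboxDirfd,
    PathFallback,
}

/// Destination directory pinned by an open descriptor (assumed shape, not the project's
/// type). Renames relative to `dir` land in the directory that was open at creation time.
pub struct DirSandbox {
    dir: File,
    root: PathBuf,
}

impl DirSandbox {
    pub fn open(root: &Path) -> io::Result<Self> {
        let dir = File::open(root)?; // O_RDONLY on a directory is allowed on Unix
        if !dir.metadata()?.is_dir() {
            return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a directory"));
        }
        Ok(DirSandbox { dir, root: root.to_path_buf() })
    }
}

/// Single-component leaf detector: `Some(name)` only when `path` is exactly
/// `dest_dir/<name>` with `name` a normal component (no separator, not `.`/`..`).
pub fn single_component_leaf<'a>(dest_dir: &Path, path: &'a Path) -> Option<&'a OsStr> {
    let mut comps = path.strip_prefix(dest_dir).ok()?.components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(leaf)), None) => Some(leaf),
        _ => None,
    }
}

/// Commit temp -> final: renameat against the pinned dirfd when a sandbox is present and
/// both names are single-component leaves of it; otherwise the path-based std::fs::rename.
pub fn commit_temp_to_final(sandbox: Option<&DirSandbox>, temp: &Path, fin: &Path) -> io::Result<RenameRoute> {
    if let Some(sb) = sandbox {
        if let (Some(from), Some(to)) = (single_component_leaf(&sb.root, temp), single_component_leaf(&sb.root, fin)) {
            let c = |s: &OsStr| CString::new(s.as_bytes()).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e));
            let (from, to, fd) = (c(from)?, c(to)?, sb.dir.as_raw_fd());
            // SAFETY: both CStrings outlive the call; `fd` is an open directory owned by `sb`.
            if unsafe { renameat(fd, from.as_ptr(), fd, to.as_ptr()) } != 0 {
                return Err(io::Error::last_os_error());
            }
            return Ok(RenameRoute::SandboxDirfd);
        }
    }
    fs::rename(temp, fin)?; // no sandbox carrier, or a multi-component path
    Ok(RenameRoute::PathFallback)
}

/// Three commits under a fresh `root`, reporting each route: leaf temp and leaf final ->
/// SandboxDirfd; final nested one level deeper -> PathFallback; no carrier -> PathFallback.
pub fn run_demo(root: &Path) -> io::Result<Vec<RenameRoute>> {
    let dest = root.join("dest");
    fs::create_dir_all(dest.join("sub"))?;
    let sb = DirSandbox::open(&dest)?;
    let cases = [(Some(&sb), ".a.tmp", "a"), (Some(&sb), ".b.tmp", "sub/b"), (None, ".c.tmp", "c")];
    let mut routes = Vec::new();
    for (sandbox, temp, fin) in cases.iter() {
        fs::write(dest.join(temp), b"payload")?; // constructed sample content
        routes.push(commit_temp_to_final(*sandbox, &dest.join(temp), &dest.join(fin))?);
    }
    Ok(routes)
}

/// What the dirfd buys: once the sandbox is open on `dest`, a simulated attacker moves `dest`
/// aside and plants a same-named symlink to `elsewhere`. renameat resolves both names against
/// the pinned fd, so the file lands in the original directory; a path-based rename would have
/// followed the symlink. Returns true when the file landed where the fd was pinned.
pub fn symlink_swap_demo(root: &Path) -> io::Result<bool> {
    let (dest, real, elsewhere) = (root.join("dest"), root.join("real"), root.join("elsewhere"));
    fs::create_dir_all(&dest)?;
    fs::create_dir_all(&elsewhere)?;
    let sb = DirSandbox::open(&dest)?;
    fs::write(dest.join(".d.tmp"), b"payload")?;
    fs::rename(&dest, &real)?; // the swap
    std::os::unix::fs::symlink(&elsewhere, &dest)?;
    let route = commit_temp_to_final(Some(&sb), &dest.join(".d.tmp"), &dest.join("d"))?;
    Ok(route == RenameRoute::SandboxDirfd && real.join("d").is_file() && !elsewhere.join("d").exists())
}

fn main() -> io::Result<()> {
    let root = std::env::temp_dir().join(format!("renameat-sandbox-demo-{}", std::process::id()));
    println!("routes: {:?}", run_demo(&root.join("routes"))?);
    println!("pinned dirfd survived symlink swap: {}", symlink_swap_demo(&root.join("swap"))?);
    fs::remove_dir_all(&root)
}
```

Build with `rustc` on Linux and run. `run_demo` returns `[SandboxDirfd, PathFallback, PathFallback]`: the nested `sub/b` final path and the carrier-less third commit both take the path-based route, the same two fallback conditions (a `None` carrier, multi-component paths) the PR's test-plan fragment names. The leaf detector deliberately rejects `..` and nested paths rather than trying to be clever, which is what makes the dirfd route safe to take without further checks. In the swap scenario a path-based `rename` of `dest/.d.tmp` would be resolved through the planted symlink and fail with ENOENT (or land in `elsewhere` if the attacker had staged a same-named temp there), while the pinned fd keeps the commit in the directory that was actually validated.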