Skip to content
/ securefs Public

Secure Linux file system operations scoped to an arbitrary root directory, without chroot

License

MIT license
31 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

orbstack/securefs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
internal/syncx
internal/syncx
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
securefs.go
securefs.go
 
 
securefs_test.go
securefs_test.go
 
 

Repository files navigation

securefs

Go library for secure file system operations scoped to an arbitrary root directory on Linux, without chroot, mount namespaces, or other privileged features.

This uses the Linux-specific openat2 syscall with RESOLVE_IN_ROOT to prevent symlink escapes and race conditions. Other solutions like securejoin are subject to race conditions.

Unlike O_NOFOLLOW, this supports all file system operations and works with symlinks (as long as they don't escape the specified root directory).

About

Secure Linux file system operations scoped to an arbitrary root directory, without chroot

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

31 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages