cap-std
Attenuation
I have a slight question about attenuation. Let me take cap_std::fs::Dir::remove_file as an example.
It seems to rely upon (from the Rust perspective) interior mutability, in that it takes an &self rather than an &mut self.
I assume that to attenuate a Dir into, say, a ReadOnlyDir, I'd basically need to build a wrapper around Dir which only exposes those functions which do not exercise write permission.
If for instance it did take an &mut, Dir itself could be used to express read-only and writable directories... I'm not sure actually taking an &mut would be the right way to expose this; it entails uniqueness as well as mutation. I'd need to think about it, but looking through the API it was the first question that came to mind.
Indeed, cap-std follows Rust's std in this respect. For example, std::fs::File::set_len takes a &File and not a &mut File even though it mutates the file. And yeah, as you say, you don't have a guarantee of uniqueness; anyone that can figure out the file's name, including other code in the same program, could open the file and mutate it out from underneath.
So I think a wrapping ReadonlyDir sounds like the way to go here. If you're interested, that sounds useful enough that it could live in cap-std or perhaps an auxiliary crate.
Cool, I'm not going to get to it right away, but going forward I'll look at moving existing code and any new projects to this. I'll probably need it eventually, and at that time I will certainly give it a shot!
Thank you for clarifying the direction forward in this regard.
See also the file API from How Emily Tamed the Caml, where editable and readable are separate types:
type readable = {
  isDir : unit -> bool;
  exists : unit -> bool;
  subRdFiles : unit -> readable list;
  subRdFile : string -> readable;
  inChannel : unit -> in_channel;
  getBytes : unit -> string;
  fullPath : unit -> string;
}
type editable = {
  ro : readable;
  subEdFiles : unit -> editable list;
  subEdFile : string -> editable;
  outChannel : unit -> out_channel;
  setBytes : string -> unit;
  mkDir : unit -> unit;
  createNewFile : unit -> unit;
  delete : unit -> unit;
}
and Capabilities – Tahoe-LAFS, where from a read-write capability you can get a read-only capability, and from there a verify-capability.
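As an added illustration of the wrapper approach discussed in this thread (example code written for this note, not cap-std's or dir-view's own code): the `Dir` below is a constructed in-memory stand-in for cap_std::fs::Dir whose mutating methods take &self, and `ReadOnlyDir` is the attenuated view, mirroring the readable/editable split from Emily.

```rust
use std::cell::RefCell;
use std::collections::BTreeMap;
use std::io;
use std::rc::Rc;

// Contents behind one directory capability (constructed stand-in, not cap-std).
#[derive(Default)]
struct Inner {
    files: BTreeMap<String, Vec<u8>>,
    subdirs: BTreeMap<String, Dir>,
}

// Full-authority directory. As with cap_std::fs::Dir, mutating methods take &self,
// so a shared reference suffices to write or delete; read-only-ness needs its own type.
#[derive(Default, Clone)]
pub struct Dir(Rc<RefCell<Inner>>);
fn not_found(name: &str) -> io::Error { io::Error::new(io::ErrorKind::NotFound, name.to_string()) }

impl Dir {
    pub fn read(&self, name: &str) -> io::Result<Vec<u8>> {
        self.0.borrow().files.get(name).cloned().ok_or_else(|| not_found(name))
    }
    pub fn open_dir(&self, name: &str) -> io::Result<Dir> {
        self.0.borrow().subdirs.get(name).cloned().ok_or_else(|| not_found(name))
    }
    pub fn write(&self, name: &str, data: &[u8]) {
        self.0.borrow_mut().files.insert(name.to_string(), data.to_vec());
    }
    pub fn create_dir(&self, name: &str) -> Dir {
        self.0.borrow_mut().subdirs.entry(name.to_string()).or_default().clone()
    }
    pub fn remove_file(&self, name: &str) -> io::Result<()> {
        self.0.borrow_mut().files.remove(name).map(|_| ()).ok_or_else(|| not_found(name))
    }
    // Attenuation: hand out a view with fewer rights. There is no way back up.
    pub fn read_only(&self) -> ReadOnlyDir { ReadOnlyDir(self.clone()) }
}

// The attenuated capability: the inner Dir is private and only non-mutating methods
// are re-exported. As with Emily's subRdFile, a subdirectory opened through a
// read-only view is itself read-only.
pub struct ReadOnlyDir(Dir);
impl ReadOnlyDir {
    pub fn read(&self, name: &str) -> io::Result<Vec<u8>> { self.0.read(name) }
    pub fn open_dir(&self, name: &str) -> io::Result<ReadOnlyDir> { self.0.open_dir(name).map(ReadOnlyDir) }
}
```

Note that the view shares storage with the original Dir: whoever still holds the full capability can mutate the directory underneath the read-only holder, which is exactly the missing-uniqueness point made above.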
I've now created a crate called dir-view, which is a wrapper around cap-std, and which provides the ability to have a read-only view of a directory.