@secure-exec/core 0.2.0-rc.2 → 0.2.1-rc.1

package/dist/kernel/mount-table.js

@@ -0,0 +1,353 @@
+/**
+ * Mount Table.
+ *
+ * Linux-style VFS mount table that routes paths to mounted filesystem backends
+ * by longest-prefix matching. Replaces the hardcoded layer composition
+ * (DeviceLayer wraps ProcLayer wraps base FS) with a unified routing table.
+ */
+import { KernelError } from "./types.js";
+/**
+ * Normalize a path: collapse //, ., .., strip trailing /.
+ */
+function normalizePath(path) {
+    if (!path || path === "/")
+        return "/";
+    const parts = path.split("/");
+    const stack = [];
+    for (const part of parts) {
+        if (part === "" || part === ".")
+            continue;
+        if (part === "..") {
+            stack.pop();
+        }
+        else {
+            stack.push(part);
+        }
+    }
+    return `/${stack.join("/")}`;
+}
+/**
+ * Get parent directory path.
+ */
+function parentPath(p) {
+    if (p === "/")
+        return "/";
+    const idx = p.lastIndexOf("/");
+    if (idx <= 0)
+        return "/";
+    return p.slice(0, idx);
+}
+/**
+ * Get basename of a path.
+ */
+function basename(p) {
+    const idx = p.lastIndexOf("/");
+    return p.slice(idx + 1);
+}
+export class MountTable {
+    /**
+     * Mounts sorted by path length descending so longest-prefix match is first hit.
+     */
+    mounts;
+    constructor(rootFs) {
+        this.mounts = [{ path: "/", fs: rootFs, readOnly: false }];
+    }
+    /**
+     * Mount a filesystem at the given path.
+     * Auto-creates the mount point directory in the parent filesystem if needed.
+     */
+    mount(path, fs, options) {
+        const normalized = normalizePath(path);
+        if (normalized === "/") {
+            throw new KernelError("EINVAL", "cannot mount over root");
+        }
+        // Check if already mounted
+        if (this.mounts.some((m) => m.path === normalized)) {
+            throw new KernelError("EEXIST", `already mounted at ${normalized}`);
+        }
+        // Auto-create mount point directory in the parent filesystem.
+        // Resolve *before* inserting the new mount so the path goes to the current owner.
+        const { mount: parentMount, relativePath } = this.resolve(normalized);
+        void parentMount.fs
+            .mkdir(relativePath || "/", { recursive: true })
+            .catch(() => {
+            /* directory may already exist */
+        });
+        const entry = {
+            path: normalized,
+            fs,
+            readOnly: options?.readOnly ?? false,
+        };
+        this.mounts.push(entry);
+        // Sort by path length descending for longest-prefix-first matching
+        this.mounts.sort((a, b) => b.path.length - a.path.length);
+    }
+    /**
+     * Unmount the filesystem at the given path.
+     */
+    unmount(path) {
+        const normalized = normalizePath(path);
+        if (normalized === "/") {
+            throw new KernelError("EINVAL", "cannot unmount root");
+        }
+        const idx = this.mounts.findIndex((m) => m.path === normalized);
+        if (idx === -1) {
+            throw new KernelError("EINVAL", `not a mount point: ${normalized}`);
+        }
+        this.mounts.splice(idx, 1);
+    }
+    /**
+     * List all current mounts.
+     */
+    getMounts() {
+        return this.mounts.map((m) => ({
+            path: m.path,
+            readOnly: m.readOnly,
+        }));
+    }
+    // -----------------------------------------------------------------------
+    // Path resolution
+    // -----------------------------------------------------------------------
+    resolve(fullPath) {
+        const normalized = normalizePath(fullPath);
+        for (const mount of this.mounts) {
+            if (mount.path === "/") {
+                // Root mount: forward path as-is
+                return { mount, relativePath: normalized };
+            }
+            if (normalized === mount.path ||
+                normalized.startsWith(`${mount.path}/`)) {
+                const rel = normalized === mount.path
+                    ? ""
+                    : normalized.slice(mount.path.length + 1);
+                return { mount, relativePath: rel };
+            }
+        }
+        // Should never happen since root mount always matches
+        throw new KernelError("ENOENT", `no mount for path: ${fullPath}`);
+    }
+    assertWritable(mount, path) {
+        if (mount.readOnly) {
+            throw new KernelError("EROFS", `read-only filesystem: ${path}`);
+        }
+    }
+    // -----------------------------------------------------------------------
+    // Read operations
+    // -----------------------------------------------------------------------
+    async readFile(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.readFile(relativePath);
+    }
+    async readTextFile(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.readTextFile(relativePath);
+    }
+    async readDir(path) {
+        const { mount, relativePath } = this.resolve(path);
+        const entries = await mount.fs.readDir(relativePath);
+        // Merge mount point basenames for child mounts
+        const normalized = normalizePath(path);
+        const mountBasenames = this.getChildMountBasenames(normalized);
+        if (mountBasenames.length === 0)
+            return entries;
+        const entrySet = new Set(entries);
+        for (const name of mountBasenames) {
+            entrySet.add(name);
+        }
+        return [...entrySet];
+    }
+    async readDirWithTypes(path) {
+        const { mount, relativePath } = this.resolve(path);
+        const entries = await mount.fs.readDirWithTypes(relativePath);
+        // Merge mount point basenames as directory entries
+        const normalized = normalizePath(path);
+        const mountBasenames = this.getChildMountBasenames(normalized);
+        if (mountBasenames.length === 0)
+            return entries;
+        const nameSet = new Set(entries.map((e) => e.name));
+        for (const name of mountBasenames) {
+            if (!nameSet.has(name)) {
+                entries.push({
+                    name,
+                    isDirectory: true,
+                    isSymbolicLink: false,
+                });
+            }
+        }
+        return entries;
+    }
+    async exists(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.exists(relativePath);
+    }
+    async stat(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.stat(relativePath);
+    }
+    async lstat(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.lstat(relativePath);
+    }
+    async realpath(path) {
+        const { mount, relativePath } = this.resolve(path);
+        const resolved = await mount.fs.realpath(relativePath);
+        if (mount.path === "/")
+            return resolved;
+        // Re-prefix the mount path for non-root mounts
+        return `${mount.path}/${resolved}`;
+    }
+    async readlink(path) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.readlink(relativePath);
+    }
+    async pread(path, offset, length) {
+        const { mount, relativePath } = this.resolve(path);
+        return mount.fs.pread(relativePath, offset, length);
+    }
+    async pwrite(path, offset, data) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.pwrite(relativePath, offset, data);
+    }
+    // -----------------------------------------------------------------------
+    // Write operations (check readOnly before forwarding)
+    // -----------------------------------------------------------------------
+    async writeFile(path, content) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.writeFile(relativePath, content);
+    }
+    async createDir(path) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.createDir(relativePath);
+    }
+    async mkdir(path, options) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.mkdir(relativePath, options);
+    }
+    async removeFile(path) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.removeFile(relativePath);
+    }
+    async removeDir(path) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.removeDir(relativePath);
+    }
+    async symlink(target, linkPath) {
+        const { mount, relativePath } = this.resolve(linkPath);
+        this.assertWritable(mount, linkPath);
+        return mount.fs.symlink(target, relativePath);
+    }
+    async link(oldPath, newPath) {
+        const oldResolved = this.resolve(oldPath);
+        const newResolved = this.resolve(newPath);
+        if (oldResolved.mount !== newResolved.mount) {
+            throw new KernelError("EXDEV", `link across mounts: ${oldPath} -> ${newPath}`);
+        }
+        this.assertWritable(oldResolved.mount, oldPath);
+        return oldResolved.mount.fs.link(oldResolved.relativePath, newResolved.relativePath);
+    }
+    async rename(oldPath, newPath) {
+        const oldResolved = this.resolve(oldPath);
+        const newResolved = this.resolve(newPath);
+        if (oldResolved.mount !== newResolved.mount) {
+            throw new KernelError("EXDEV", `rename across mounts: ${oldPath} -> ${newPath}`);
+        }
+        this.assertWritable(oldResolved.mount, oldPath);
+        return oldResolved.mount.fs.rename(oldResolved.relativePath, newResolved.relativePath);
+    }
+    async chmod(path, mode) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.chmod(relativePath, mode);
+    }
+    async chown(path, uid, gid) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.chown(relativePath, uid, gid);
+    }
+    async utimes(path, atime, mtime) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.utimes(relativePath, atime, mtime);
+    }
+    async truncate(path, length) {
+        const { mount, relativePath } = this.resolve(path);
+        this.assertWritable(mount, path);
+        return mount.fs.truncate(relativePath, length);
+    }
+    async fsync(path) {
+        const { mount, relativePath } = this.resolve(path);
+        await mount.fs.fsync?.(relativePath);
+    }
+    async copy(srcPath, dstPath) {
+        const srcResolved = this.resolve(srcPath);
+        const dstResolved = this.resolve(dstPath);
+        if (srcResolved.mount !== dstResolved.mount) {
+            throw new KernelError("EXDEV", `copy across mounts: ${srcPath} -> ${dstPath}`);
+        }
+        this.assertWritable(srcResolved.mount, dstPath);
+        if (srcResolved.mount.fs.copy) {
+            return srcResolved.mount.fs.copy(srcResolved.relativePath, dstResolved.relativePath);
+        }
+        // Fallback: readFile + writeFile.
+        const content = await srcResolved.mount.fs.readFile(srcResolved.relativePath);
+        await srcResolved.mount.fs.writeFile(dstResolved.relativePath, content);
+    }
+    async readDirStat(path) {
+        const { mount, relativePath } = this.resolve(path);
+        if (mount.fs.readDirStat) {
+            return mount.fs.readDirStat(relativePath);
+        }
+        // Fallback: readDirWithTypes + stat for each entry.
+        const entries = await mount.fs.readDirWithTypes(relativePath);
+        const normalized = normalizePath(path);
+        const results = [];
+        for (const entry of entries) {
+            const entryPath = normalized === "/" ? `/${entry.name}` : `${normalized}/${entry.name}`;
+            const stat = await mount.fs.stat(entryPath);
+            results.push({ ...entry, stat });
+        }
+        return results;
+    }
+    // -----------------------------------------------------------------------
+    // Helpers
+    // -----------------------------------------------------------------------
+    /**
+     * Get basenames of child mount points under a directory.
+     * For example, if mounts exist at /dev and /proc, calling with "/" returns ["dev", "proc"].
+     */
+    getChildMountBasenames(dirPath) {
+        const names = [];
+        for (const mount of this.mounts) {
+            if (mount.path === "/")
+                continue;
+            const mountParent = parentPath(mount.path);
+            if (mountParent === dirPath) {
+                names.push(basename(mount.path));
+            }
+        }
+        return names;
+    }
+    /**
+     * Synchronous open preparation (O_CREAT, O_EXCL, O_TRUNC).
+     * Delegates to the underlying backend's prepareOpenSync if it exists.
+     */
+    prepareOpenSync(path, flags) {
+        const { mount, relativePath } = this.resolve(path);
+        if (flags & ~0 && mount.readOnly) {
+            // Check for write flags (O_CREAT=0o100, O_TRUNC=0o1000)
+            const O_CREAT = 0o100;
+            const O_TRUNC = 0o1000;
+            if ((flags & O_CREAT) || (flags & O_TRUNC)) {
+                this.assertWritable(mount, path);
+            }
+        }
+        const backend = mount.fs;
+        return backend.prepareOpenSync?.(relativePath, flags) ?? false;
+    }
+}

package/dist/kernel/permissions.d.ts

@@ -6,6 +6,15 @@
  */
 import type { Permissions } from "./types.js";
 import type { VirtualFileSystem } from "./vfs.js";
+/**
+ * Normalize a filesystem path for permission checks.
+ *
+ * Resolves `.` and `..` components and collapses repeated slashes so that
+ * permission callbacks always see the canonical path. Without this,
+ * `/home/user/project/../../../etc/passwd` would pass a naive
+ * `startsWith('/home/user/project')` check.
+ */
+export declare function normalizeFsPath(p: string): string;
 /**
  * Wrap a VFS with permission checks on every operation.
  */

package/dist/kernel/permissions.js

@@ -18,12 +18,43 @@ function fsError(op, path, reason) {
         : `permission denied, ${op} '${path ?? ""}'`;
     return new KernelError("EACCES", msg);
 }
+/**
+ * Normalize a filesystem path for permission checks.
+ *
+ * Resolves `.` and `..` components and collapses repeated slashes so that
+ * permission callbacks always see the canonical path. Without this,
+ * `/home/user/project/../../../etc/passwd` would pass a naive
+ * `startsWith('/home/user/project')` check.
+ */
+export function normalizeFsPath(p) {
+    // Collapse repeated slashes
+    let cleaned = p.replace(/\/+/g, "/");
+    if (cleaned.length > 1 && cleaned.endsWith("/")) {
+        cleaned = cleaned.slice(0, -1);
+    }
+    const isAbsolute = cleaned.startsWith("/");
+    const parts = cleaned.split("/");
+    const resolved = [];
+    for (const seg of parts) {
+        if (seg === "" || seg === ".")
+            continue;
+        if (seg === "..") {
+            if (resolved.length > 0)
+                resolved.pop();
+        }
+        else {
+            resolved.push(seg);
+        }
+    }
+    const result = (isAbsolute ? "/" : "") + resolved.join("/");
+    return result || (isAbsolute ? "/" : ".");
+}
 /**
  * Wrap a VFS with permission checks on every operation.
  */
 export function wrapFileSystem(fs, permissions) {
     const check = (op, path) => {
-        checkPermission(permissions?.fs, { op, path }, (req, reason) => fsError(op, req.path, reason));
+        checkPermission(permissions?.fs, { op, path: normalizeFsPath(path) }, (req, reason) => fsError(op, req.path, reason));
     };
     const wrapped = {
         prepareOpenSync: (path, flags) => {
@@ -59,6 +90,7 @@ export function wrapFileSystem(fs, permissions) {
         utimes: async (path, atime, mtime) => { check("utimes", path); return fs.utimes(path, atime, mtime); },
         truncate: async (path, length) => { check("truncate", path); return fs.truncate(path, length); },
         pread: async (path, offset, length) => { check("read", path); return fs.pread(path, offset, length); },
+        pwrite: async (path, offset, data) => { check("write", path); return fs.pwrite(path, offset, data); },
     };
     return wrapped;
 }

package/dist/kernel/proc-backend.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Proc backend.
+ *
+ * Standalone VirtualFileSystem that handles /proc paths.
+ * Receives relative paths (e.g. "self/fd" not "/proc/self/fd").
+ * Designed to be mounted at /proc via MountTable.
+ */
+import type { FDTableManager } from "./fd-table.js";
+import type { MountEntry } from "./mount-table.js";
+import type { ProcessTable } from "./process-table.js";
+import type { VirtualFileSystem } from "./vfs.js";
+export interface ProcBackendOptions {
+    processTable: ProcessTable;
+    fdTableManager: FDTableManager;
+    hostname?: string;
+    mountTable?: {
+        getMounts(): ReadonlyArray<MountEntry>;
+    };
+}
+/**
+ * Resolve /proc/self references to the given PID.
+ * Paths are relative (no /proc prefix).
+ */
+export declare function resolveProcSelfPath(path: string, pid: number): string;
+/**
+ * Create a standalone proc backend VFS.
+ * All paths are relative to /proc (e.g. "self/fd", "1/environ", "mounts").
+ * Mount at /proc via MountTable.
+ */
+export declare function createProcBackend(options: ProcBackendOptions): VirtualFileSystem;