docs/concepts/filesystems/dotdot.md - fuchsia - Git at Google

 # Dot Dot Considered Harmful

 Child processes on Fuchsia are only capable of accessing the resources provided
 to them -- this is an essential idea encompassing “capability-based” systems. If
 a handle is provided to a service, access to that handle implies the client can
 use it.

 Intuitively, this concept can be applied to filesystems: If a handle is
 provided to a directory, it should imply access to resources within that
 directory (and additionally, their subdirectories). Unfortunately, however, a
 holdout from POSIX prevents directory handles from cleanly integrating with
 these concepts in a capability system: “..”. If a handle is provided to a
 directory, the client can simply request “..”, and the handle will be
 “upgraded” to access the parent directory, with broader scope. As a
 consequence, this implies that a handle to a directory can be upgraded
 arbitrarily to access the entire filesystem.

 Traditionally, filesystems have tried to combat this using "chroot", which
 changes the notion of a filesystem root, preventing access beyond ".." in
 trivial cases of path traversal. However, this approach has some problems:

   * Chroot changes the notion of root on a coarse, "per-program" basis, not on
     a per-descriptor basis
   * Chroots are often misused (i.e., fchdir to a different open handle that
     sits outside the chroot)
   * Chroots are not "on by default", so it may be tempting for programs to
     simply not use them.

 To overcome these deficiencies, Fuchsia does not implement traditional dot dot
 semantics on filesystem servers, which would allow open directories to traverse
 upward. More specifically, it disallows access to “..”, preventing clients
 from trivially accessing parent directories. This provides some strong
 properties for process creation: If an application manager only wants to give a
 process access to "/data/my_private_data", then it can simply provide a handle
 to that open directory to the child process, and it will "automatically" be
 sandboxed.

 ## What about paths that can be resolved without the filesystem server?

 Certain paths, such as “foo/../bar”, which can be transformed to “bar”, can be
 determined without accessing a filesystem server in the absence of symbolic
 links (and at the time of writing, symbolic links do not exist on Fuchsia).
 These paths may be canonicalized, or cleaned, on the client-side, prior to
 sending path-based requests to filesystem servers: the libfdio library already
 does this for any fdio operations that are eventually transmitted to
 filesystem servers in a function called `__fdio_cleanpath`.

 ## What about shell traversal?

 I.e, if someone “cd”s into a directory, how can they leave? Internally, the
 notion of “CWD” isn’t merely a file descriptor to an open directory; rather,
 it’s a combination of “file descriptor” and “absolute path interpreted to mean
 CWD”. If all operations to cd act on this absolute path, then “..” can always
 be resolved locally on a client, rather than being transmitted to a filesystem
 server. For example, if the CWD is “/foo/bar”, and a user calls “cd ..”, then
 the underlying call may be transformed into “chdir /foo/bar/..”, which can be
 canonicalized to “/foo”.

 Once these hurdles have been overcome, the benefits of removing “..” are
 enormous: access to filesystem resources fits naturally within the capability
 system, [sandboxing](/docs/concepts/process/sandboxing.md) new processes becomes massively easier, and
 resource access can more naturally be composed through filesystem
 [namespaces](/docs/concepts/process/namespaces.md).
	# Dot Dot Considered Harmful

	Child processes on Fuchsia are only capable of accessing the resources provided
	to them -- this is an essential idea encompassing “capability-based” systems. If
	a handle is provided to a service, access to that handle implies the client can
	use it.

	Intuitively, this concept can be applied to filesystems: If a handle is
	provided to a directory, it should imply access to resources within that
	directory (and additionally, their subdirectories). Unfortunately, however, a
	holdout from POSIX prevents directory handles from cleanly integrating with
	these concepts in a capability system: “..”. If a handle is provided to a
	directory, the client can simply request “..”, and the handle will be
	“upgraded” to access the parent directory, with broader scope. As a
	consequence, this implies that a handle to a directory can be upgraded
	arbitrarily to access the entire filesystem.

	Traditionally, filesystems have tried to combat this using "chroot", which
	changes the notion of a filesystem root, preventing access beyond ".." in
	trivial cases of path traversal. However, this approach has some problems:

	* Chroot changes the notion of root on a coarse, "per-program" basis, not on
	a per-descriptor basis
	* Chroots are often misused (i.e., fchdir to a different open handle that
	sits outside the chroot)
	* Chroots are not "on by default", so it may be tempting for programs to
	simply not use them.

	To overcome these deficiencies, Fuchsia does not implement traditional dot dot
	semantics on filesystem servers, which would allow open directories to traverse
	upward. More specifically, it disallows access to “..”, preventing clients
	from trivially accessing parent directories. This provides some strong
	properties for process creation: If an application manager only wants to give a
	process access to "/data/my_private_data", then it can simply provide a handle
	to that open directory to the child process, and it will "automatically" be
	sandboxed.

	## What about paths that can be resolved without the filesystem server?

	Certain paths, such as “foo/../bar”, which can be transformed to “bar”, can be
	determined without accessing a filesystem server in the absence of symbolic
	links (and at the time of writing, symbolic links do not exist on Fuchsia).
	These paths may be canonicalized, or cleaned, on the client-side, prior to
	sending path-based requests to filesystem servers: the libfdio library already
	does this for any fdio operations that are eventually transmitted to
	filesystem servers in a function called `__fdio_cleanpath`.

	## What about shell traversal?

	I.e, if someone “cd”s into a directory, how can they leave? Internally, the
	notion of “CWD” isn’t merely a file descriptor to an open directory; rather,
	it’s a combination of “file descriptor” and “absolute path interpreted to mean
	CWD”. If all operations to cd act on this absolute path, then “..” can always
	be resolved locally on a client, rather than being transmitted to a filesystem
	server. For example, if the CWD is “/foo/bar”, and a user calls “cd ..”, then
	the underlying call may be transformed into “chdir /foo/bar/..”, which can be
	canonicalized to “/foo”.

	Once these hurdles have been overcome, the benefits of removing “..” are
	enormous: access to filesystem resources fits naturally within the capability
	system, [sandboxing](/docs/concepts/process/sandboxing.md) new processes becomes massively easier, and
	resource access can more naturally be composed through filesystem
	[namespaces](/docs/concepts/process/namespaces.md).