Skip to content

ExtractVirtualFileSystemResources does not set correct permissions#46

Open
ih0r-d wants to merge 2 commits intooracle:mainfrom
ih0r-d:feature/43-extract-vfs-resources-permissions
Open

ExtractVirtualFileSystemResources does not set correct permissions#46
ih0r-d wants to merge 2 commits intooracle:mainfrom
ih0r-d:feature/43-extract-vfs-resources-permissions

Conversation

@ih0r-d
Copy link
Contributor

@ih0r-d ih0r-d commented Jan 18, 2026

Description

Permissions are now stored as VFS metadata and applied on extraction.
This fixes non-executable binaries after extractResources.

Type of change

  • New feature (non-breaking change which adds functionality)

Related to #43

What is changed

Updated VirtualFileSystemImpl to support explicit POSIX file permissions as filesystem metadata instead of relying on implicit or hardcoded executable heuristics.

The VFS now:

  • parses file and directory permissions from fileslist,
  • stores permissions on VFS entries,
  • applies permissions when extracting files and directories,
  • uses declared permissions consistently for access and execution checks.

This makes VFS behavior deterministic and aligned with real filesystem semantics.

How Has This Been Tested?

  • Ran existing VirtualFileSystem unit tests locally after updating them to reflect permission-based behavior.
  • Added coverage for permission propagation during extraction.
  • Verified behavior using local embedding examples that trigger VFS extraction.

Test Configuration:

  • JDK: project default
  • OS: Linux / macOS
  • Build tool: Maven
  • GraalPy: local build (SNAPSHOT)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests validating the new behavior
  • New and existing unit tests pass locally
  • Any dependent changes have been merged and published in downstream modules

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jan 18, 2026
@ih0r-d ih0r-d changed the title 43: ExtractVirtualFileSystemResources does not set correct permissions ExtractVirtualFileSystemResources does not set correct permissions Jan 18, 2026
@ih0r-d ih0r-d force-pushed the feature/43-extract-vfs-resources-permissions branch 2 times, most recently from 01f9a4f to 7cee664 Compare January 18, 2026 09:18
@ih0r-d ih0r-d force-pushed the feature/43-extract-vfs-resources-permissions branch 3 times, most recently from 5e340eb to 0c7bdc9 Compare January 19, 2026 18:02
@ih0r-d ih0r-d force-pushed the feature/43-extract-vfs-resources-permissions branch 3 times, most recently from 84fed6e to 903b332 Compare February 20, 2026 17:41
…ction

# Conflicts:
#	org.graalvm.python.embedding/src/main/java/org/graalvm/python/embedding/VirtualFileSystemImpl.java
@ih0r-d ih0r-d force-pushed the feature/43-extract-vfs-resources-permissions branch from 903b332 to cc9b62c Compare February 20, 2026 17:43
@ih0r-d ih0r-d marked this pull request as ready for review February 20, 2026 19:13
String.format("execute access should not be possible for non-executable file '%s'", p));
}

throw securityException("VFS.checkAccess",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this change? I think that main goal is that the permissions are applied when the VFS is extracted to the real filesystem, but when the VFS is used at runtime as virtualized filesystem, I think we should still present all the files as non-executable, because there's no way to actually execute them.


// v1 format: only absolute path
if (line.startsWith("/")) {
Set<PosixFilePermission> permissions = isExecutable(line)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the v1 format we should have the same (broken) permissions as before to stay fully compatible.

dirEntry = de;
} else if (genericEntry == null) {
dirEntry = new DirEntry(dir);
dirEntry = new DirEntry(dir, DEFAULT_DIR_PERMISSIONS);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here we create intermediate directories with default permissions if they are missing, but what if an intermediate directory is just listed later in the fileslist.txt with different than default permissions? E.g., when

dir xxxx /GRAALPY-VFS/foo/
dir xxxx /GRAALPY-VFS/foo/otherdir/
file xxxx /GRAALPY-VFS/foo/otherdir/hello.txt

is listed as

file xxxx /GRAALPY-VFS/foo/otherdir/hello.txt
dir xxxx /GRAALPY-VFS/foo/
dir xxxx /GRAALPY-VFS/foo/otherdir/

throw new IllegalArgumentException("Invalid fileslist entry (expected: <type> <mode> <path>): " + line);
}

EntryType type = switch (parts[0]) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have convention that directories must end with PLATFORM_SEPARATOR - otherwise it is a file. No strong opinion, but I would find it simpler to keep this convention rather than to have extra switch here.

@steve-s
Copy link
Member

steve-s commented Feb 23, 2026

Thanks, @ih0r-d, for your contribution! I left some inline comments. Apart from that:

  • this needs update to org.graalvm.python.embedding.tools.vfs.VFSUtils so that it generates the new format
  • externalResourcesBuilderTest should be extended to check the permissions of the extracted files. GraalPyResources.extractVirtualFileSystemResources is the API that should support the permissions, for the VirtualFileSystem itself when used as org.graalvm.polyglot.io.FileSystem I think we should just keep the old behavior.
  • we should have another test like externalResourcesBuilderTest and another VFS in org.graalvm.python.embedding/src/test/resources that will exercise more broad range of permissions than the existing VFS instances used by the tests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants