avoid unnecessary security-guard invocations in ffi-lib

Relevant to racket/sandbox-lib#1

pkgs/base/info.rkt

@@ -12,7 +12,7 @@
 
 (define collection 'multi)
 
-(define version "6.10.0.2")
+(define version "6.10.0.3")
 
 (define deps `("racket-lib"
                ["racket" #:version ,version]))

racket/collects/ffi/unsafe.rkt

@@ -2,7 +2,9 @@
 
 ;; Foreign Racket interface
 (require '#%foreign setup/dirs racket/unsafe/ops racket/private/for
-         (only-in '#%unsafe unsafe-thread-at-root)
+         (only-in '#%unsafe
+                  unsafe-thread-at-root
+                  unsafe-make-security-guard-at-root)
          (for-syntax racket/base racket/list syntax/stx racket/syntax
                      racket/struct-info))
 
@@ -163,9 +165,9 @@
        (ormap ffi-lib* names)    ; try good names first
        (ffi-lib* name0)          ; try original
        (ormap (lambda (name)     ; try relative paths
-		(and (file-exists? name) (ffi-lib* (fullpath name))))
+		(and (file-exists?/insecure name) (ffi-lib* (fullpath name))))
 	      names)
-       (and (file-exists? name0) ; relative with original
+       (and (file-exists?/insecure name0) ; relative with original
 	    (ffi-lib* (fullpath name0)))
        ;; give up: by default, call ffi-lib so it will raise an error
        (if fail
@@ -267,6 +269,14 @@
 ;; avoid them being GCed.  See set-ffi-obj! above.
 (define ffi-objects-ref-table (make-hasheq))
 
+;; Like `file-exists?`, but avoid security-guard checks on the grounds
+;; that it's being called from an already-allowed unsafe operation ---
+;; so a sandbox doesn't have to make additional allowances for the
+;; check.
+(define (file-exists?/insecure path)
+  (parameterize ([current-security-guard (unsafe-make-security-guard-at-root)])
+    (file-exists? path)))
+
 ;; ----------------------------------------------------------------------------
 ;; Compile-time support for fun-expanders
 

racket/collects/racket/unsafe/ops.rkt

@@ -20,6 +20,7 @@
                      unsafe-custodian-register
                      unsafe-custodian-unregister
                      unsafe-register-process-global
+                     unsafe-make-security-guard-at-root
                      unsafe-set-on-atomic-timeout!
                      unsafe-abort-current-continuation/no-wind
                      unsafe-call-with-composable-continuation/no-wind)

racket/src/racket/src/cstartup.inc

@@ -1,5 +1,5 @@
   {
-    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,50,84,0,0,0,0,0,0,0,0,0,
+    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,51,84,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,54,0,0,0,1,0,0,8,0,18,
 0,22,0,26,0,31,0,38,0,42,0,47,0,59,0,66,0,69,0,82,0,
 89,0,94,0,103,0,109,0,123,0,137,0,140,0,146,0,157,0,159,0,173,
@@ -102,7 +102,7 @@
     EVAL_ONE_SIZED_STR((char *)expr, 2091);
   }
   {
-    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,50,84,0,0,0,0,0,0,0,0,0,
+    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,51,84,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,183,0,0,0,1,0,0,8,0,16,
 0,29,0,34,0,51,0,63,0,85,0,114,0,158,0,164,0,178,0,193,0,
 211,0,223,0,239,0,253,0,19,1,39,1,73,1,90,1,107,1,130,1,145,
@@ -1011,7 +1011,7 @@
     EVAL_ONE_SIZED_STR((char *)expr, 19016);
   }
   {
-    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,50,84,0,0,0,0,0,0,0,0,0,
+    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,51,84,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,1,0,0,8,0,23,
 0,48,0,65,0,83,0,105,0,128,0,149,0,171,0,181,0,191,0,199,0,
 209,0,217,0,0,0,253,1,0,0,3,1,5,105,110,115,112,48,76,35,37,
@@ -1042,7 +1042,7 @@
     EVAL_ONE_SIZED_STR((char *)expr, 582);
   }
   {
-    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,50,84,0,0,0,0,0,0,0,0,0,
+    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,51,84,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,102,0,0,0,1,0,0,8,0,15,
 0,26,0,53,0,59,0,73,0,86,0,112,0,129,0,151,0,159,0,171,0,
 186,0,202,0,220,0,241,0,253,0,13,1,36,1,60,1,72,1,103,1,108,
@@ -1538,7 +1538,7 @@
     EVAL_ONE_SIZED_STR((char *)expr, 10344);
   }
   {
-    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,50,84,0,0,0,0,0,0,0,0,0,
+    SHARED_OK static MZCOMPILED_STRING_FAR unsigned char expr[] = {35,126,8,54,46,49,48,46,48,46,51,84,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,1,0,0,8,0,18,
 0,22,0,28,0,42,0,56,0,68,0,88,0,102,0,117,0,130,0,135,0,
 139,0,151,0,235,0,242,0,20,1,0,0,224,1,0,0,3,1,5,105,110,

racket/src/racket/src/schminc.h

@@ -15,7 +15,7 @@
 #define USE_COMPILED_STARTUP 1
 
 #define EXPECTED_PRIM_COUNT 1159
-#define EXPECTED_UNSAFE_COUNT 141
+#define EXPECTED_UNSAFE_COUNT 142
 #define EXPECTED_FLFXNUM_COUNT 69
 #define EXPECTED_EXTFL_COUNT 45
 #define EXPECTED_FUTURES_COUNT 15

racket/src/racket/src/schvers.h

@@ -13,12 +13,12 @@
    consistently.)
 */
 
-#define MZSCHEME_VERSION "6.10.0.2"
+#define MZSCHEME_VERSION "6.10.0.3"
 
 #define MZSCHEME_VERSION_X 6
 #define MZSCHEME_VERSION_Y 10
 #define MZSCHEME_VERSION_Z 0
-#define MZSCHEME_VERSION_W 2
+#define MZSCHEME_VERSION_W 3
 
 #define MZSCHEME_VERSION_MAJOR ((MZSCHEME_VERSION_X * 100) + MZSCHEME_VERSION_Y)
 #define MZSCHEME_VERSION_MINOR ((MZSCHEME_VERSION_Z * 1000) + MZSCHEME_VERSION_W)

racket/src/racket/src/thread.c

@@ -366,6 +366,7 @@ static Scheme_Object *is_thread_cell_values(int argc, Scheme_Object *args[]);
 static Scheme_Object *make_security_guard(int argc, Scheme_Object *argv[]);
 static Scheme_Object *security_guard_p(int argc, Scheme_Object *argv[]);
 static Scheme_Object *current_security_guard(int argc, Scheme_Object *argv[]);
+static Scheme_Object *unsafe_make_security_guard_at_root(int argc, Scheme_Object *argv[]);
 
 static Scheme_Object *security_guard_check_file(int argc, Scheme_Object *argv[]);
 static Scheme_Object *security_guard_check_file_link(int argc, Scheme_Object *argv[]);
@@ -642,6 +643,8 @@ scheme_init_unsafe_thread (Scheme_Env *env)
   GLOBAL_PRIM_W_ARITY("unsafe-register-process-global", unsafe_register_process_global, 2, 2, env);
 
   GLOBAL_PRIM_W_ARITY("unsafe-set-on-atomic-timeout!", unsafe_set_on_atomic_timeout, 1, 1, env);
+
+  GLOBAL_PRIM_W_ARITY("unsafe-make-security-guard-at-root", unsafe_make_security_guard_at_root, 0, 3, env);
 }
 
 void scheme_init_thread_places(void) {
@@ -8215,6 +8218,27 @@ static Scheme_Object *make_security_guard(int argc, Scheme_Object *argv[])
   return (Scheme_Object *)sg;
 }
 
+static Scheme_Object *unsafe_make_security_guard_at_root(int argc, Scheme_Object *argv[])
+{
+  Scheme_Security_Guard *sg;
+
+  if (argc > 0)
+    scheme_check_proc_arity("unsafe-make-security-guard-at-root", 3, 0, argc, argv);
+  if (argc > 1)
+    scheme_check_proc_arity("unsafe-make-security-guard-at-root", 4, 1, argc, argv);
+  if (argc > 2)
+    scheme_check_proc_arity2("unsafe-make-security-guard-at-root", 3, 2, argc, argv, 1);
+
+  sg = MALLOC_ONE_TAGGED(Scheme_Security_Guard);
+  sg->so.type = scheme_security_guard_type;
+  sg->parent = NULL;
+  sg->file_proc = ((argc > 0) ? argv[0] : NULL);
+  sg->network_proc = ((argc > 1) ? argv[1] : NULL);
+  sg->link_proc = ((argc > 2) ? argv[2] : NULL);
+
+  return (Scheme_Object *)sg;
+}
+
 static Scheme_Object *security_guard_p(int argc, Scheme_Object *argv[])
 {
   return ((SAME_TYPE(SCHEME_TYPE(argv[0]), scheme_security_guard_type)) 

racket/src/rktio/rktio_dll.c

@@ -303,6 +303,8 @@ static void get_dl_error(rktio_t *rktio)
     rktio->dll_error = strdup(s);
   else
     rktio->dll_error = strdup("unknown error");
+
+  set_racket_error(RKTIO_ERROR_DLL);
 }
 #endif