filesystem: allow access to /dev/shm/* (#44102)

kralicky · wbpcode · web-flow · commit 70765d736d1e · 2026-04-25T10:12:05.000-07:00
Commit Message: filesystem: allow access to /dev/shm/* Additional Description: This adds `/dev/shm/*` as an allowed path prefix for the posix filesystem impl. I ran into this issue while running integration tests while having the `--sandbox_base=/dev/shm` bazel flag set, which prevented the tests from accessing any files in their own sandbox. Risk Level: low/moderate. Testing: Updated existing tests. The new assertions only run if /dev/shm actually exists, so the code is #ifdef'd out on macos in case anyone out there is running macos coverage builds. Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Joe Kralicky <joekralicky@gmail.com> Signed-off-by: code <wbphub@gmail.com> Co-authored-by: code <wbphub@gmail.com>
diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc
@@ -367,6 +367,17 @@ bool InstanceImplPosix::illegalPath(const std::string& path) {
       absl::StartsWith(canonical_path.return_value_, "/proc/") ||
       canonical_path.return_value_ == "/dev" || canonical_path.return_value_ == "/sys" ||
       canonical_path.return_value_ == "/proc") {
+
+#ifdef __linux__
+    // Allow /dev/shm/*, which is a de-facto standard tmpfs location on linux. A common use case is
+    // to set the bazel sandbox_base to /dev/shm, since /tmp is not always backed by memory. Some
+    // tests may then need to access files in bazel sandboxes under this directory.
+    if (absl::StartsWith(canonical_path.return_value_, "/dev/shm/") ||
+        canonical_path.return_value_ == "/dev/shm") {
+      return false;
+    }
+#endif
+
     return true;
   }
   return false;
diff --git a/test/common/filesystem/filesystem_impl_test.cc b/test/common/filesystem/filesystem_impl_test.cc
@@ -230,6 +230,23 @@ TEST_F(FileSystemImplTest, IllegalPath) {
   EXPECT_TRUE(file_system_.illegalPath("/dev/"));
   // Exception to allow opening from file descriptors. See #7258.
   EXPECT_FALSE(file_system_.illegalPath("/dev/fd/0"));
+
+  if (file_system_.directoryExists("/dev/shm")) {
+    // Exception for /dev/shm/*
+    EXPECT_FALSE(file_system_.illegalPath("/dev/shm/"));
+    EXPECT_FALSE(file_system_.illegalPath("/dev/shm"));
+    EXPECT_TRUE(file_system_.illegalPath("/dev/shm/_some_non_existent_file"));
+    // This is not the same special case as /dev/fd; paths will actually need to exist here to be
+    // considered valid.
+    std::string shmTempFile = "/dev/shm/envoy_test_XXXXXX";
+    auto fd = mkstemp(shmTempFile.data());
+    ASSERT_NE(fd, -1);
+    auto res = file_system_.illegalPath(shmTempFile);
+    close(fd);
+    unlink(shmTempFile.c_str());
+    EXPECT_FALSE(res);
+  }
+
   EXPECT_TRUE(file_system_.illegalPath("/proc"));
   EXPECT_TRUE(file_system_.illegalPath("/proc/"));
   EXPECT_TRUE(file_system_.illegalPath("/sys"));
diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt
@@ -1518,6 +1518,7 @@ timestamps
 timeval
 tmp
 tmpfile
+tmpfs
 token
 tokenize
 tokenized
