Disclaimer: as far evaluating syscall usage is concerned, this review considers only the behavior on Linux.

Pros

• Self-contained, bloat free.
• Only one unsafe public API (trait FromRawFD).
• Wrappers don't rely on complicated contracts (like manually calling free); if necessary, cleanup takes place in drop().

Cons

• Still considered beta according to the readme.
• No API to pass custom flags to syscalls. Issue is acknowledged by upstream (#18, #20).
• 23 uses of unsafe (one in test), but that is unavoidable FFI.

dir.rs

Unsafe

• • Dir::_open() calling libc::open(): return check ok; pointer arg obtained from safe Rust type.
• +1 Dir::_sub_dir() calling libc::openat(): return check ok; pointer arg obtained from safe Rust type.
• • Dir::_read_link() calling libc::readlinkat(): return check ok; pointer arg from safe, zeroed Vec; size passed properly; result then resized to return value..
• • Dir::new_unnamed_file() calling CStr::from_bytes_with_nul_unchecked(): argument is static constant and null terminated.
• • Dir::_open_file() calling libc::openat(): return check ok; pointer arg from safe Rust type.
• • Dir::_open_file() calling File::from_raw_fd(): arg was obtained via ok syscall immediately above.
• • Dir::_symlink() calling libc::symlinkat(): return check ok; pointer args obtained from safe Rust types.
• • Dir::_create_dir() calling libc::mkdirat(): return check ok; pointer arg obtained from safe Rust type.
• • Dir::_unlink() calling libc::unlinkat(): return check ok; pointer args are sane.
• • Dir::_stat() calling mem::zeroed(): used on stack allocated struct type.
• • Dir::_stat() calling libc::fstatat(): return check ok; pointer arg path obtained from safe Rust type; struct stat obtained from zeroed buffer.
• • _rename() calling libc::renameat(): return check ok; pointer args from safe Rust types.
• • _hardlink() calling libc::linkat(): return check ok; pointer args from safe Rust types.
• • _rename_flags() calling libc::syscall() for renameat(2): return check ok; pointer args from safe Rust types; (non-impl'd syscall wrapper, related to libc issue #1508).
• • impl FromRawFd for Dir {}: unsafe API.
• • impl Drop for Dir {} calling libc::close(): no checks for result, which is ok in dtor that must not fail. Checks for libc::AT_FDCWD which is used occasionally in arguments to internal APIs.
• ± Test uses unsafe API.

Other gotchas

• Symlink traversal:
  • • O_NOFOLLOW in calls to openat(2), fstatat(2).
  • • No constructor function accepts flags, so not possible to enforce selectively.
• ± Use of O_TMPFILE in Dir::new_unnamed_file(): ok-ish and issues documented.
• ± Some unsafe blocks extend over non-unsafe calls e. g. to last_os_error().
• ± Casting libc::mode_t to libc::c_uint for calls to openat(); apparently necessary on Freebsd; the rationale should be documented (see #21).
• ± Dir::symlink() reverses order of argument of the syscall. This is unexpected but documented.

list.rs

Unsafe

• ± Platform specific errno accessors.
• • DirIter::next_entry(): unsafe due to writes to errno and general MT unsafety of wrapped call to readdir(3); ok due to errno residing in TLS. Result pointer is wrapped in option type, cannot point to an invalid object, not shared across threads (DirIter is neither Send nor Sync), dropped properly, and not exposed publicly.
• • impl Iterator for DirIter {}: calls unsafe next_entry() (see above); calls unsafe CStr::from_ptr()onconst charpointer obtained earlier by call toreaddir(3)`` which guarantees null termination.
• impl Drop for DirIter {} calling libc::closedir(): is only reached for valid objects.

name.rs

• • No unsafe.
• • Implements a trait AsPath for converting various types to something useable with C APIs that take paths (CStr, CString``). Lifetime bounds ensure this can be used efficiently and safely. No fishy casts.

filetype.rs

• • No unsafe.
• • Trivially safe, if metadata.rs is.

metadata.rs

• • No unsafe.
• • Owns the struct stat, so no issue here with lifetimes.