Re: [PATCH 3/7] rust: security: add abstraction for secctx

From: Benno Lossin
Date: Thu Nov 30 2023 - 11:27:12 EST

Next message: Andy Shevchenko: "Re: [PATCH v2 01/10] gpiolib: provide gpiochip_dup_line_label()"
Previous message: Geert Uytterhoeven: "Re: [PATCH v2] riscv: errata: andes: Probe for IOCP only once in boot stage"
In reply to: Alice Ryhl: "[PATCH 3/7] rust: security: add abstraction for secctx"
Next in thread: Alice Ryhl: "[PATCH 4/7] rust: file: add `FileDescriptorReservation`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/29/23 14:11, Alice Ryhl wrote:
> +/// A security context string.
> +///
> +/// The struct has the invariant that it always contains a valid security context.

Refactor to use the `# Invariants` section:

# Invariants
`secdata` points to a valid security context.

I also do not know what a "valid security context" is, so a link to the
definition wouldn't hurt.

> +pub struct SecurityCtx {
> + secdata: *mut core::ffi::c_char,
> + seclen: usize,
> +}
> +
> +impl SecurityCtx {
> + /// Get the security context given its id.
> + pub fn from_secid(secid: u32) -> Result<Self> {
> + let mut secdata = core::ptr::null_mut();
> + let mut seclen = 0;
> + // SAFETY: Just a C FFI call. The pointers are valid for writes.
> + unsafe {
> + to_result(bindings::security_secid_to_secctx(
> + secid,
> + &mut secdata,
> + &mut seclen,
> + ))?;
> + }
> +
> + // If the above call did not fail, then we have a valid security
> + // context, so the invariants are not violated.

Should be tagged `INVARIANT`.

> + Ok(Self {
> + secdata,
> + seclen: usize::try_from(seclen).unwrap(),
> + })
> + }
> +
> + /// Returns whether the security context is empty.
> + pub fn is_empty(&self) -> bool {
> + self.seclen == 0
> + }
> +
> + /// Returns the length of this security context.
> + pub fn len(&self) -> usize {
> + self.seclen
> + }
> +
> + /// Returns the bytes for this security context.
> + pub fn as_bytes(&self) -> &[u8] {
> + let mut ptr = self.secdata;
> + if ptr.is_null() {
> + // Many C APIs will use null pointers for strings of length zero, but

I would just write that the secctx API uses null pointers to denote a
string of length zero.

> + // `slice::from_raw_parts` doesn't allow the pointer to be null even if the length is
> + // zero. Replace the pointer with a dangling but non-null pointer in this case.
> + debug_assert_eq!(self.seclen, 0);

I am feeling a bit uncomfortable with this, why can't we just return
an empty slice in this case?

> + ptr = core::ptr::NonNull::dangling().as_ptr();
> + }
> +
> + // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> + // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> + // pointer is not null.
> + unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> + }
> +}
> +
> +impl Drop for SecurityCtx {
> + fn drop(&mut self) {
> + // SAFETY: This frees a pointer that came from a successful call to
> + // `security_secid_to_secctx`.

This should be part of the type invariant.

--
Cheers,
Benno

> + unsafe {
> + bindings::security_release_secctx(self.secdata, self.seclen as u32);
> + }
> + }
> +}
> --
> 2.43.0.rc1.413.gea7ed67945-goog
>

Next message: Andy Shevchenko: "Re: [PATCH v2 01/10] gpiolib: provide gpiochip_dup_line_label()"
Previous message: Geert Uytterhoeven: "Re: [PATCH v2] riscv: errata: andes: Probe for IOCP only once in boot stage"
In reply to: Alice Ryhl: "[PATCH 3/7] rust: security: add abstraction for secctx"
Next in thread: Alice Ryhl: "[PATCH 4/7] rust: file: add `FileDescriptorReservation`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]