Re: [PATCH 1/3] rust: add untrusted data abstraction

From: Benno Lossin
Date: Wed Sep 18 2024 - 13:33:55 EST


On 18.09.24 19:09, Greg KH wrote:
> On Wed, Sep 18, 2024 at 03:40:54PM +0000, Benno Lossin wrote:
>>>> Yeah, we need more users of this to know the full way to express this
>>>> correctly. I would like to avoid huge refactorings in the future.
>>>
>>> I think adding it to the copy_*_user functions we already have in
>>> upstream, and then asking Alice to rebase binder should be a really solid
>>> real-world testcase. And I think currently for the things in-flight
>>> copy*user is going to be the main source of untrusted data anyway, not so
>>> much page cache folios.
>>
>> Sure. I chose tarfs as the use-case, because Greg mentioned to me that
>> it would benefit from adding this API. (I have no prior linux kernel
>> experience, so you giving me some pointers where this will be useful is
>> very helpful!)
>
> I just had tarfs as an easy example where we were reading data off the
> disk and acting on it, in a way just like C where if the data is
> corrupted we can do "not normal" things. Sorry it got tied up with

No worries! I was just under the impression that this would be common
(maybe it's common for filesystems?), so just having that clarification
now makes more sense.

> folios, that is not the normal way drivers work, they either get data
> from userspace through a char device node (ioctls) or from hardware
> (memory copies/reads/something) and for them the "untrusted data"
> abstraction should be much simpler than dealing with a folio.
>
> We don't really have any other good examples of drivers in rust yet that
> I could find other than maybe binder, but Alice has already posted her
> solution for how to handle untrusted data there (comes in through a char
> device node and/or a filesystem entry point) but it's much more complex
> and possibly harder to use as a simple example of the api ideas.

Yeah that's what I thought as well when you brought it up the first
time.

---
Cheers,
Benno