Date: Thu, 30 Nov 2023 16:26:39 +0000
To: Alice Ryhl
From: Benno Lossin
Cc: Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Peter Zijlstra, Alexander Viro, Christian Brauner, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Dan Williams, Kees Cook, Matthew Wilcox, Thomas Gleixner, Daniel Xu, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 3/7] rust: security: add abstraction for secctx
In-Reply-To: <20231129-alice-file-v1-3-f81afe8c7261@google.com>
References: <20231129-alice-file-v1-0-f81afe8c7261@google.com> <20231129-alice-file-v1-3-f81afe8c7261@google.com>

On 11/29/23 14:11, Alice Ryhl wrote:
> +/// A security context string.
> +///
> +/// The struct has the invariant that it always contains a valid security context.

Refactor to use the `# Invariants` section:

    # Invariants

    `secdata` points to a valid security context.

I also do not know what a "valid security context" is, so a link to the
definition wouldn't hurt.

> +pub struct SecurityCtx {
> +    secdata: *mut core::ffi::c_char,
> +    seclen: usize,
> +}
> +
> +impl SecurityCtx {
> +    /// Get the security context given its id.
> +    pub fn from_secid(secid: u32) -> Result {
> +        let mut secdata = core::ptr::null_mut();
> +        let mut seclen = 0;
> +        // SAFETY: Just a C FFI call. The pointers are valid for writes.
> +        unsafe {
> +            to_result(bindings::security_secid_to_secctx(
> +                secid,
> +                &mut secdata,
> +                &mut seclen,
> +            ))?;
> +        }
> +
> +        // If the above call did not fail, then we have a valid security
> +        // context, so the invariants are not violated.

Should be tagged `INVARIANT`.

> +        Ok(Self {
> +            secdata,
> +            seclen: usize::try_from(seclen).unwrap(),
> +        })
> +    }
> +
> +    /// Returns whether the security context is empty.
> +    pub fn is_empty(&self) -> bool {
> +        self.seclen == 0
> +    }
> +
> +    /// Returns the length of this security context.
> +    pub fn len(&self) -> usize {
> +        self.seclen
> +    }
> +
> +    /// Returns the bytes for this security context.
> +    pub fn as_bytes(&self) -> &[u8] {
> +        let mut ptr = self.secdata;
> +        if ptr.is_null() {
> +            // Many C APIs will use null pointers for strings of length zero, but

I would just write that the secctx API uses null pointers to denote a
string of length zero.

> +            // `slice::from_raw_parts` doesn't allow the pointer to be null even if the length is
> +            // zero. Replace the pointer with a dangling but non-null pointer in this case.
> +            debug_assert_eq!(self.seclen, 0);

I am feeling a bit uncomfortable with this, why can't we just return an
empty slice in this case?

> +            ptr = core::ptr::NonNull::dangling().as_ptr();
> +        }
> +
> +        // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> +        // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> +        // pointer is not null.
> +        unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> +    }
> +}
> +
> +impl Drop for SecurityCtx {
> +    fn drop(&mut self) {
> +        // SAFETY: This frees a pointer that came from a successful call to
> +        // `security_secid_to_secctx`.

This should be part of the type invariant.

-- 
Cheers,
Benno

> +        unsafe {
> +            bindings::security_release_secctx(self.secdata, self.seclen as u32);
> +        }
> +    }
> +}
> -- 
> 2.43.0.rc1.413.gea7ed67945-goog
>
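Review bot: The SAFETY comment on the `security_release_secctx` call in `drop` only says the pointer came from a successful `security_secid_to_secctx` call, but nothing on the type states that `secdata` and `seclen` are stored unmodified and released exactly once; putting that into the type's invariant (for example, "`secdata` and `seclen` are the values returned by a successful call to `security_secid_to_secctx` and have not yet been passed to `security_release_secctx`") would let both the `as_bytes` SAFETY argument and the `drop` argument cite the invariant rather than the constructor, and would also cover the null pointer / zero length pair that `as_bytes` special-cases, since that pair is handed back to `security_release_secctx` unchanged. A smaller point in `from_secid`: `usize::try_from(seclen).unwrap()` cannot fail for a `u32` on the 32- and 64-bit targets the kernel supports, so either `seclen as usize` with a short comment, or keeping `try_from` with a comment on why the unwrap is infallible, would stop a reader from looking for the panic path this appears to introduce.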