Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp1594666rdb; Sat, 2 Dec 2023 02:03:54 -0800 (PST) X-Google-Smtp-Source: AGHT+IHI4GhnlRpVTSOk9RvqHjwlzrbRjhrtXd+h41N7lAAcOcuw2Dfy8vQUda1f2grPA9edQEoE X-Received: by 2002:a17:903:25d1:b0:1d0:559e:412d with SMTP id jc17-20020a17090325d100b001d0559e412dmr333686plb.61.1701511434202; Sat, 02 Dec 2023 02:03:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701511434; cv=none; d=google.com; s=arc-20160816; b=RAdKjakA/QG4SQ7ABFwtFl4IhRsXDURhrX9HHWBAh18109rR565ZWA01Ji5gWawVSi OKW3olO1bfSgAcoCiqIgypfy76glUXfI5WNzmksVcw5QuI7jNbzN2ay3aiUCcYSvkzbO ZN8Ixq1gJKqTOL7Q5WIb9d9QF12LUOLgtGwfGPzZpT2O9jASPuT+r0U3Pyxl8ScpMXrF JJeUoueohCfv96LNZ8PB3hF1tHZ6gYErsF3e6V5syWr9ZF5COGMrUnYWnInP/m14vajK j777arna1/VuZZ01MkjRD82T9pImesXMAnvBKonooJfh2pQ0unJSnTxyk9xKHBbbunbi s51A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :feedback-id:references:in-reply-to:message-id:subject:cc:from:to :date:dkim-signature; bh=ozFyIxYG1eV92CI6lLkyQ7Lh/CozJJPAZNA/ZOBz2dA=; fh=DCKQjgAWIxA3NWI9O2VzOBHopifTgFJfTsi5maunsFk=; b=MxS3j65zirXusG2idxfB/e75brLaLxQEhOEKKEqkb8B4lnCmUNcqFG6z+X4p/QE6Ef GB7LmOd9MWVxZE63S4BJOWsgBpKFx9VxLUH9sZp2rd/oLR8GYU/CfNCjkuFpGz7TdsFj 0aHDzxxmOm0v1H4AfQEARY+SlUaQ7LSuYOqPcALx6qf3J1vJqo7xb3ejS/VqlQd4iYH0 eXVuu7fKSi6ywFoNDaN5kQNA3qbSKJIMADVq49Y9iSRVZQjzLYZMbfxHbs7MPiB5U/Ra Jm0S0N3Tykrpv4oMZCHtCR0X9cOB6+yjUNNijB5+lmqHgL0h2hNt8Ad1BhuoesrQvcPi 7fXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=Pdo79YX+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id b7-20020a170902a9c700b001d0087eecb6si4520610plr.389.2023.12.02.02.03.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 Dec 2023 02:03:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=Pdo79YX+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id D568E80924AE; Sat, 2 Dec 2023 02:03:51 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232554AbjLBKDg (ORCPT + 99 others); Sat, 2 Dec 2023 05:03:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35978 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232527AbjLBKDf (ORCPT ); Sat, 2 Dec 2023 05:03:35 -0500 Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EB1BA19F for ; Sat, 2 Dec 2023 02:03:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1701511417; x=1701770617; bh=ozFyIxYG1eV92CI6lLkyQ7Lh/CozJJPAZNA/ZOBz2dA=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=Pdo79YX+qRTRMR0IGvXzfSAgr71hSODe1JFF+1EI+szHo3hmkUFa3mkSLU1Az3+97 vA9aSUvN3TdpV0MfSvV300pt3EM+0B53g40Y45ERotqARuuKA2KGbhqK/r04UyVr8h l4HufFJ3FkCQDaPBQM15sYfMNxs18S9dNVjqWHUDRHdUJ23uYb4oVxJdy/TaaIcdKr 0VHlnhu+9MyMFeicUtZVsUDKw7Wt542zMXgOls56eeYMzBigU191GWwcgsb6DOxB/i C0eGxmOEQ3o9tjg6Z3XrqMSVIKJdi96PjfpsxrgU9evidyCcvfdWKNfF6XxMufiv2P CHeLBsr5lhFxg== Date: Sat, 02 Dec 2023 10:03:11 +0000 To: Alice Ryhl From: Benno Lossin Cc: a.hindborg@samsung.com, alex.gaynor@gmail.com, arve@android.com, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, brauner@kernel.org, cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, maco@android.com, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, surenb@google.com, tglx@linutronix.de, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org Subject: Re: [PATCH 3/7] rust: security: add abstraction for secctx Message-ID: In-Reply-To: <20231201104831.2195715-1-aliceryhl@google.com> References: <20231201104831.2195715-1-aliceryhl@google.com> Feedback-ID: 71780778:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Sat, 02 Dec 2023 02:03:52 -0800 (PST) On 12/1/23 11:48, Alice Ryhl wrote: > Benno Lossin writes: >> On 11/29/23 14:11, Alice Ryhl wrote: >>> + /// Returns the bytes for this security context. >>> + pub fn as_bytes(&self) -> &[u8] { >>> + let mut ptr =3D self.secdata; >>> + if ptr.is_null() { >>> + // Many C APIs will use null pointers for strings of lengt= h zero, but >> >> I would just write that the secctx API uses null pointers to denote a >> string of length zero. >=20 > I don't actually know whether it can ever be null, I just wanted to stay > on the safe side. I see, can someone from the C side confirm/refute this? I found the comment a bit weird, since it is phrased in a general way. If it turns out that the pointer can never be null, maybe use `NonNull` instead (I would then also move the length check into the constructor)? You can probably also do this if the pointer is allowed to be null, assuming that you then do not need to call `security_release_secctx`. >>> + // `slice::from_raw_parts` doesn't allow the pointer to be= null even if the length is >>> + // zero. Replace the pointer with a dangling but non-null = pointer in this case. >>> + debug_assert_eq!(self.seclen, 0); >> >> I am feeling a bit uncomfortable with this, why can't we just return >> an empty slice in this case? >=20 > I can do that, but to be clear, what I'm doing here is also definitely > okay. Yes it is okay, but I see this similar to avoiding `unsafe` code when it can be done safely. In this example we are not strictly avoiding any `unsafe` code, but we are avoiding a codepath with `unsafe` code. You should of course still keep the `debug_assert_eq`. --=20 Cheers, Benno