Date: Fri, 08 Dec 2023 16:22:48 +0000
To: Alice Ryhl
From: Benno Lossin
Cc: Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Peter Zijlstra, Alexander Viro, Christian Brauner, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Dan Williams, Kees Cook, Matthew Wilcox, Thomas Gleixner, Daniel Xu, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 3/7] rust: security: add abstraction for secctx
In-Reply-To: <20231206-alice-file-v2-3-af617c0d9d94@google.com>
References: <20231206-alice-file-v2-0-af617c0d9d94@google.com> <20231206-alice-file-v2-3-af617c0d9d94@google.com>

On 12/6/23 12:59, Alice Ryhl wrote:
> +impl SecurityCtx {
> +    /// Get the security context given its id.
> +    pub fn from_secid(secid: u32) -> Result {
> +        let mut secdata = core::ptr::null_mut();
> +        let mut seclen = 0u32;
> +        // SAFETY: Just a C FFI call. The pointers are valid for writes.
> +        unsafe {
> +            to_result(bindings::security_secid_to_secctx(
> +                secid,
> +                &mut secdata,
> +                &mut seclen,
> +            ))?;
> +        }

Can you move the `unsafe` block inside of the `to_result` call? That way we
only have the unsafe operation in the unsafe block. Additionally, on my side
it fits perfectly into 100 characters.

> +        // INVARIANT: If the above call did not fail, then we have a valid security context.
> +        Ok(Self {
> +            secdata,
> +            seclen: seclen as usize,
> +        })
> +    }

[...]

> +    /// Returns the bytes for this security context.
> +    pub fn as_bytes(&self) -> &[u8] {
> +        let ptr = self.secdata;
> +        if ptr.is_null() {
> +            // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
> +            debug_assert_eq!(self.seclen, 0);

Would this be interesting enough to emit some kind of log message when this
fails?

> +            return &[];
> +        }
> +
> +        // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> +        // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> +        // pointer is not null.
> +        unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> +    }
> +}
> +
> +impl Drop for SecurityCtx {
> +    fn drop(&mut self) {
> +        // SAFETY: This frees a pointer that came from a successful call to
> +        // `security_secid_to_secctx` and has not yet been destroyed by `security_release_secctx`.
> +        unsafe {
> +            bindings::security_release_secctx(self.secdata, self.seclen as u32);
> +        }

If you move the `;` to the outside of the `unsafe` block this also fits on a
single line.

-- 
Cheers,
Benno

> +    }
> +}
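Review bot: In `from_secid` the SAFETY comment ("Just a C FFI call. The pointers are valid for writes.") leaves the type of `secdata` entirely to inference from the binding's signature, since it is declared as `let mut secdata = core::ptr::null_mut();`. Spelling the type out, e.g. `let mut secdata: *mut core::ffi::c_char = core::ptr::null_mut();` (using whatever pointee type the generated binding takes), documents what the C side writes through the out-pointer and stops a future change in the binding from silently changing the field type that `Drop` later hands back to `security_release_secctx`. The INVARIANT comment would also benefit from stating the failure side: because `?` returns before `Self` is built, no value with an unset `secdata` ever reaches `Drop`.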
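Review bot: The `debug_assert_eq!(self.seclen, 0)` in `as_bytes` only checks in debug builds; in a release build a null `secdata` paired with a non-zero `seclen` silently yields an empty slice, and `drop` then forwards that same pair to `security_release_secctx`. Since the INVARIANT on construction already promises a valid (`secdata`, `seclen`) pair, the comment on the null branch should say that null can only occur together with `seclen == 0` under the type invariant, and the log message asked for in the reply would make an invariant violation visible regardless of build configuration. Separately, `seclen` is converted `u32 -> usize` in `from_secid` and back `usize -> u32` in `drop`; storing it as `u32` and converting only at the `from_raw_parts` call would remove one of the two casts and make the round-trip obviously lossless.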
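The following is an added example, not code from Alice Ryhl's patch or from the kernel's `rust/kernel` crate: a stand-alone Rust model of the `SecurityCtx` wrapper with the two suggestions from this reply applied (the `unsafe` block narrowed to just the FFI call inside `to_result`, and the `;` moved outside the `unsafe` block in `drop`), plus the null-pointer/zero-length path of `as_bytes` exercised. The `bindings` module, the `Result` alias with an `i32` errno, the secid `42` and the label string are constructed stand-ins so that it compiles and runs outside the kernel.

```rust
// Added example (not the patch's or the kernel's code): a user-space model of
// the `SecurityCtx` abstraction with the unsafe block narrowed to the FFI call.

use core::ffi::c_char;
use core::ptr;

/// Stand-in for `kernel::error::Result`; the real type wraps a negative errno.
type Result<T> = core::result::Result<T, i32>;

/// Constructed stand-in for the C LSM hooks, written in Rust so the example runs
/// without a kernel. Signatures mirror the C prototypes the patch binds to.
mod bindings {
    use core::ffi::c_char;
    use core::ptr;

    /// Constructed sample: the only secid this fake LSM knows about.
    const KNOWN_SECID: u32 = 42;
    const LABEL: &[u8] = b"system_u:system_r:kernel_t:s0";

    /// Mirrors `security_secid_to_secctx(u32, char **, u32 *) -> int`.
    /// On success writes a heap buffer into `*secdata` and its length into `*seclen`.
    pub unsafe fn security_secid_to_secctx(secid: u32, secdata: *mut *mut c_char, seclen: *mut u32) -> i32 {
        if secid != KNOWN_SECID {
            return -22; // -EINVAL, constructed error code
        }
        let buf = LABEL.to_vec().into_boxed_slice();
        let len = buf.len() as u32;
        // SAFETY: the caller guarantees both out-pointers are valid for writes.
        unsafe {
            *secdata = Box::into_raw(buf) as *mut c_char;
            *seclen = len;
        }
        0
    }

    /// Mirrors `security_release_secctx(char *, u32)`; tolerates a null pointer.
    pub unsafe fn security_release_secctx(secdata: *mut c_char, seclen: u32) {
        if secdata.is_null() {
            return;
        }
        // SAFETY: pointer and length were produced together by `security_secid_to_secctx`.
        unsafe {
            drop(Box::from_raw(ptr::slice_from_raw_parts_mut(secdata as *mut u8, seclen as usize)));
        }
    }
}

/// Stand-in for `kernel::error::to_result`: negative return codes become errors.
fn to_result(ret: i32) -> Result<()> {
    if ret < 0 { Err(ret) } else { Ok(()) }
}

/// Owned security context; INVARIANT: (`secdata`, `seclen`) came from a successful
/// `security_secid_to_secctx` call, or `secdata` is null and `seclen` is 0.
pub struct SecurityCtx {
    secdata: *mut c_char,
    seclen: usize,
}

impl SecurityCtx {
    pub fn from_secid(secid: u32) -> Result<Self> {
        let mut secdata: *mut c_char = ptr::null_mut();
        let mut seclen = 0u32;
        // SAFETY: both out-pointers are valid for writes. Only the FFI call is unsafe,
        // so only it sits inside the block (the change suggested in the review).
        to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut secdata, &mut seclen) })?;
        // INVARIANT: `?` returned on failure, so reaching here means the pair is valid.
        Ok(Self { secdata, seclen: seclen as usize })
    }

    pub fn as_bytes(&self) -> &[u8] {
        let ptr = self.secdata;
        if ptr.is_null() {
            // Under the type invariant a null pointer implies a zero length.
            debug_assert_eq!(self.seclen, 0);
            return &[];
        }
        // SAFETY: non-null and valid for `seclen` bytes for as long as `self` lives.
        unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
    }
}

impl Drop for SecurityCtx {
    fn drop(&mut self) {
        // SAFETY: releases exactly once what `security_secid_to_secctx` handed out.
        unsafe { bindings::security_release_secctx(self.secdata, self.seclen as u32) };
    }
}

/// Resolves a secid to an owned copy of its label; the context is released on return.
pub fn label_for(secid: u32) -> Result<Vec<u8>> {
    let ctx = SecurityCtx::from_secid(secid)?;
    Ok(ctx.as_bytes().to_vec())
}

fn main() {
    match label_for(42) {
        Ok(bytes) => println!("secid 42 -> {}", String::from_utf8_lossy(&bytes)),
        Err(e) => println!("secid 42 -> error {e}"),
    }
}
```

The point of the narrowed block is auditability: a reader checking the SAFETY comment only has to reason about the one expression it covers, and `to_result` and `?` stay in safe code where the compiler, not the reviewer, guarantees their behaviour.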