Date: Mon, 11 Dec 2023 15:34:32 +0000
Message-ID: <20231211153432.4161918-1-aliceryhl@google.com>
Subject: Re: [PATCH v2 3/7] rust: security: add abstraction for secctx
From: Alice Ryhl <aliceryhl@google.com>
To: benno.lossin@proton.me
Cc: a.hindborg@samsung.com, alex.gaynor@gmail.com, aliceryhl@google.com, arve@android.com, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, brauner@kernel.org, cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, maco@android.com, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, surenb@google.com, tglx@linutronix.de, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org
List-ID: <linux-kernel.vger.kernel.org>

Benno Lossin writes:
> On 12/6/23 12:59, Alice Ryhl wrote:
> > +impl SecurityCtx {
> > +    /// Get the security context given its id.
> > +    pub fn from_secid(secid: u32) -> Result {
> > +        let mut secdata = core::ptr::null_mut();
> > +        let mut seclen = 0u32;
> > +        // SAFETY: Just a C FFI call. The pointers are valid for writes.
> > +        unsafe {
> > +            to_result(bindings::security_secid_to_secctx(
> > +                secid,
> > +                &mut secdata,
> > +                &mut seclen,
> > +            ))?;
> > +        }
>
> Can you move the `unsafe` block inside of the `to_result` call? That way
> we only have the unsafe operation in the unsafe block. Additionally, on
> my side it fits perfectly into 100 characters.

Will do.

> > +    /// Returns the bytes for this security context.
> > +    pub fn as_bytes(&self) -> &[u8] {
> > +        let ptr = self.secdata;
> > +        if ptr.is_null() {
> > +            // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
> > +            debug_assert_eq!(self.seclen, 0);
>
> Would this be interesting enough to emit some kind of log message when
> this fails?

I'm not convinced that makes sense. I'm pretty sure that if this API
returns a null pointer under any circumstances, then we're in some sort
of context where security contexts don't exist at all, and then they
would be hard-coded to use a length zero as well.

> > +            return &[];
> > +        }
> > +
> > +        // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> > +        // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> > +        // pointer is not null.
> > +        unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> > +    }
> > +}
> > +
> > +impl Drop for SecurityCtx {
> > +    fn drop(&mut self) {
> > +        // SAFETY: This frees a pointer that came from a successful call to
> > +        // `security_secid_to_secctx` and has not yet been destroyed by `security_release_secctx`.
> > +        unsafe {
> > +            bindings::security_release_secctx(self.secdata, self.seclen as u32);
> > +        }
>
> If you move the `;` to the outside of the `unsafe` block this also fits
> on a single line.

Will do.

Alice
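Review bot: In `as_bytes`, the `debug_assert_eq!(self.seclen, 0)` guarding the null-pointer branch is compiled out in release builds, so the "null implies zero length" invariant is then enforced only by the C side; if the abstraction relies on it, the SAFETY comment should name it as a guarantee of `security_secid_to_secctx` rather than leaving it to a debug-only check, or the branch should return `&[]` only after checking `self.seclen == 0` and otherwise treat the state as a bug.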
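Review bot: `drop` calls `security_release_secctx(self.secdata, self.seclen as u32)` unconditionally, including in the null-`secdata` case that `as_bytes` explicitly special-cases, but the SAFETY comment only argues about a pointer "that came from a successful call"; either extend the comment to say that the C side tolerates a null pointer with a zero length, or skip the call when `self.secdata.is_null()` so the two methods agree on what a null context means.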