| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Dec 2023 15:34:32 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: benno.lossin@...ton.me
Cc: a.hindborg@...sung.com, alex.gaynor@...il.com,
aliceryhl@...gle.com, arve@...roid.com, bjorn3_gh@...tonmail.com,
boqun.feng@...il.com, brauner@...nel.org, cmllamas@...gle.com,
dan.j.williams@...el.com, dxu@...uu.xyz, gary@...yguo.net,
gregkh@...uxfoundation.org, joel@...lfernandes.org,
keescook@...omium.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, maco@...roid.com, ojeda@...nel.org,
peterz@...radead.org, rust-for-linux@...r.kernel.org,
surenb@...gle.com, tglx@...utronix.de, tkjos@...roid.com,
viro@...iv.linux.org.uk, wedsonaf@...il.com, willy@...radead.org
Subject: Re: [PATCH v2 3/7] rust: security: add abstraction for secctx
Benno Lossin <benno.lossin@...ton.me> writes:
> On 12/6/23 12:59, Alice Ryhl wrote:
> > +impl SecurityCtx {
> > + /// Get the security context given its id.
> > + pub fn from_secid(secid: u32) -> Result<Self> {
> > + let mut secdata = core::ptr::null_mut();
> > + let mut seclen = 0u32;
> > + // SAFETY: Just a C FFI call. The pointers are valid for writes.
> > + unsafe {
> > + to_result(bindings::security_secid_to_secctx(
> > + secid,
> > + &mut secdata,
> > + &mut seclen,
> > + ))?;
> > + }
>
> Can you move the `unsafe` block inside of the `to_result` call? That way
> we only have the unsafe operation in the unsafe block. Additionally, on
> my side it fits perfectly into 100 characters.
Will do.
> > + /// Returns the bytes for this security context.
> > + pub fn as_bytes(&self) -> &[u8] {
> > + let ptr = self.secdata;
> > + if ptr.is_null() {
> > + // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
> > + debug_assert_eq!(self.seclen, 0);
>
> Would this be interesting enough to emit some kind of log message when
> this fails?
I'm not convinced that makes sense. I'm pretty sure that if this API
returns a null pointer under any circumstances, then we're in some sort
of context where security contexts don't exist at all, and then they
would be hard-coded to use a length zero as well.
> > + return &[];
> > + }
> > +
> > + // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> > + // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> > + // pointer is not null.
> > + unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> > + }
> > +}
> > +
> > +impl Drop for SecurityCtx {
> > + fn drop(&mut self) {
> > + // SAFETY: This frees a pointer that came from a successful call to
> > + // `security_secid_to_secctx` and has not yet been destroyed by `security_release_secctx`.
> > + unsafe {
> > + bindings::security_release_secctx(self.secdata, self.seclen as u32);
> > + }
>
> If you move the `;` to the outside of the `unsafe` block this also fits
> on a single line.
Will do.
Alice
Powered by blists - more mailing lists