| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 May 2024 14:58:08 +0200 From: Alice Ryhl <aliceryhl@...gle.com> To: Christian Brauner <brauner@...nel.org> Cc: a.hindborg@...sung.com, alex.gaynor@...il.com, arve@...roid.com, benno.lossin@...ton.me, bjorn3_gh@...tonmail.com, boqun.feng@...il.com, cmllamas@...gle.com, dan.j.williams@...el.com, dxu@...uu.xyz, gary@...yguo.net, gregkh@...uxfoundation.org, joel@...lfernandes.org, keescook@...omium.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, maco@...roid.com, ojeda@...nel.org, peterz@...radead.org, rust-for-linux@...r.kernel.org, surenb@...gle.com, tglx@...utronix.de, tkjos@...roid.com, tmgross@...ch.edu, viro@...iv.linux.org.uk, wedsonaf@...il.com, willy@...radead.org, yakoyoku@...il.com Subject: Re: [PATCH v6 3/8] rust: file: add Rust abstraction for `struct file` On Wed, May 29, 2024 at 10:17 AM Christian Brauner <brauner@...nel.org> wrote: > > > Is it honestly worth encoding all that complexity into rust's file > > > implementation itself right now? It's barely understandable to > > > non-rust experts as it is right now. :) > > > > > > Imho, it would seem a lot more prudent to just have something simpler > > > for now. > > > > The purpose of the changes I've made are to prevent data races on the > > file position. If we go back to what we had before, then the API does > > not make it impossible for users of the API to cause such data races. > > > > That is the tradeoff. > > Right. Sorry, there's some back and forth here. But we're all navigating > this new territory here and it's not always trivial to see what the > correct approach is. Yeah of course. You've been very helpful in that regard, and I'm grateful for that. > I wonder what's better for now. It seems that the binder code isn't > really subject to the races we discussed. So maybe we should start with > the simpler approach for now to not get bogged down in encoding all > subtle details into rust's file wrapper just yet? Yeah, maybe. But I think that if we can accurately represent the requirements of the interface, then that would be preferable. Perhaps we can tweak it to make it easier to understand, without giving up accuracy? One of the reasons that the current API is confusing is that the types are called `File<NoFdgetPos>` and `File<MaybeFdgetPos>`. These names _sound_ like their purpose is to keep track of whether or not the file came from an `fdget_pos` call or not, but that is not the case. Instead, let's call them something else. We can have two files: File and LocalFile. This name accurately conveys the main difference between them. File can be transferred across thread boundaries. LocalFile cannot. Now, it is still the case that `fget` will return a `LocalFile`, which may be confusing. But we can document it like this: 1. On `fget`'s docs, we explain that to get a `File`, you need to convert it using the `assume_not_in_fdget_pos_scope` function. We do not explain why in the docs for `fget`. 2. We can put an explanation of why in the docs for the function `assume_not_in_fdget_pos_scope`. I think it's possible to design an API like this where the complexities about `fdget_pos` are only relevant in a few places. In the rest of the implementation, we simplify the situation to "file is threadsafe" or "file is not threadsafe", and that distinction should be easier to understand than nuances related to `fdget_pos`. Alice
Powered by blists - more mailing lists