On 12/6/23 12:59, Alice Ryhl wrote:
> +impl SecurityCtx {
> + /// Get the security context given its id.
> + pub fn from_secid(secid: u32) -> Result<Self> {
> + let mut secdata = core::ptr::null_mut();
> + let mut seclen = 0u32;
> + // SAFETY: Just a C FFI call. The pointers are valid for writes.
> + unsafe {
> + to_result(bindings::security_secid_to_secctx(
> + secid,
> + &mut secdata,
> + &mut seclen,
> + ))?;
> + }
Can you move the `unsafe` block inside of the `to_result` call? That way
we only have the unsafe operation in the unsafe block. Additionally, on
my side it fits perfectly into 100 characters.
> + // INVARIANT: If the above call did not fail, then we have a valid security context.
> + Ok(Self {
> + secdata,
> + seclen: seclen as usize,
> + })
> + }
[...]
> + /// Returns the bytes for this security context.
> + pub fn as_bytes(&self) -> &[u8] {
> + let ptr = self.secdata;
> + if ptr.is_null() {
> + // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
> + debug_assert_eq!(self.seclen, 0);
Would this be interesting enough to emit some kind of log message when
this fails?
> + return &[];
> + }
> +
> + // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
> + // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
> + // pointer is not null.
> + unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
> + }
> +}
> +
> +impl Drop for SecurityCtx {
> + fn drop(&mut self) {
> + // SAFETY: This frees a pointer that came from a successful call to
> + // `security_secid_to_secctx` and has not yet been destroyed by `security_release_secctx`.
> + unsafe {
> + bindings::security_release_secctx(self.secdata, self.seclen as u32);
> + }
If you move the `;` to the outside of the `unsafe` block this also fits
on a single line.
--
Cheers,
Benno
> + }
> +}
