Tracking trust with Rust in the kernel

Published: 2025-09-14 ⋅ Views: 24 ⋅ Likes: 0

The Linux kernel has to handle many different sources of data that should not be trusted: user space, network connections, and removable storage, to name a few. The kernel has to remain secure even if one of these sends garbled (or malicious) data. Benno Lossin has been working on an API for kernel Rust code that makes it harder to accidentally make decisions based on data from user space. That work is now on its fourth revision, and Lossin has asked kernel developers to experiment with it and see where problems remain, making this a good time to look at the proposed API.

The Linux kernel must handle many untrusted data sources: user space, network connections and removable storage devices, to name a few. Even if these sources send garbled (or malicious) data, the kernel must remain secure. Benno Lossin has been developing an API for Rust code in the kernel that makes it harder for developers to unintentionally make decisions based on user-space data. That work is now in its fourth revision, and Lossin has invited kernel developers to experiment with it and find the remaining problems, so now is a good time to take a closer look at the proposed API.


The core approach, as with so many things in Rust, centers on the type system. Lossin's patch set introduces a new type, Untrusted, that marks data as originating from an untrusted source, and therefore requiring special caution. Trying to access a value wrapped by Untrusted is forbidden by Rust. The type is a "transparent" structure, meaning that it will be laid out in memory exactly like the type that it wraps. An Untrusted<u8> is a single byte, for example. The type therefore has no run-time overhead, so it can be used as a kind of marker in the type system for data that has come from user space without being validated. That makes it impossible to pass such data into functions that expect normal kernel data by accident.

As with many mechanisms in Rust, the core approach relies on the type system. Lossin's patch set introduces a new type, Untrusted, which marks data as coming from an untrusted source and therefore requiring special care. Rust forbids direct access to a value wrapped in Untrusted. The type is a "transparent" structure, meaning its layout in memory is identical to that of the type it wraps. For example, an Untrusted<u8> is a single byte. The type therefore has no run-time overhead and can be used as a marker in the type system for data that comes from user space but has not yet been validated. That makes it impossible to pass such data by accident into functions that expect normal kernel data.
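The marker pattern described in the two paragraphs above, as an added illustration in plain Rust rather than code from Lossin's patch set or the kernel's API: the wrapper is `repr(transparent)`, its field is private with no accessor, and the only way out is a validator that turns the raw value into a trusted one. The `Header` type, `parse_header`, `payload_len` and the length-prefixed layout are invented for this example.

```rust
use std::mem::size_of;
/// Marker for data from an untrusted source (e.g. user space). Same layout
/// as `T` (`repr(transparent)`), but the field is private and there is no
/// `Deref`, so the raw value cannot be read or passed on by accident.
#[repr(transparent)]
pub struct Untrusted<T>(T);

impl<T> Untrusted<T> {
    /// Only boundary code (the equivalent of copy_from_user) wraps values.
    pub fn new(value: T) -> Self {
        Untrusted(value)
    }

    /// The single way out: a validator consumes the raw `T` and returns a
    /// trusted `U` or an error. Nothing else can observe the inner value.
    pub fn validate<U, E>(self, check: impl FnOnce(T) -> Result<U, E>) -> Result<U, E> {
        check(self.0)
    }
}

/// Layout check: an `Untrusted<u8>` occupies exactly one byte.
pub fn untrusted_u8_size() -> usize {
    size_of::<Untrusted<u8>>()
}

/// Hypothetical message header (invented for this example): one length byte
/// followed by `len` payload bytes.
#[derive(Debug, PartialEq)]
pub struct Header { pub len: u8 }

#[derive(Debug, PartialEq)]
pub enum ParseError { Empty, LengthMismatch { claimed: u8, actual: usize } }

/// Validation boundary: the only place that looks at the raw bytes.
pub fn parse_header(raw: Untrusted<Vec<u8>>) -> Result<Header, ParseError> {
    raw.validate(|buf| {
        let (&len, payload) = buf.split_first().ok_or(ParseError::Empty)?;
        if usize::from(len) != payload.len() {
            return Err(ParseError::LengthMismatch { claimed: len, actual: payload.len() });
        }
        Ok(Header { len })
    })
}

/// Kernel-side consumer: accepts only a validated `Header`. Handing it an
/// `Untrusted<Vec<u8>>` instead is a type error, caught at compile time.
pub fn payload_len(h: &Header) -> usize {
    usize::from(h.len)
}
```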

