Mark the highlevel functions as unsafe. #24
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Following @RalfJung's comment here: #8 (comment) as long as the functions are still taking integer file descriptor arguments, we should mark the APIs here `unsafe`. This is particularly interesting in the context of WASI, as it aligns with the OCap security model -- Rust's `std::fs::File` is an unforgeable handle in safe Rust. So while there are still integer file descriptors at the wasm level for now, programs compiled from safe Rust still have fine-grained isolation (with the caveat that until reference types are possible, this property isn't encoded in wasm in a verifiable way).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Following @RalfJung's comment here:
#8 (comment)
as long as the functions are still taking integer file descriptor
arguments, we should mark the APIs here
unsafe.This is particularly interesting in the context of WASI, as it aligns with
the OCap security model -- Rust's
std::fs::Fileis an unforgeablehandle in safe Rust. So while there are still integer file descriptors at
the wasm level for now, programs compiled from safe Rust still have
fine-grained isolation (with the caveat that until reference types are
possible, this property isn't encoded in wasm in a verifiable way).