From 5ae95fa89a87a643ec74d5c164246146c8188228 Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Tue, 7 Jun 2022 09:36:34 -0700 Subject: [PATCH 1/9] Document Rust's stance on `/proc/self/mem` Add documentation to `std::os::unix::io` describing Rust's stance on `/proc/self/mem`, treating it as an external entity which is outside the scope of Rust's safety guarantees. --- library/std/src/os/unix/io/mod.rs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 0fd9591b0165a..d2c5f74132458 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -44,6 +44,26 @@ //! Like boxes, `OwnedFd` values conceptually own the resource they point to, //! and free (close) it when they are dropped. //! +//! ## What about `/proc/self/mem` and similar OS features? +//! +//! Some platforms have a feature known as `/proc/self/mem`, which is a +//! filesystem path that can be opened, producing a file descriptor that, when +//! read from or written to, reads and writes the process's memory. These reads +//! and writes happen outside the control of the Rust compiler, so they do not +//! uphold Rust's memory safety guarantees. +//! +//! Does this mean that all APIs that might allow `/proc/self/mem` to be opened +//! and read from or written to must be `unsafe`? No. Rust's safety guarantees +//! only cover what the program itself can do, and not what entities outside +//! the program can do to it. `/proc/self/mem` is considered to be such an +//! external entity, along with debugggers and people with physical access to +//! the hardware. This is true even in cases where the program is controling +//! the external entity. +//! +//! If you desire to comprehensively prevent programs from reaching out and +//! causing external entities to reach back in and violate memory safety, it's +//! necessary to use *sandboxing*, which is outside the scope of `std`. +//! //! [`BorrowedFd<'a>`]: crate::os::unix::io::BorrowedFd #![stable(feature = "rust1", since = "1.0.0")] From fbb59e706287525a9157edc65944030f9cd251fd Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Tue, 7 Jun 2022 09:53:26 -0700 Subject: [PATCH 2/9] Update library/std/src/os/unix/io/mod.rs Co-authored-by: Sean Stangl --- library/std/src/os/unix/io/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index d2c5f74132458..73cb3d31a7b00 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -56,7 +56,7 @@ //! and read from or written to must be `unsafe`? No. Rust's safety guarantees //! only cover what the program itself can do, and not what entities outside //! the program can do to it. `/proc/self/mem` is considered to be such an -//! external entity, along with debugggers and people with physical access to +//! external entity, along with debuggers and people with physical access to //! the hardware. This is true even in cases where the program is controling //! the external entity. //! From 52cb18b664fe594bfac03aaf5b3fb84986d74f02 Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Tue, 7 Jun 2022 09:53:34 -0700 Subject: [PATCH 3/9] Update library/std/src/os/unix/io/mod.rs Co-authored-by: Sean Stangl --- library/std/src/os/unix/io/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 73cb3d31a7b00..139accf3f8d4d 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -57,7 +57,7 @@ //! only cover what the program itself can do, and not what entities outside //! the program can do to it. `/proc/self/mem` is considered to be such an //! external entity, along with debuggers and people with physical access to -//! the hardware. This is true even in cases where the program is controling +//! the hardware. This is true even in cases where the program is controlling //! the external entity. //! //! If you desire to comprehensively prevent programs from reaching out and From 27d9ab447b4a7b92565d1c2be9e45f58f0243731 Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Tue, 7 Jun 2022 10:38:31 -0700 Subject: [PATCH 4/9] Update library/std/src/os/unix/io/mod.rs Co-authored-by: Josh Triplett --- library/std/src/os/unix/io/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 139accf3f8d4d..610a5da77781d 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -46,7 +46,7 @@ //! //! ## What about `/proc/self/mem` and similar OS features? //! -//! Some platforms have a feature known as `/proc/self/mem`, which is a +//! Some platforms have special files, such as `/proc/self/mem`, which is a //! filesystem path that can be opened, producing a file descriptor that, when //! read from or written to, reads and writes the process's memory. These reads //! and writes happen outside the control of the Rust compiler, so they do not From f9662f2c18208727706c41848715b7400c9e4fe0 Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Tue, 7 Jun 2022 11:16:32 -0700 Subject: [PATCH 5/9] Update library/std/src/os/unix/io/mod.rs Co-authored-by: Josh Triplett --- library/std/src/os/unix/io/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 610a5da77781d..bc2f6b7659ff7 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -56,7 +56,7 @@ //! and read from or written to must be `unsafe`? No. Rust's safety guarantees //! only cover what the program itself can do, and not what entities outside //! the program can do to it. `/proc/self/mem` is considered to be such an -//! external entity, along with debuggers and people with physical access to +//! external entity, along with debugging interfaces, and people with physical access to //! the hardware. This is true even in cases where the program is controlling //! the external entity. //! From 7656e085e3d056f0f0f35a9112727478a848350f Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Wed, 8 Jun 2022 08:24:28 -0700 Subject: [PATCH 6/9] Reword a question into a statement. --- library/std/src/os/unix/io/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index bc2f6b7659ff7..8935f303081ca 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -52,8 +52,8 @@ //! and writes happen outside the control of the Rust compiler, so they do not //! uphold Rust's memory safety guarantees. //! -//! Does this mean that all APIs that might allow `/proc/self/mem` to be opened -//! and read from or written to must be `unsafe`? No. Rust's safety guarantees +//! However, this does not mean that all APIs that might allow `/proc/self/mem` +//! to be opened and read from or written must be `unsafe`. Rust's safety guarantees //! only cover what the program itself can do, and not what entities outside //! the program can do to it. `/proc/self/mem` is considered to be such an //! external entity, along with debugging interfaces, and people with physical access to From e89ec68d5db9aa58b8170b351e730d45304c812b Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Wed, 8 Jun 2022 08:26:56 -0700 Subject: [PATCH 7/9] Update library/std/src/os/unix/io/mod.rs Co-authored-by: Mara Bos --- library/std/src/os/unix/io/mod.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 8935f303081ca..0a9c95fd409af 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -46,9 +46,8 @@ //! //! ## What about `/proc/self/mem` and similar OS features? //! -//! Some platforms have special files, such as `/proc/self/mem`, which is a -//! filesystem path that can be opened, producing a file descriptor that, when -//! read from or written to, reads and writes the process's memory. These reads +//! Some platforms have special files, such as `/proc/self/mem`, which +//! provide read and write access to the process's memory. Such reads //! and writes happen outside the control of the Rust compiler, so they do not //! uphold Rust's memory safety guarantees. //! From 158ff5cdd47b72d4ef9f04c4a3145c0b74bdba25 Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Wed, 8 Jun 2022 08:27:32 -0700 Subject: [PATCH 8/9] Reword the question in the section header too. This adopts the wording suggested in https://github.com/rust-lang/rust/pull/97837#discussion_r892524129. --- library/std/src/os/unix/io/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 0a9c95fd409af..044cfb221b2f5 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -44,14 +44,14 @@ //! Like boxes, `OwnedFd` values conceptually own the resource they point to, //! and free (close) it when they are dropped. //! -//! ## What about `/proc/self/mem` and similar OS features? +//! ## `/proc/self/mem` and similar OS features //! //! Some platforms have special files, such as `/proc/self/mem`, which //! provide read and write access to the process's memory. Such reads //! and writes happen outside the control of the Rust compiler, so they do not //! uphold Rust's memory safety guarantees. //! -//! However, this does not mean that all APIs that might allow `/proc/self/mem` +//! This does not mean that all APIs that might allow `/proc/self/mem` //! to be opened and read from or written must be `unsafe`. Rust's safety guarantees //! only cover what the program itself can do, and not what entities outside //! the program can do to it. `/proc/self/mem` is considered to be such an From 69594414bfac4d0ae10da65ccffad6ab4b0fa05a Mon Sep 17 00:00:00 2001 From: Dan Gohman Date: Wed, 8 Jun 2022 08:40:34 -0700 Subject: [PATCH 9/9] Fix trailing whitespace. --- library/std/src/os/unix/io/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/std/src/os/unix/io/mod.rs b/library/std/src/os/unix/io/mod.rs index 044cfb221b2f5..d1732fbfdfe60 100644 --- a/library/std/src/os/unix/io/mod.rs +++ b/library/std/src/os/unix/io/mod.rs @@ -46,7 +46,7 @@ //! //! ## `/proc/self/mem` and similar OS features //! -//! Some platforms have special files, such as `/proc/self/mem`, which +//! Some platforms have special files, such as `/proc/self/mem`, which //! provide read and write access to the process's memory. Such reads //! and writes happen outside the control of the Rust compiler, so they do not //! uphold Rust's memory safety guarantees.