Standardise and add safety comments.
These will soon be required by a lint.
Bug: 290018030
Test: m rust
Change-Id: If62281a5eb2160061a11f28588b7a14e32ce265b
diff --git a/microdroid_manager/src/dice.rs b/microdroid_manager/src/dice.rs
index bacefcd..8e078ea 100644
--- a/microdroid_manager/src/dice.rs
+++ b/microdroid_manager/src/dice.rs
@@ -78,7 +78,7 @@
let mmap_size =
file.read_u64::<NativeEndian>()
.map_err(|error| Error::new(error).context("Reading driver"))? as usize;
- // It's safe to map the driver as the service will only create a single
+ // SAFETY: It's safe to map the driver as the service will only create a single
// mapping per process.
let mmap_addr = unsafe {
let fd = file.as_raw_fd();
@@ -87,10 +87,10 @@
if mmap_addr == MAP_FAILED {
bail!("Failed to mmap {:?}", driver_path);
}
- // The slice is created for the region of memory that was just
+ let mmap_buf =
+ // SAFETY: The slice is created for the region of memory that was just
// successfully mapped into the process address space so it will be
// accessible and not referenced from anywhere else.
- let mmap_buf =
unsafe { slice::from_raw_parts((mmap_addr as *const u8).as_ref().unwrap(), mmap_size) };
let bcc_handover =
bcc_handover_parse(mmap_buf).map_err(|_| anyhow!("Failed to parse Bcc Handover"))?;
@@ -149,9 +149,9 @@
impl Drop for DiceDriver<'_> {
fn drop(&mut self) {
if let &mut Self::Real { mmap_addr, mmap_size, .. } = self {
- // All references to the mapped region have the same lifetime as self. Since self is
- // being dropped, so are all the references to the mapped region meaning its safe to
- // unmap.
+ // SAFETY: All references to the mapped region have the same lifetime as self. Since
+ // self is being dropped, so are all the references to the mapped region meaning it's
+ // safe to unmap.
let ret = unsafe { munmap(mmap_addr, mmap_size) };
if ret != 0 {
log::warn!("Failed to munmap ({})", ret);
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 1cdcde1..9548936 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -193,7 +193,7 @@
/// Prepares a socket file descriptor for the vm payload service.
///
-/// # Safety requirement
+/// # Safety
///
/// The caller must ensure that this function is the only place that claims ownership
/// of the file descriptor and it is called only once.
@@ -267,6 +267,8 @@
if Path::new(ENCRYPTEDSTORE_BACKING_DEVICE).exists() {
let mountpoint = CString::new(ENCRYPTEDSTORE_MOUNTPOINT).unwrap();
+ // SAFETY: `mountpoint` is a valid C string. `syncfs` and `close` are safe for any parameter
+ // values.
let ret = unsafe {
let dirfd = libc::open(
mountpoint.as_ptr(),
diff --git a/microdroid_manager/src/swap.rs b/microdroid_manager/src/swap.rs
index 2f4d176..c2b20ac 100644
--- a/microdroid_manager/src/swap.rs
+++ b/microdroid_manager/src/swap.rs
@@ -48,7 +48,7 @@
.checked_mul(512)
.ok_or_else(|| anyhow!("sysfs_size too large"))?;
- // safe because we give a constant and known-valid sysconf parameter
+ // SAFETY: We give a constant and known-valid sysconf parameter.
let pagesize = unsafe { libc::sysconf(libc::_SC_PAGE_SIZE) as u64 };
let mut f = OpenOptions::new().read(false).write(true).open(format!("/dev/{}", dev))?;
@@ -75,7 +75,7 @@
/// Simple "swapon", using libc:: wrapper.
fn swapon(dev: &str) -> Result<()> {
let swapon_arg = std::ffi::CString::new(format!("/dev/{}", dev))?;
- // safe because we give a nul-terminated string and check the result
+ // SAFETY: We give a nul-terminated string and check the result.
let res = unsafe { libc::swapon(swapon_arg.as_ptr(), 0) };
if res != 0 {
return Err(anyhow!("Failed to swapon: {}", Error::last_os_error()));