Rust-for-Linux VS no-panic

Rust is backwards compatible when you stick to stable features, but the kernel uses unstable features that can and do incur breaking changes.

https://github.com/Rust-for-Linux/linux/issues/2

> How would this work?

Don't know exactly what you're asking.

> And why would it be a better idea?

Poorly written device drivers are a significant attack vector. It's one of the reasons Linux is now exploring using Rust for its own device drivers.[0] You may be asking -- why Rust and not some other language? Rust has many of the performance and interoperability advantages of C and C++, but as noted, makes certain classes of memory safety issues impossible. Rust also has significant mindshare among systems programming communities.

[0]: https://rust-for-linux.com

Ctrl-F "rust"

https://rust-for-linux.com/ links to LWN articles at https://lwn.net/Kernel/Index/#Development_tools-Rust that suggest that only basic modules are yet possible with the rust support in Linux kernels 6.2 and 6.3.

Rust-for-linux links to the Android binder module though:

> Android Binder Driver: This project is an effort to rewrite Android's Binder kernel driver in Rust.

> Motivation: Binder is one of the most security and performance critical components of Android. Android isolates apps from each other and the system by assigning each app a unique user ID (UID). This is called "application sandboxing", and is a fundamental tenet of the Android Platform Security Model.

> The majority of inter-process communication (IPC) on Android goes through Binder. Thus, memory unsafety vulnerabilities are especially critical when they happen in the Binder driver

... "Rust in the Linux kernel" (2021) https://security.googleblog.com/2021/04/rust-in-linux-kernel... :

> [...] We also need designs that allow code in the two languages to interact with each other: we're particularly interested in safe, zero-cost abstractions that allow Rust code to use kernel functionality written in C, and how to implement functionality in idiomatic Rust that can be called seamlessly from the C portions of the kernel.

> Since Rust is a new language for the kernel, we also have the opportunity to enforce best practices in terms of documentation and uniformity. For example, we have specific machine-checked requirements around the usage of unsafe code: for every unsafe function, the developer must document the requirements that need to be satisfied by callers to ensure that its usage is safe; additionally, for every call to unsafe functions (or usage of unsafe constructs like dereferencing a raw pointer), the developer must document the justification for why it is safe to do so.

> We'll now show how such a driver would be implemented in Rust, contrasting it with a C implementation. [...]

This guide with unsafe rust that calls into the C, and then with next gen much safer rust right next to it would be a helpful resource too.

What of the post-docker container support (with userspaces also written in go) should be cloned to rust first?

Rust-for-Linux issue tracker

Yes, I definitely agree that it's a problem that pr_info implicitly wraps its arguments in unsafe {}. I wrote my own Pull Request with a trival fix.

Note that this template won't work with Linux 6.1, which has very minimal Rust support. You'll want the RustForLinux tree, or maybe Linux 6.2.

You can join Rust for Linux zulip chat by requesting invite using the link in https://github.com/Rust-for-Linux/linux 's README.

I discovered a crate called no_panic that prevents a function from compiling, unless the compiler can proof that this function can't panic.

/u/dtolnay has a no-panic macro, I don't know its limitations but in older comments they note it pretty much has to be used in release mode, as there are lots of panic codepaths which get optimised out.

'Hacks' such as https://github.com/dtolnay/no-panic, https://crates.io/crates/no-panics-whatsoever that ensure any calls to panic handling will result in link errors. Not really reliable in terms of being able to abort instead, but a possible tool.

nope. Unfortunately, no mainstream language has this yet. We need an Algebraic effects typesystem to do this properly. There are a few temporary band-aid solutions like https://github.com/dtolnay/no-panic

This kind of already exists in the form of #[no_panic] [1]?

> If the function does panic (or the compiler fails to prove that the function cannot panic), the program fails to compile with a linker error that identifies the function name.

1: https://github.com/dtolnay/no-panic

I really think that Rust needs an official #[no_panic] macro that can validate these sort of things (like dtolnay’s crate, I’m not sure why it was archived)

Because it's convenient and familiar to most programmers. Not providing bounds-checked indexing makes some kinds of code very hard to write.

But note his problem also happens with integer division.

In Rust, a[x] on an array or vec is really a roughly a shortand for a.get(x).unwrap() (with a different error message)

Likewise, a / b on integers is a kind of a shortand for a.checked_div(b).unwrap()

The thing is, if the index ever is out of bounds, or if the denominator is zero, the program has a bug, 100% of time. And if you catch a bug using an assertion there is seldom anything better than interrupting the execution (the only thing I can think of is restarting the program or the subsystem). If you continue execution past a programming error, you may sometimes corrupt data structures or introduce bizarre, hard to debug situations.

Doing a pattern match on a.get(x) doesn't help because if it's ever None (and your program logic expects that x is in bounds) then you are kind of forced to bail.

The downside here is that we aren't catching this bug at compile time. And it's true that sometimes we can rewrite the program to not have an indexing operation, usually using iterators (eliding the bounds check will make the program run faster, too). But in general this is not possible, at least not without bringing formal methods. But that's what tests are for, to ensure the correctness of stuff type errors can't catch.

Now, there are some crates like https://github.com/dtolnay/no-panic or https://github.com/facebookexperimental/MIRAI that will check that your code is panic free. The first one is based on the fact that llvm optimizations can often remove dead code and thus remove the panic from a[x] or a / b - if it doesn't, then compilation fails. The second one employs formal methods to mathematically prove that there is no panic. I guess those techniques will eventually be ported to the kernel even if panics happen differently there (by hooking on the BUG mechanism or whatever)

Hmm, yeah as you mentioned, looks like a surprising amount of stuff is already done in the rust for the linux kernel project: https://github.com/Rust-for-Linux/linux/tree/rust/rust/. It's also MIT/Apache licensed, but I was expecting gpl, so I can actually use it. It's still a lot to trim down on, so might be easier to just build up as needed. Additionally I just saw /u/dtolnay's #[no_panic] attribute which at least makes it a compiler error if it's accidentally done.

Obviously, in bare metal systems, in the kernel, etc, you always want to use the second style. In this patch series, the first type had been stubbed out to panic, but Linus doesn't want any chance of panicking, he wants it to be a compile time error if anyone tries to call these methods from within the kernel, for example by not providing the symbols and failing to link if someone did try to use them. There is already precedent for doing that in the Rust ecosystem, so it's planned to do that in this patch series, but the authors hadn't gotten to that yet.