Add the safe_ffi macro

vrmiguel · vrmiguel · commit 144fcd627946 · 2022-05-12T15:02:08.000-03:00
diff --git a/src/kill.rs b/src/kill.rs
@@ -8,7 +8,7 @@ use libc::{EINVAL, EPERM, ESRCH, SIGKILL, SIGTERM};
 use crate::errno::errno;
 use crate::error::{Error, Result};
 use crate::process::Process;
-use crate::{cli, utils};
+use crate::{cli, safe_ffi, utils};
 
 pub fn choose_victim(
     proc_buf: &mut [u8],
@@ -101,7 +101,7 @@ pub fn choose_victim(
 }
 
 pub fn kill_process(pid: i32, signal: i32) -> Result<()> {
-    let res = unsafe { kill(pid, signal) };
+    let res = safe_ffi! { kill(pid, signal) };
 
     if res == -1 {
         return Err(match errno() {
diff --git a/src/memory/mem_info.rs b/src/memory/mem_info.rs
@@ -4,6 +4,7 @@ use libc::sysinfo;
 
 use crate::{
     error::{Error, Result},
+    safe_ffi,
     utils::bytes_to_megabytes,
 };
 
@@ -23,7 +24,7 @@ fn sys_info() -> Result<sysinfo> {
     let mut sys_info: sysinfo = unsafe { mem::zeroed() };
 
     // Safety: sysinfo() is safe and must not fail when passed a valid reference
-    let ret_val = unsafe { libc::sysinfo(&mut sys_info) };
+    let ret_val = safe_ffi! { libc::sysinfo(&mut sys_info) };
 
     if ret_val != 0 {
         // The only error that sysinfo() can have happens when
diff --git a/src/memory/mem_lock.rs b/src/memory/mem_lock.rs
@@ -4,14 +4,14 @@ use libc::{MCL_CURRENT, MCL_FUTURE};
 
 use crate::errno::errno;
 use crate::error::{Error, Result};
+use crate::safe_ffi;
 
 extern "C" {
     pub static _MCL_ONFAULT: libc::c_int;
 }
 
 pub fn _mlockall_wrapper(flags: c_int) -> Result<()> {
-    // Safety: mlockall is safe
-    let err = unsafe { mlockall(flags) };
+    let err = safe_ffi! { mlockall(flags) };
     if err == 0 {
         return Ok(());
     }
@@ -38,7 +38,7 @@ pub fn lock_memory_pages() -> Result<()> {
     // TODO: check for _MCL_ONFAULT == -1
 
     #[allow(non_snake_case)]
-    let MCL_ONFAULT: c_int = unsafe { _MCL_ONFAULT };
+    let MCL_ONFAULT: c_int = safe_ffi! { _MCL_ONFAULT };
     match _mlockall_wrapper(MCL_CURRENT | MCL_FUTURE | MCL_ONFAULT) {
         Err(err) => {
             eprintln!("First try at mlockall failed: {:?}", err);
diff --git a/src/process.rs b/src/process.rs
@@ -3,6 +3,7 @@ use std::io::Write;
 
 use libc::getpgid;
 
+use crate::safe_ffi;
 use crate::{
     error::{Error, Result},
     utils::{self, str_from_u8},
@@ -35,7 +36,7 @@ impl Process {
     /// TODO: would it be better to check for /proc/<PID>/ in here?
     pub fn is_alive_from_pid(pid: u32) -> bool {
         // Safety: `getpgid` is memory safe
-        let group_id = unsafe { getpgid(pid as i32) };
+        let group_id = safe_ffi! { getpgid(pid as i32) };
 
         group_id > 0
     }
diff --git a/src/uname.rs b/src/uname.rs
@@ -3,6 +3,7 @@ use std::mem;
 
 use crate::error::{Error, Result};
 use crate::linux_version::LinuxVersion;
+use crate::safe_ffi;
 use crate::utils::str_from_u8;
 use libc::{uname, utsname};
 
@@ -16,8 +17,7 @@ impl Uname {
         //         can be safely zeroed.
         let mut uts_struct: utsname = unsafe { mem::zeroed() };
 
-        // No memory unsafety can arise from this call of `uname`
-        let ret_val = unsafe { uname(&mut uts_struct) };
+        let ret_val = safe_ffi! { uname(&mut uts_struct) };
 
         // uname returns a negative number upon failure
         if ret_val < 0 {
@@ -30,7 +30,6 @@ impl Uname {
     pub fn print_info(&self) -> Result<()> {
         // Safety: dereference of these raw pointers are safe since we know they're not NULL, since
         // the buffers in struct utsname are all correctly allocated in the stack at this moment
-
         let sysname = unsafe { CStr::from_ptr(self.uts_struct.sysname.as_ptr()) };
         let hostname = unsafe { CStr::from_ptr(self.uts_struct.nodename.as_ptr()) };
         let release = unsafe { CStr::from_ptr(self.uts_struct.release.as_ptr()) };
diff --git a/src/utils.rs b/src/utils.rs
@@ -8,17 +8,26 @@ use libc::{getpwuid_r, passwd};
 use crate::errno::errno;
 use crate::error::{Error, Result};
 
+/// This macro is used whenever we call a C function but
+/// strongly believe that it cannot cause any memory unsafety.
+#[macro_export]
+macro_rules! safe_ffi {
+    ($e: expr) => {
+        unsafe { $e }
+    };
+}
+
 /// Gets the effective user ID of the calling process
 fn effective_user_id() -> u32 {
     // Safety: the POSIX Programmer's Manual states that
     // geteuid will always be successful.
-    unsafe { libc::geteuid() }
+    safe_ffi! { libc::geteuid() }
 }
 
 /// Gets the process group of the process
 /// with the given PID.
 pub fn get_process_group(pid: i32) -> Result<i32> {
-    let pgid = unsafe { getpgid(pid) };
+    let pgid = safe_ffi! { getpgid(pid) };
     if pgid == -1 {
         return Err(match errno() {
             EPERM => Error::NoPermission,
