kernel::utilities::capability_ptr

Struct CapabilityPtr

Source 
pub struct CapabilityPtr { /* private fields */ }
Expand description

A pointer to userspace memory with implied authority.

A CapabilityPtr points to memory a userspace process may be permitted to read, write, or execute. It is sized exactly to a CPU register that can pass values between userspace and the kernel 1. Operations on the pointer may affect permissions, e.g. offsetting the pointer beyond the bounds of the memory object may invalidate it.

CapabilityPtr should be used to store or pass a value between the kernel and userspace that may represent a valid userspace reference, when one party intends the other to access it.

  1. Depending on the architecture, the size of a CapabilityPtr may be a word size or larger, e.g., if registers can store metadata such as access permissions. 

Implementations§

Source§

impl CapabilityPtr

Source

pub fn addr(self) -> usize

Returns the address of this pointer. Does not expose provenance.

Source

pub fn as_ptr<T>(&self) -> *const T

Returns the pointer component of a CapabilityPtr but without any of the authority.

Source

pub unsafe fn new_with_authority( ptr: *const (), _base: usize, _length: usize, _perms: CapabilityPtrPermissions, ) -> Self

Construct a CapabilityPtr from a raw pointer, with authority ranging over [base, base + length) and permissions perms.

Provenance note: may derive from a pointer other than the input to provide something with valid provenance to justify the other arguments.

§Safety

Constructing a CapabilityPtr with metadata may convey authority to dereference this pointer, such as in userspace. When these pointers serve as the only memory isolation primitive in the system, this method can thus break Tock’s isolation model. As semi-trusted kernel code can name this type and method, it is thus marked as unsafe.

Source

pub fn map_or<U, F>(&self, default: U, f: F) -> U
where F: FnOnce(&Self) -> U,

If the CapabilityPtr is null returns default, otherwise applies f to self.

Source

pub fn map_or_else<U, D, F>(&self, default: D, f: F) -> U
where D: FnOnce() -> U, F: FnOnce(&Self) -> U,

If the CapabilityPtr is null returns default, otherwise applies f to self. default is only evaluated if self is not null.

Trait Implementations§

Source§

impl AddAssign<usize> for CapabilityPtr

Source§

fn add_assign(&mut self, rhs: usize)

Increments the address of a CapabilityPtr. If the pointer is offset past its bounds, its authority may be invalidated.

Source§

impl Clone for CapabilityPtr

Source§

fn clone(&self) -> CapabilityPtr

Returns a copy of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for CapabilityPtr

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for CapabilityPtr

Source§

fn default() -> Self

Returns a null CapabilityPtr.

Source§

impl From<CapabilityPtr> for MachineRegister

Source§

fn from(from: CapabilityPtr) -> Self

Creates a MachineRegister containing this CapabilityPtr, including its provenance.

Source§

impl From<usize> for CapabilityPtr

Source§

fn from(from: usize) -> Self

Constructs a CapabilityPtr with a given address but no authority or provenance.

Source§

impl Hash for CapabilityPtr

Source§

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher. Read more
1.3.0 · Source§

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more
Source§

impl LowerHex for CapabilityPtr

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Ord for CapabilityPtr

Source§

fn cmp(&self, other: &CapabilityPtr) -> Ordering

This method returns an Ordering between self and other. Read more
1.21.0 · Source§

fn max(self, other: Self) -> Self
where Self: Sized,

Compares and returns the maximum of two values. Read more
1.21.0 · Source§

fn min(self, other: Self) -> Self
where Self: Sized,

Compares and returns the minimum of two values. Read more
1.50.0 · Source§

fn clamp(self, min: Self, max: Self) -> Self
where Self: Sized,

Restrict a value to a certain interval. Read more
Source§

impl PartialEq for CapabilityPtr

Source§

fn eq(&self, other: &CapabilityPtr) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl PartialOrd for CapabilityPtr

Source§

fn partial_cmp(&self, other: &CapabilityPtr) -> Option<Ordering>

This method returns an ordering between self and other values if one exists. Read more
1.0.0 · Source§

fn lt(&self, other: &Rhs) -> bool

Tests less than (for self and other) and is used by the < operator. Read more
1.0.0 · Source§

fn le(&self, other: &Rhs) -> bool

Tests less than or equal to (for self and other) and is used by the <= operator. Read more
1.0.0 · Source§

fn gt(&self, other: &Rhs) -> bool

Tests greater than (for self and other) and is used by the > operator. Read more
1.0.0 · Source§

fn ge(&self, other: &Rhs) -> bool

Tests greater than or equal to (for self and other) and is used by the >= operator. Read more
Source§

impl UpperHex for CapabilityPtr

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Copy for CapabilityPtr

Source§

impl Eq for CapabilityPtr

Source§

impl StructuralPartialEq for CapabilityPtr

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dst: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.