Struct kernel::utilities::capability_ptr::CapabilityPtr

source · 
pub struct CapabilityPtr { /* private fields */ }
Expand description

A pointer to userspace memory with implied authority.

A CapabilityPtr points to memory a userspace process may be permitted to read, write, or execute. It is sized exactly to a CPU register that can pass values between userspace and the kernel. Because it is register sized, CapabilityPtr is guaranteed to be at least the size of a word (usize) 1. Operations on the pointer may affect permissions, e.g. offsetting the pointer beyond the bounds of the memory object invalidates it. Like a *const (), a CapabilityPtr may also “hide” information by storing a word of data with no memory access permissions.

CapabilityPtr should be used to store or pass a value between the kernel and userspace that may represent a valid userspace reference, when one party intends the other to access it.

  1. Depending on the architecture, the size of a CapabilityPtr may be a word size or larger, e.g., if registers can store metadata such as access permissions. 

Implementations§

source§

impl CapabilityPtr

source

pub fn as_ptr<T>(&self) -> *const T

Returns the pointer component of a CapabilityPtr but without any of the authority.

source

pub unsafe fn new_with_authority( ptr: *const (), _base: usize, _length: usize, _perms: CapabilityPtrPermissions, ) -> Self

Construct a CapabilityPtr from a raw pointer, with authority ranging over [base, base + length) and permissions perms.

Provenance note: may derive from a pointer other than the input to provide something with valid provenance to justify the other arguments.

§Safety

Constructing a CapabilityPtr with metadata may convey authority to dereference this pointer, such as in userspace. When these pointers serve as the only memory isolation primitive in the system, this method can thus break Tock’s isolation model. As semi-trusted kernel code can name this type and method, it is thus marked as unsafe.

source

pub fn map_or<U, F>(&self, default: U, f: F) -> U
where F: FnOnce(&Self) -> U,

If the CapabilityPtr is null returns default, otherwise applies f to self.

source

pub fn map_or_else<U, D, F>(&self, default: D, f: F) -> U
where D: FnOnce() -> U, F: FnOnce(&Self) -> U,

If the CapabilityPtr is null returns default, otherwise applies f to self. default is only evaluated if self is not null.

Trait Implementations§

source§

impl AddAssign<usize> for CapabilityPtr

source§

fn add_assign(&mut self, rhs: usize)

Increments the address of a CapabilityPtr

source§

impl Clone for CapabilityPtr

source§

fn clone(&self) -> CapabilityPtr

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for CapabilityPtr

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl Default for CapabilityPtr

source§

fn default() -> Self

Returns the “default value” for a type. Read more
source§

impl From<CapabilityPtr> for usize

source§

fn from(from: CapabilityPtr) -> Self

Returns the address of the CapabilityPtr. Provenance note: may not expose provenance.

source§

impl From<usize> for CapabilityPtr

source§

fn from(from: usize) -> Self

Constructs a CapabilityPtr with a given address and no authority

Provenance note: may have null provenance.

source§

impl Hash for CapabilityPtr

source§

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher. Read more
1.3.0 · source§

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more
source§

impl LowerHex for CapabilityPtr

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Format the capability as a lowercase hex string. Will print at least the address, and any platform specific metadata if it exists.

source§

impl Ord for CapabilityPtr

source§

fn cmp(&self, other: &CapabilityPtr) -> Ordering

This method returns an Ordering between self and other. Read more
1.21.0 · source§

fn max(self, other: Self) -> Self
where Self: Sized,

Compares and returns the maximum of two values. Read more
1.21.0 · source§

fn min(self, other: Self) -> Self
where Self: Sized,

Compares and returns the minimum of two values. Read more
1.50.0 · source§

fn clamp(self, min: Self, max: Self) -> Self
where Self: Sized + PartialOrd,

Restrict a value to a certain interval. Read more
source§

impl PartialEq for CapabilityPtr

source§

fn eq(&self, other: &CapabilityPtr) -> bool

This method tests for self and other values to be equal, and is used by ==.
1.0.0 · source§

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
source§

impl PartialOrd for CapabilityPtr

source§

fn partial_cmp(&self, other: &CapabilityPtr) -> Option<Ordering>

This method returns an ordering between self and other values if one exists. Read more
1.0.0 · source§

fn lt(&self, other: &Rhs) -> bool

This method tests less than (for self and other) and is used by the < operator. Read more
1.0.0 · source§

fn le(&self, other: &Rhs) -> bool

This method tests less than or equal to (for self and other) and is used by the <= operator. Read more
1.0.0 · source§

fn gt(&self, other: &Rhs) -> bool

This method tests greater than (for self and other) and is used by the > operator. Read more
1.0.0 · source§

fn ge(&self, other: &Rhs) -> bool

This method tests greater than or equal to (for self and other) and is used by the >= operator. Read more
source§

impl UpperHex for CapabilityPtr

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Format the capability as an uppercase hex string. Will print at least the address, and any platform specific metadata if it exists.

source§

impl Copy for CapabilityPtr

source§

impl Eq for CapabilityPtr

source§

impl StructuralPartialEq for CapabilityPtr

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

default unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> CloneToUninit for T
where T: Copy,

source§

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.