
tag_safe custom_attribute for ocap discipline #130

Closed
dckc opened this issue Dec 23, 2020 · 5 comments

Comments

@dckc

dckc commented Dec 23, 2020

Feel free to close this as out of scope, but the idea is:

1. tag functions that are designed to follow ocap discipline:

   ```rust
   #[tagged_safe(ocap="tagsafe_std_ocap.txt")]
   extern crate std as _std;

   #[tag_safe(ocap)]
   fn cap_main<W>(out: &mut W) -> io::Result<()>
   ```

2. tag functions that use ambient authority as unsafe w.r.t. ocap discipline. The tagsafe_std_ocap.txt file db would express the equivalent of:

   ```rust
   #[tag_unsafe(ocap)]
   use std::fs::File::open;
   ```

3. Use the tag_safe linter to go BZZZT if an ocap safe function calls, directly or indirectly, an ocap unsafe function.

refs from around Nov 2016:
- thepowersgang/tag_safe#1
- https://github.com/dckc/larust-tame
- dckc/rust#2 (comment)

@sunfishcode
Member

I'm not familiar with tag_safe or the rustc plugin system, but this sounds like something interesting to pursue. Would you be interested in putting together a small version of this, that just marks a small number of functions, to show how it would work?

@dckc
Author

dckc commented Dec 29, 2020

I'm interested, yes; whether I'm available is another question. :-/

Here's hoping.

@sunfishcode
Member

It seems the #![plugin] mechanism that tag_safe is built on is deprecated.

cargo-geiger is a project that similarly builds a custom static analysis, but uses syn rather than being a rustc plugin, which may be something to look into.

And on a related note, I posted here about a possible change to Rust's std which would help distinguish the parts of the API that use ambient filesystem authorities from the parts that don't.

@sunfishcode
Member

With the switch to the ambient-authority crate to model ambient authority, another option is to use clippy. A clippy config file for scanning for ambient_authority() or any of the known functions in std, tempfile, rand, directories_next, or fs_set_times, is here:

https://github.com/sunfishcode/ambient-authority/blob/main/clippy.toml
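An added example, not code from this issue or from tag_safe, ambient-authority, cap-std or clippy, showing concretely what the `tag_safe(ocap)` / `tag_unsafe(ocap)` split in the first comment and the clippy scan in the comment above are meant to separate. The `Dir` type and the functions `count_lines`, `cap_main`, `ambient_main` and `open_ambient` are names invented for this example; the only `std` call it relies on is `std::fs::File::open`, which is the kind of ambient-authority entry point a tag or a disallowed-methods list would name.

```rust
// Added example: ocap-disciplined code next to code that uses ambient authority.
// `Dir`, `count_lines`, `cap_main` and `ambient_main` are names chosen for this
// example; they are not from tag_safe, ambient-authority or std.
use std::fs::File;
use std::io::{self, Read, Write};
use std::path::{Component, Path, PathBuf};

/// Toy directory capability. Code that holds a `Dir` can open files under its
/// root and nothing else; it never learns or chooses the root path itself.
pub struct Dir {
    root: PathBuf,
}

impl Dir {
    /// The one place ambient authority is exercised: turning a path the process
    /// happens to be able to name into a capability. In the issue's scheme this
    /// is the function that would carry `#[tag_unsafe(ocap)]`.
    pub fn open_ambient(root: impl Into<PathBuf>) -> Dir {
        Dir { root: root.into() }
    }

    /// A path stays inside the capability only if every component is a plain
    /// name: no root (`/x`), no prefix (`C:`), no `..`, and no leading `.`.
    pub fn is_inside(rel: &Path) -> bool {
        rel.components().all(|c| matches!(c, Component::Normal(_)))
    }

    /// Open a file relative to the capability, refusing anything that escapes.
    pub fn open(&self, rel: impl AsRef<Path>) -> io::Result<File> {
        let rel = rel.as_ref();
        if !Dir::is_inside(rel) {
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                "path escapes the directory capability",
            ));
        }
        File::open(self.root.join(rel))
    }
}

/// Ocap-disciplined (`#[tag_safe(ocap)]` in the issue's terms): every effect goes
/// through values the caller passed in, so its reach is exactly what it was given.
pub fn count_lines<R: Read, W: Write>(input: &mut R, out: &mut W) -> io::Result<usize> {
    let mut text = String::new();
    input.read_to_string(&mut text)?;
    let n = text.lines().count();
    writeln!(out, "{} lines", n)?;
    Ok(n)
}

/// Still ocap-disciplined: the directory is a parameter, and `Dir::open` only
/// resolves names inside it.
pub fn cap_main<W: Write>(dir: &Dir, name: &str, out: &mut W) -> io::Result<usize> {
    let mut file = dir.open(name)?;
    count_lines(&mut file, out)
}

/// Ambient authority: resolves the name against the process's whole filesystem
/// namespace. This is the call that a `tag_unsafe(ocap)` entry for
/// `std::fs::File::open`, or a clippy `disallowed-methods` entry for it, flags.
pub fn ambient_main<W: Write>(path: &str, out: &mut W) -> io::Result<usize> {
    let mut file = File::open(path)?;
    count_lines(&mut file, out)
}

fn main() -> io::Result<()> {
    // Authority enters once, at the top, and is passed down explicitly.
    let here = Dir::open_ambient(std::env::current_dir()?);
    let name = std::env::args().nth(1).unwrap_or_else(|| "Cargo.toml".to_string());
    let mut stdout = io::stdout();
    cap_main(&here, &name, &mut stdout)?;
    Ok(())
}
```

The linter idea from the first comment corresponds to the transitive call graph here: `cap_main` reaches `File::open` only through `Dir::open`, whose caller must already hold a `Dir`, whereas `ambient_main` calls `File::open` directly on a caller-supplied string. With clippy, a `clippy.toml` containing `disallowed-methods = ["std::fs::File::open"]` and `#![deny(clippy::disallowed_methods)]` in the crate would reject `ambient_main` and `Dir::open` while leaving `count_lines` and `cap_main` untouched; the remaining `File::open` inside `Dir` is then the single, reviewable place where ambient authority is allowed in (the linked clippy.toml is not reproduced here).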

@dckc
Author

dckc commented Jun 14, 2021

fantastic!

@dckc dckc closed this as completed Jun 14, 2021