ImmutableFd

safe_mmap

Struct ImmutableFd 

Source 
pub struct ImmutableFd<F: AsFd> { /* private fields */ }
Expand description

A file descriptor for an immutable file

A file is “immutable” if it cannot possibly change size or content, ever. This means that it’s impossible for the length or content of the file to be changed from either inside or outside of the program. This goes beyond the usual “file is read-only” or even chattr +i measures because they are reversible.

The only thing that can be done with an immutable file is unlinking it, but it will continue to exist (and continue to be immutable) for as long as any open file descriptors refer to it.

There are a number of ways to obtain an immutable file descriptor:

  • from an fd for a fs-verity enabled file (these files can never be modified once their fs-verity status is enabled)
  • from an fd for a sealed memfd (which can also never be modified)
  • from any fd, unsafely

Implementations§

Source§

impl<F: AsFd> ImmutableFd<F>

Source

pub unsafe fn from_fd(fd: F) -> Self

Produces an ImmutableFd from any file descriptor, unsafely.

§Safety

This function is only safe if the caller takes the responsibility for verifying that the underlying file descriptor points to an immutable file. This means that it’s impossible for the length or content of the file to be changed from either inside or outside of the program.

Source

pub fn from_fs_verity_file(fd: F) -> Result<Self, ImmutableFdError>

Produces an ImmutableFd from an fd pointing to an fs-verity-enabled file

This function confirms that the file is fs-verity enabled before returning. If this could not be determined, then an error is returned.

Source

pub fn from_sealed_memfd(fd: F) -> Result<Self, ImmutableFdError>

Produces an ImmutableFd from a memfd which is sealed for “grow”, “shrink”, and “write”.

This function confirms that the memfd is sealed. If this could not be determined, then an error is returned.

Source

pub unsafe fn mmap_with_length_and_offset( &self, len: usize, offset: u64, ) -> Result<Mapping>

Produces a read-only memory mapping of the given length from the given offset into the given immutable file descriptor.

The offset must be a multiple of the page size. The length does not need to be a multiple of the page size. When performing the mapping, the length is rounded-up by the kernel to the next page-size boundary, but the returned Mapping will have the exact length as given.

This function corresponds exactly to a single mmap() syscall. There is no extra validation performed on the arguments. The returned Mapping object has a Drop impl which will call munmap().

§Safety

This function is only safe if the specified byte range is not actually available in the underlying file, you may receive a SIGBUS signal when attempting to access the memory. It is the responsibility of the caller to ensure that the passed range is valid. Calling this function on a range that doesn’t exist inside of the file produces undefined behaviour.

Source

pub fn mmap_with_offset(&self, offset: u64) -> Result<Mapping>

Produces a read-only memory mapping from the given offset into the given immutable file descriptor.

This function uses fstat() to query the size of the file descriptor before mapping it. The produced mapping is for the range from the given offset to the end of the file.

As a convenience, if the size of the file is exactly equal to offset parameter then this will produce a fake empty mapping. This is done to improve the ergonomics of the API when dealing with empty files: it’s not valid to call mmap() for a zero-byte range.

Source

pub fn mmap(&self) -> Result<Mapping>

Produces a read-only memory mapping from the given immutable file descriptor.

This function uses fstat() to query the size of the file descriptor before mapping it. The produced mapping covers the complete file.

As a convenience, this will produce a fake empty mapping for empty files. This is done to improve the ergonomics of the API when dealing with empty files: it’s not valid to call mmap() for a zero-byte range.

Trait Implementations§

Source§

impl<F: Debug + AsFd> Debug for ImmutableFd<F>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl<F> Freeze for ImmutableFd<F>
where F: Freeze,

§

impl<F> RefUnwindSafe for ImmutableFd<F>
where F: RefUnwindSafe,

§

impl<F> Send for ImmutableFd<F>
where F: Send,

§

impl<F> Sync for ImmutableFd<F>
where F: Sync,

§

impl<F> Unpin for ImmutableFd<F>
where F: Unpin,

§

impl<F> UnwindSafe for ImmutableFd<F>
where F: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.