pub struct RightsRequest {
    pub at_most: Operations,
    pub at_least: Operations,
    pub resolution: RightsResolution,
}

Options for requesting rights on the new connection.

Rights Hierarchy

Respecting the principle of least privilege, rights in general must meet the following restrictions:

  • A connection must have nonzero rights.
  • From the perspective of a client, rights must never increase in a derived connection.
  • From the perspective of a directory proxy, it must ensure that new connections opened through it cannot have more rights than the connection where the proxy received the Open/Reopen call.

The proper enforcement of the rights hierarchy is a powerful refinement over the existing access control facilities offered by directory sandboxing.

Rights vs Abilities

The rights on a connection limit the set of operations allowed on that connection, but do not guarantee their availability, because the object may not support them.

See [Rights] and [Abilities].

Implementation Notes

When a directory proxy encounters an absent rights field, it should fill in this field as follows, where r is the rights on the connection where it received this request:

RightsRequest {
    at_most: r,
    at_least: Operations::empty(),
    resolution: RightsResolution::Maximize,
}

before forwarding the request to the remote party.

Because opening a new connection may involve multiple hops through directory proxies, we require the client to set an upper bound and lower bound on the rights request, and intermediate proxies to refine these bounds.

Rights manipulation should be implemented mechanically, without knowledge of any specific rights, and servers should propagate unknown bit members so that future rights extensions are handled gracefully.

Implementation Notes

It may be common for a client to request an exact set of rights. We recommend that client libraries define a helper function like the following:

fn exact(exact_rights: Operations) -> RightsRequest {
    // `Rights` is an alias of `Operations` in fuchsia.io; ask for exactly this set,
    // so a proxy that cannot grant all of it denies the request instead of shrinking it.
    RightsRequest {
        at_most: exact_rights,
        at_least: exact_rights,
        resolution: RightsResolution::Maximize,
    }
}

Fields

at_most: Operations

Sets an upper bound on the resulting rights. The exact rights will depend on resolution.

Implementation Notes

When a directory proxy encounters this field, it should compute the intersection between this and the rights on the connection where it received the request, to shrink the rights.

  • If the intersection is empty, or not a superset of at_least, the proxy should close object_request with the ZX_ERR_ACCESS_DENIED epitaph.
  • Otherwise, the proxy should forward the Open call as usual, but update at_most with the shrunk rights.
at_least: Operations

Sets a lower bound on the resulting rights. The exact rights will depend on resolution.

  • During [Directory.Open], you may only specify the same rights as what the directory connection already has, or a subset of those.
  • During [Node.Reopen], similarly, you may only specify the same or a subset of rights possessed by the original connection.
  • Exceeding those rights causes object_request to be closed with a ZX_ERR_ACCESS_DENIED epitaph.

Therefore the following invariants should be maintained:

at_most ⊋ {}
at_most ⊃ at_least
rights_on_connection_where_open_is_received ⊋ {}
rights_on_connection_where_open_is_received ⊃ at_least

using the superset (⊃), proper superset (⊋), and empty set ({}) notations.
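As an added example (not code from the fuchsia.io bindings or the Fuchsia project), the following stand-alone Rust models the proxy-side handling described in the Implementation Notes above: filling in an absent request from the receiving connection's rights r, shrinking at_most by intersection, and denying when the invariants would be violated, chained across several proxy hops. The Operations bit values, the single-variant RightsResolution and the AccessDenied type are constructed stand-ins for the real FIDL types.

```rust
// Constructed stand-in for the bitflags `Operations` type of fidl_fuchsia_io.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Operations(pub u64);

impl Operations {
    pub const EMPTY: Operations = Operations(0);
    pub const CONNECT: Operations = Operations(1 << 0); // bit assignments are constructed
    pub const READ_BYTES: Operations = Operations(1 << 1);
    pub const WRITE_BYTES: Operations = Operations(1 << 2);
    pub const EXECUTE: Operations = Operations(1 << 3);
    pub fn intersect(self, other: Operations) -> Operations { Operations(self.0 & other.0) }
    pub fn union(self, other: Operations) -> Operations { Operations(self.0 | other.0) }
    pub fn is_empty(self) -> bool { self.0 == 0 }
    pub fn contains(self, other: Operations) -> bool { self.0 & other.0 == other.0 } // self ⊃ other
}

/// Only the mode the struct docs name; a stand-in for the real enum.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum RightsResolution { Maximize }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct RightsRequest { pub at_most: Operations, pub at_least: Operations, pub resolution: RightsResolution }
/// The outcome a proxy reports by closing object_request with the ZX_ERR_ACCESS_DENIED epitaph.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct AccessDenied;

/// One proxy hop, where `r` is the rights on the connection that received Open/Reopen.
/// An absent request becomes `{at_most: r, at_least: {}, MAXIMIZE}`; then `at_most` is shrunk
/// to its intersection with `r`. Plain bit masking, so unknown (future) bits propagate untouched.
pub fn refine_at_proxy(request: Option<RightsRequest>, r: Operations) -> Result<RightsRequest, AccessDenied> {
    let req = request.unwrap_or(RightsRequest {
        at_most: r, at_least: Operations::EMPTY, resolution: RightsResolution::Maximize,
    });
    let shrunk = req.at_most.intersect(r);
    if shrunk.is_empty() || !shrunk.contains(req.at_least) {
        return Err(AccessDenied); // would break at_most ⊋ {} or at_most ⊃ at_least
    }
    Ok(RightsRequest { at_most: shrunk, ..req })
}

/// Chains the refinement across every proxy on the path (`hops` must be non-empty):
/// a later hop can only narrow what an earlier hop allowed, never widen it.
pub fn forward_through(hops: &[Operations], request: Option<RightsRequest>) -> Result<RightsRequest, AccessDenied> {
    let mut req = refine_at_proxy(request, hops[0])?;
    for &r in &hops[1..] {
        req = refine_at_proxy(Some(req), r)?;
    }
    Ok(req)
}
```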

resolution: RightsResolution

When an Open/Reopen request reaches its final remote server, it should assign rights on the new connection based on one of these modes.

Trait Implementations

impl Clone for RightsRequest

fn clone(&self) -> RightsRequest

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RightsRequest

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Decode<RightsRequest> for RightsRequest

fn new_empty() -> Self

Creates a valid instance of Self. The specific value does not matter, since it will be overwritten by decode.

unsafe fn decode(&mut self, decoder: &mut Decoder<'_>, offset: usize, depth: Depth) -> Result<()>

Decodes an object of type T from the decoder's buffers into self.

impl Encode<RightsRequest> for &RightsRequest

unsafe fn encode(self, encoder: &mut Encoder<'_>, offset: usize, depth: Depth) -> Result<()>

Encodes the object into the encoder's buffers. Any handles stored in the object are swapped for Handle::INVALID.

impl<T0: Encode<Operations>, T1: Encode<Operations>, T2: Encode<RightsResolution>> Encode<RightsRequest> for (T0, T1, T2)

unsafe fn encode(self, encoder: &mut Encoder<'_>, offset: usize, depth: Depth) -> Result<()>

Encodes the object into the encoder's buffers. Any handles stored in the object are swapped for Handle::INVALID.

impl Hash for RightsRequest

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H) where H: Hasher, Self: Sized

Feeds a slice of this type into the given Hasher.

impl Ord for RightsRequest

fn cmp(&self, other: &RightsRequest) -> Ordering

This method returns an Ordering between self and other.

fn max(self, other: Self) -> Self where Self: Sized

Compares and returns the maximum of two values.

fn min(self, other: Self) -> Self where Self: Sized

Compares and returns the minimum of two values.

fn clamp(self, min: Self, max: Self) -> Self where Self: Sized + PartialOrd<Self>

Restricts a value to a certain interval.

impl PartialEq<RightsRequest> for RightsRequest

fn eq(&self, other: &RightsRequest) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl PartialOrd<RightsRequest> for RightsRequest

fn partial_cmp(&self, other: &RightsRequest) -> Option<Ordering>

This method returns an ordering between self and other values if one exists.

fn lt(&self, other: &Rhs) -> bool

This method tests less than (for self and other) and is used by the < operator.

fn le(&self, other: &Rhs) -> bool

This method tests less than or equal to (for self and other) and is used by the <= operator.

fn gt(&self, other: &Rhs) -> bool

This method tests greater than (for self and other) and is used by the > operator.

fn ge(&self, other: &Rhs) -> bool

This method tests greater than or equal to (for self and other) and is used by the >= operator.

impl TypeMarker for RightsRequest

type Owned = RightsRequest

The owned Rust type which this FIDL type decodes into.

fn inline_align(context: Context) -> usize

Returns the minimum required alignment of the inline portion of the encoded object. It must be a (nonzero) power of two.

fn inline_size(context: Context) -> usize

Returns the size of the inline portion of the encoded object, including padding for alignment. Must be a multiple of inline_align.

fn encode_is_copy() -> bool

Returns true if the memory layout of Self::Owned matches the FIDL wire format and encoding requires no validation. When true, encoding arrays and vectors of Self::Owned can be optimized to a single memcpy.

fn decode_is_copy() -> bool

Returns true if the memory layout of Self::Owned matches the FIDL wire format and decoding requires no validation. When true, decoding arrays and vectors of Self::Owned can be optimized to a single memcpy.

impl ValueTypeMarker for RightsRequest

type Borrowed<'a> = &'a <RightsRequest as TypeMarker>::Owned

The Rust type to use for encoding. This is a particular Encode<Self> type cheaply obtainable from &Self::Owned. There are three cases, described in the ValueTypeMarker trait documentation.

fn borrow<'a>(value: &'a <Self as TypeMarker>::Owned) -> Self::Borrowed<'a>

Cheaply converts from &Self::Owned to Self::Borrowed.

impl Copy for RightsRequest

impl Eq for RightsRequest

impl StructuralEq for RightsRequest

impl StructuralPartialEq for RightsRequest

impl TopLevel for RightsRequest

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T where T: ?Sized

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> Encode<Ambiguous1> for T

unsafe fn encode(self, _encoder: &mut Encoder<'_>, _offset: usize, _depth: Depth) -> Result<(), Error>

Encodes the object into the encoder's buffers. Any handles stored in the object are swapped for Handle::INVALID.

impl<T> Encode<Ambiguous2> for T

unsafe fn encode(self, _encoder: &mut Encoder<'_>, _offset: usize, _depth: Depth) -> Result<(), Error>

Encodes the object into the encoder's buffers. Any handles stored in the object are swapped for Handle::INVALID.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T where U: From<T>

fn into(self) -> U

Calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Pointable for T

const ALIGN: usize = mem::align_of::<T>()

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> ToOwned for T where T: Clone

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T where U: Into<T>

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where S: Into<Dispatch>

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> Persistable for T where T: TopLevel + for<'a> ValueTypeMarker<Borrowed<'a> = &'a T>