Struct fidl_fuchsia_io::RightsRequest
pub struct RightsRequest {
    pub at_most: Operations,
    pub at_least: Operations,
    pub resolution: RightsResolution,
}
Options for requesting rights on the new connection.
Rights Hierarchy
Respecting the principle of least privilege, rights in general must meet the following restrictions:
- A connection must have nonzero rights.
- From the perspective of a client, rights must never increase in a derived connection.
- From the perspective of a directory proxy, it must ensure that new connections opened through it cannot have more rights than the connection where the proxy received the Open/Reopen call.
The proper enforcement of the rights hierarchy is a powerful refinement over the existing access control facilities offered by directory sandboxing.
Rights vs Abilities
The rights on a connection limit the set of operations allowed on that connection, but do not guarantee their availability, because the object may not support them.
See [Rights] and [Abilities].
Implementation Notes
When a directory proxy encounters an absent rights field, let r be the rights on the connection where it received this request; the proxy should fill in this field with the following:
    RightsRequest {
        at_most: r,
        at_least: 0,
        resolution: RightsResolution.MAXIMIZE,
    }
before forwarding the request to the remote party.
Because opening a new connection may involve multiple hops through directory proxies, we require the client to set an upper bound and lower bound on the rights request, and intermediate proxies to refine these bounds.
The rights manipulation should be implemented mechanically without knowledge of any specific rights, and servers should propagate unknown bits members, to gracefully handle future rights extensions.
Implementation Notes
It could be common for a client to request an exact set of rights. We recommend that client libraries define a helper function like the following:
    fn Exact(exact_rights: Rights) -> RightsRequest {
        RightsRequest {
            at_most: exact_rights,
            at_least: exact_rights,
            resolution: RightsResolution.MAXIMIZE,
        }
    }
Fields
at_most: Operations
Sets an upper bound on the resulting rights. The exact rights will depend on resolution.
Implementation Notes
When a directory proxy encounters this variant, it should compute the intersection between this and the rights on the connection where it received the request, to shrink the rights.
- If the intersection is empty, or not a superset of at_least, the proxy should close object_request with the ZX_ERR_ACCESS_DENIED epitaph.
- Otherwise, the proxy should forward the Open call as usual, but update at_most with the shrunk rights.
at_least: Operations
Sets a lower bound on the resulting rights. The exact rights will depend on resolution.
- During [Directory.Open], you may only specify the same rights as what the directory connection already has, or a subset of those.
- During [Node.Reopen], similarly, you may only specify the same or a subset of rights possessed by the original connection.
- Exceeding those rights causes object_request to be closed with a ZX_ERR_ACCESS_DENIED epitaph.
Therefore there are these invariants which should be maintained:
    at_most ⊋ {}
    at_most ⊃ at_least
    rights_on_connection_where_open_is_received ⊋ {}
    rights_on_connection_where_open_is_received ⊃ at_least
using the superset (⊃), proper superset (⊋), and empty set ({}) notations.
resolution: RightsResolution
When an Open/Reopen request reaches its final remote server, it should assign rights on the new connection based on one of these modes.
Trait Implementations
impl Clone for RightsRequest
    fn clone(&self) -> RightsRequest
    fn clone_from(&mut self, source: &Self)
impl Debug for RightsRequest
impl Decode<RightsRequest> for RightsRequest
impl Encode<RightsRequest> for &RightsRequest
impl<T0: Encode<Operations>, T1: Encode<Operations>, T2: Encode<RightsResolution>> Encode<RightsRequest> for (T0, T1, T2)
impl Hash for RightsRequest
impl Ord for RightsRequest
    fn cmp(&self, other: &RightsRequest) -> Ordering
    fn max(self, other: Self) -> Self where Self: Sized
impl PartialEq<RightsRequest> for RightsRequest
    fn eq(&self, other: &RightsRequest) -> bool
impl PartialOrd<RightsRequest> for RightsRequest
    fn partial_cmp(&self, other: &RightsRequest) -> Option<Ordering>
    fn le(&self, other: &Rhs) -> bool
impl TypeMarker for RightsRequest
    type Owned = RightsRequest
    fn inline_align(context: Context) -> usize
    fn inline_size(context: Context) -> usize
    fn encode_is_copy() -> bool
        True when Self::Owned matches the FIDL wire format and encoding requires no validation. When true, encoding arrays and vectors of Self::Owned can be optimized to a single memcpy.
    fn decode_is_copy() -> bool
        True when Self::Owned matches the FIDL wire format and decoding requires no validation. When true, decoding arrays and vectors of Self::Owned can be optimized to a single memcpy.
impl ValueTypeMarker for RightsRequest
    type Borrowed<'a> = &'a <RightsRequest as TypeMarker>::Owned