src/docs/rust-unsafe.md
Lukasz Anforowicz 4a54ad01b7 Add Chromium side of chrome-unsafe-rust-reviews@google.com gwsw setup.
Bug: 393410747
Change-Id: I7bbbc5ec81116004f05cf6979b6b96e4d4afd0b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6219726
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1415239}
2025-02-03 15:25:45 -08:00

unsafe Rust Guidelines

Code Review Policy

All unsafe Rust code in Chromium needs to be reviewed and LGTM-ed by a member of the unsafe-rust-in-chrome@google.com group and the review must be cc'd to the group for visibility. This policy applies to both third-party code (e.g. under //third_party/rust) and first-party code.

How to request a review

To facilitate a code review please:

  • For each new or modified unsafe block, function, impl, etc., add an unresolved "TODO: unsafe review" comment in Gerrit. Consider using tools/crates/create_draft_comments.py to streamline creating such comments.

  • Add chrome-unsafe-rust-reviews@google.com as a reviewer.

Scope of review

Note that changes anywhere in a crate that uses unsafe blocks may violate the internal invariants on which those unsafe blocks rely. It is unrealistic to require an unsafe-rust-in-chrome@google.com review to re-audit all the unsafe blocks each time a crate is updated, but the crate OWNERS and other reviewers should be on the lookout for code changes which feel as though they could affect the invariants on which unsafe blocks rely.
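The following is an added illustration of the point above, not code from Chromium or from any crate it vendors; the type and method names (`InitPrefix`, `set_init_len`, `last_init`) are hypothetical. It shows an unsafe block whose SAFETY argument rests on a struct invariant that only safe code maintains, so a later edit to the safe setter is exactly the kind of change a reviewer must scrutinise even though it touches no `unsafe` keyword.

```rust
// Added illustration (not Chromium code): a change to *safe* code in a crate
// can silently invalidate the SAFETY argument of an unsafe block elsewhere.
// All names here are hypothetical.

/// A buffer together with the length of its "initialised" prefix.
///
/// Invariant (relied upon by the unsafe block in `last_init`):
///     init_len <= buf.len()
pub struct InitPrefix {
    buf: Vec<u8>,
    init_len: usize,
}

/// Error returned when a caller asks for a prefix longer than the buffer.
#[derive(Debug, PartialEq)]
pub struct InvariantViolation {
    pub requested: usize,
    pub capacity: usize,
}

impl InitPrefix {
    /// Constructs a prefix covering the whole buffer; the invariant holds trivially.
    pub fn new(buf: Vec<u8>) -> Self {
        let init_len = buf.len();
        InitPrefix { buf, init_len }
    }

    /// Safe setter. Replacing the bounds check below with a plain
    /// `self.init_len = n;` would compile and pass lints, but `last_init`
    /// could then read past the end of `buf`. The check *is* the protection,
    /// so an edit to this function is in scope for unsafe review.
    pub fn set_init_len(&mut self, n: usize) -> Result<(), InvariantViolation> {
        if n > self.buf.len() {
            return Err(InvariantViolation { requested: n, capacity: self.buf.len() });
        }
        self.init_len = n;
        Ok(())
    }

    /// Returns the last initialised byte, if any.
    pub fn last_init(&self) -> Option<u8> {
        if self.init_len == 0 {
            return None;
        }
        // Cheap re-check of the invariant in debug builds: a future safe-code
        // edit that breaks it trips here instead of becoming memory unsafety.
        debug_assert!(self.init_len <= self.buf.len());
        // SAFETY: `0 < init_len <= buf.len()` (struct invariant, maintained by
        // `new` and `set_init_len`), so `init_len - 1` is a valid index.
        Some(unsafe { *self.buf.get_unchecked(self.init_len - 1) })
    }

    /// Current prefix length.
    pub fn init_len(&self) -> usize {
        self.init_len
    }
}

fn main() {
    // Constructed sample data.
    let mut p = InitPrefix::new(vec![10, 20, 30]);
    println!("{:?}", p.last_init());
    p.set_init_len(1).expect("1 <= 3");
    println!("{:?}", p.last_init());
    println!("{:?}", p.set_init_len(99));
}
```

When reviewing a crate update, the question to ask of every touched function, safe or not, is whether it can reach a field that some SAFETY comment names; here `set_init_len` is the only writer of `init_len`, so a diff to it deserves the same attention as a diff to the unsafe block itself.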

OWNERS files guidance

To require unsafe review for certain .rs files (e.g. ones that use unsafe Rust) you can forward from the file's OWNERS to //third_party/rust/UNSAFE_RUST_OWNERS (see comments in the latter for more details).

Soft SLA

For incremental changes (including updating a minor version of a crate under //third_party/rust/chromium_crates_io) the usual Chromium responsiveness expectations apply (i.e. you should expect reviewer input within 1 business day).

For bulk changes (e.g. importing a new crate and its transitive dependencies) the turnaround time may be longer. This depends mostly on the amount of unsafe code. To streamline reviews and future maintainability, we kindly ask you to prefer crates that do not use unsafe Rust code.

Other notes

Bugs that track streamlining application of this policy are tracked under the umbrella of https://crbug.com/393394872/dependencies.

cargo vet Policy

Crates in //third_party/rust/chromium_crates_io need to be covered by cargo vet audits. In other words, tools/crates/run_cargo_vet.py check should always succeed (this is enforced by //third_party/rust/PRESUBMIT.py).

Audit criteria required for most crates

Audit criteria required for a given crate depend on how the crate is used. The criteria are written to third_party/rust/chromium_crates_io/supply-chain/config.toml by tools/crates/run_gnrt.py vendor based on whether third_party/rust/chromium_crates_io/gnrt_config.toml declares that the crate is meant to be used (possibly transitively) in a safe, sandbox, or test environment. For example, to declare that a crate is safe to be used in the browser process, it needs to be audited and certified to be safe-to-deploy, ub-risk-2 or lower, and either does-not-implement-crypto or crypto-safe.

Note that some audits can be done by any engineer ("ub-risk-0" and "safe-to-run") while others will require specialists from the unsafe-rust-in-chrome@google.com group (see the "Code Review Policy" above). More details about audit criteria and the required expertise are explained in auditing_standards.md, which also provides guidance for conducting delta audits.

Some crates don't require an audit

Chromium implicitly trusts certain crate publishers. Currently there are two scenarios where such a trust relationship may be established:

  • Trusting crates authored and maintained under https://github.com/rust-lang/ (e.g. libc, hashbrown), because they are closely related to the Rust toolchain (i.e. the same group manages and publishes rustc, rustfmt, cargo, rustup, etc.).
  • Trusting crates that are part of an OS SDK (e.g. windows-... crates).

Chromium uses both its own audits (stored in third_party/rust/chromium_crates_io/supply-chain/audits.toml) and audits imported from other parts of Google (e.g. Android, Fuchsia, etc.). This means that adding a new crate does not necessarily require a new audit if the crate has already been audited by another project (in this case, cargo vet will record the imported audit in the third_party/rust/chromium_crates_io/supply-chain/imports.lock file).

How to run cargo vet in Chromium

See the Cargo Vet documentation for how to record the audit in audits.toml. The tools/crates/run_cargo_vet.py script may be used to invoke Chromium's copy of cargo-vet.