Forbid unsafe code in most module (#1018)

This change adds the `forbid(unsafe_code)` directive to most modules,
ensuring that these modules are "safe". There are three modules this
cannot apply to:

- `duplex` -- due to the implementation of `BufMut` for `CopyBuf`; and
- `proxy::transport` -- due to socket option interactions.
- `system` -- for system-level counter access

Furthermore, this change adds `deny(warnings)` directives to a few
modules that were missing it.

Author: olix0r

Cargo.lock

@@ -645,7 +645,6 @@ dependencies = [
  "hyper",
  "indexmap",
  "ipnet",
- "libc",
  "linkerd-addr",
  "linkerd-cache",
  "linkerd-concurrency-limit",
@@ -681,14 +680,14 @@ dependencies = [
  "linkerd-stack",
  "linkerd-stack-metrics",
  "linkerd-stack-tracing",
+ "linkerd-system",
  "linkerd-timeout",
  "linkerd-tls",
  "linkerd-trace-context",
  "linkerd-tracing",
  "linkerd-transport-header",
  "linkerd2-proxy-api",
  "pin-project",
- "procinfo",
  "prost-types",
  "regex",
  "thiserror",
@@ -1344,6 +1343,15 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "linkerd-system"
+version = "0.1.0"
+dependencies = [
+ "libc",
+ "procinfo",
+ "tracing",
+]
+
 [[package]]
 name = "linkerd-timeout"
 version = "0.1.0"

Cargo.toml

@@ -51,6 +51,7 @@ members = [
     "linkerd/stack",
     "linkerd/stack/metrics",
     "linkerd/stack/tracing",
+    "linkerd/system",
     "linkerd/timeout",
     "linkerd/tls",
     "linkerd/tracing",

hyper-balance/src/lib.rs

@@ -1,4 +1,5 @@
 #![deny(warnings, rust_2018_idioms)]
+#![forbid(unsafe_code)]
 #![allow(clippy::inconsistent_struct_constructor)]
 
 use hyper::body::HttpBody;

linkerd/addr/fuzz/Cargo.toml

@@ -17,6 +17,7 @@ tracing = "0.1.23"
 # Prevent this from interfering with workspaces
 [workspace]
 members = ["."]
+resolver = "2"
 
 [[bin]]
 name = "fuzz_target_1"

linkerd/addr/src/lib.rs

@@ -1,4 +1,5 @@
 #![deny(warnings, rust_2018_idioms)]
+#![forbid(unsafe_code)]
 #![allow(clippy::inconsistent_struct_constructor)]
 use linkerd_dns_name::Name;
 use std::{

linkerd/app/core/Cargo.toml

@@ -81,8 +81,7 @@ features = [
 ]
 
 [target.'cfg(target_os = "linux")'.dependencies]
-libc = "0.2"
-procinfo = "0.4.2"
+linkerd-system = { path = "../../system" }
 
 [dev-dependencies]
 linkerd2-proxy-api = { git = "https://github.com/linkerd/linkerd2-proxy-api", tag = "v0.1.18", features = ["arbitrary"] }

linkerd/app/core/src/lib.rs

@@ -8,6 +8,7 @@
 //! - Metric labeling
 
 #![deny(warnings, rust_2018_idioms)]
+#![forbid(unsafe_code)]
 #![allow(clippy::inconsistent_struct_constructor)]
 
 pub use linkerd_addr::{self as addr, Addr, NameAddr};

linkerd/app/core/src/telemetry/process.rs

@@ -1,20 +1,20 @@
-use self::system::System;
 use linkerd_metrics::{metrics, FmtMetrics, Gauge};
 use std::fmt;
 use std::sync::Arc;
 use std::time::{SystemTime, UNIX_EPOCH};
-use tracing::debug;
 
 metrics! {
     process_start_time_seconds: Gauge {
         "Time that the process started (in seconds since the UNIX epoch)"
     }
 }
 
-#[derive(Clone, Debug, Default)]
+#[derive(Clone, Debug)]
 pub struct Report {
     start_time: Arc<Gauge>,
-    system: Option<System>,
+
+    #[cfg(target_os = "linux")]
+    system: linux::System,
 }
 
 impl Report {
@@ -24,16 +24,13 @@ impl Report {
             .expect("process start time")
             .as_secs();
 
-        let system = match System::new() {
-            Ok(s) => Some(s),
-            Err(err) => {
-                debug!("failed to load system stats: {}", err);
-                None
-            }
-        };
+        #[cfg(not(target_os = "linux"))]
+        info!("System-level metrics are only supported on Linux");
         Self {
             start_time: Arc::new(t0.into()),
-            system,
+
+            #[cfg(target_os = "linux")]
+            system: linux::System::new(),
         }
     }
 }
@@ -43,22 +40,19 @@ impl FmtMetrics for Report {
         process_start_time_seconds.fmt_help(f)?;
         process_start_time_seconds.fmt_metric(f, self.start_time.as_ref())?;
 
-        if let Some(ref sys) = self.system {
-            sys.fmt_metrics(f)?;
-        }
+        #[cfg(target_os = "linux")]
+        self.system.fmt_metrics(f)?;
 
         Ok(())
     }
 }
 
 #[cfg(target_os = "linux")]
-mod system {
-    use libc::{self, pid_t};
+mod linux {
     use linkerd_metrics::{metrics, Counter, FmtMetrics, Gauge, MillisAsSeconds};
-    use procinfo::pid;
+    use linkerd_system as sys;
     use std::fmt;
-    use std::{fs, io};
-    use tracing::{error, warn};
+    use tracing::warn;
 
     metrics! {
         process_cpu_seconds_total: Counter<MillisAsSeconds> {
@@ -74,131 +68,86 @@ mod system {
         }
     }
 
-    #[derive(Clone, Debug)]
+    #[derive(Clone, Debug, Default)]
     pub(super) struct System {
-        page_size: u64,
-        ms_per_tick: u64,
+        page_size: Option<u64>,
+        ms_per_tick: Option<u64>,
     }
 
     impl System {
-        pub fn new() -> io::Result<Self> {
-            let page_size = Self::sysconf(libc::_SC_PAGESIZE, "page size")?;
-
-            // On Linux, CLK_TCK is ~always `100`, so pure integer division
-            // works. This is probably not suitable if we encounter other
-            // values.
-            let clock_ticks_per_sec = Self::sysconf(libc::_SC_CLK_TCK, "clock ticks per second")?;
-            let ms_per_tick = 1_000 / clock_ticks_per_sec;
-            if clock_ticks_per_sec != 100 {
-                warn!(
-                    clock_ticks_per_sec,
-                    ms_per_tick, "Unexpected value; process_cpu_seconds_total may be inaccurate."
-                );
-            }
-
-            Ok(Self {
-                page_size,
-                ms_per_tick,
-            })
-        }
-
-        fn open_fds(pid: pid_t) -> io::Result<Gauge> {
-            let mut open = 0;
-            for f in fs::read_dir(format!("/proc/{}/fd", pid))? {
-                if !f?.file_type()?.is_dir() {
-                    open += 1;
+        pub fn new() -> Self {
+            let page_size = match sys::page_size() {
+                Ok(ps) => Some(ps),
+                Err(err) => {
+                    warn!("Failed to load page size: {}", err);
+                    None
                 }
-            }
-            Ok(Gauge::from(open))
-        }
-
-        fn max_fds() -> io::Result<Option<Gauge>> {
-            let limit = pid::limits_self()?.max_open_files;
-            let max_fds = limit.soft.or(limit.hard).map(|max| Gauge::from(max as u64));
-            Ok(max_fds)
-        }
-
-        fn sysconf(num: libc::c_int, name: &'static str) -> Result<u64, io::Error> {
-            match unsafe { libc::sysconf(num) } {
-                e if e <= 0 => {
-                    let error = io::Error::last_os_error();
-                    error!("error getting {}: {:?}", name, error);
-                    Err(error)
+            };
+            let ms_per_tick = match sys::ms_per_tick() {
+                Ok(mpt) => Some(mpt),
+                Err(err) => {
+                    warn!("Failed to load cpu clock speed: {}", err);
+                    None
                 }
-                val => Ok(val as u64),
+            };
+            Self {
+                page_size,
+                ms_per_tick,
             }
         }
     }
 
     impl FmtMetrics for System {
         fn fmt_metrics(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-            // XXX potentially blocking call
-            let stat = match pid::stat_self() {
+            let stat = match sys::blocking_stat() {
                 Ok(stat) => stat,
                 Err(err) => {
                     warn!("failed to read process stats: {}", err);
                     return Ok(());
                 }
             };
 
-            let clock_ticks = stat.utime as u64 + stat.stime as u64;
-            let cpu_ms = clock_ticks * self.ms_per_tick;
-            process_cpu_seconds_total.fmt_help(f)?;
-            process_cpu_seconds_total.fmt_metric(f, &Counter::from(cpu_ms))?;
+            if let Some(mpt) = self.ms_per_tick {
+                let clock_ticks = stat.utime as u64 + stat.stime as u64;
+                let cpu_ms = clock_ticks * mpt;
+                process_cpu_seconds_total.fmt_help(f)?;
+                process_cpu_seconds_total.fmt_metric(f, &Counter::from(cpu_ms))?;
+            } else {
+                warn!("Could not determine process_cpu_seconds_total");
+            }
 
             process_virtual_memory_bytes.fmt_help(f)?;
             process_virtual_memory_bytes.fmt_metric(f, &Gauge::from(stat.vsize as u64))?;
 
-            process_resident_memory_bytes.fmt_help(f)?;
-            process_resident_memory_bytes
-                .fmt_metric(f, &Gauge::from(stat.rss as u64 * self.page_size))?;
+            if let Some(ps) = self.page_size {
+                process_resident_memory_bytes.fmt_help(f)?;
+                process_resident_memory_bytes.fmt_metric(f, &Gauge::from(stat.rss as u64 * ps))?;
+            } else {
+                warn!("Could not determine process_resident_memory_bytes");
+            }
 
-            match Self::open_fds(stat.pid) {
+            match sys::open_fds(stat.pid) {
                 Ok(open_fds) => {
                     process_open_fds.fmt_help(f)?;
-                    process_open_fds.fmt_metric(f, &open_fds)?;
+                    process_open_fds.fmt_metric(f, &open_fds.into())?;
                 }
                 Err(err) => {
-                    warn!("could not determine process_open_fds: {}", err);
+                    warn!("Could not determine process_open_fds: {}", err);
                 }
             }
 
-            match Self::max_fds() {
+            match sys::max_fds() {
                 Ok(None) => {}
-                Ok(Some(ref max_fds)) => {
+                Ok(Some(max_fds)) => {
                     process_max_fds.fmt_help(f)?;
-                    process_max_fds.fmt_metric(f, max_fds)?;
+                    process_max_fds.fmt_metric(f, &max_fds.into())?;
                 }
                 Err(err) => {
-                    warn!("could not determine process_max_fds: {}", err);
+                    warn!("Could not determine process_max_fds: {}", err);
                 }
             }
 
             Ok(())
         }
     }
 }
-
-#[cfg(not(target_os = "linux"))]
-mod system {
-    use crate::metrics::FmtMetrics;
-    use std::{fmt, io};
-
-    #[derive(Clone, Debug)]
-    pub(super) struct System {}
-
-    impl System {
-        pub fn new() -> io::Result<Self> {
-            Err(io::Error::new(
-                io::ErrorKind::Other,
-                "procinfo not supported on this operating system",
-            ))
-        }
-    }
-
-    impl FmtMetrics for System {
-        fn fmt_metrics(&self, _: &mut fmt::Formatter<'_>) -> fmt::Result {
-            Ok(())
-        }
-    }
-}

linkerd/app/gateway/src/lib.rs

@@ -1,4 +1,5 @@
 #![deny(warnings, rust_2018_idioms)]
+#![forbid(unsafe_code)]
 #![allow(clippy::inconsistent_struct_constructor)]
 
 mod gateway;

linkerd/app/inbound/fuzz/Cargo.lock

@@ -575,7 +575,6 @@ dependencies = [
  "hyper",
  "indexmap",
  "ipnet",
- "libc",
  "linkerd-addr",
  "linkerd-cache",
  "linkerd-concurrency-limit",
@@ -611,14 +610,14 @@ dependencies = [
  "linkerd-stack",
  "linkerd-stack-metrics",
  "linkerd-stack-tracing",
+ "linkerd-system",
  "linkerd-timeout",
  "linkerd-tls",
  "linkerd-trace-context",
  "linkerd-tracing",
  "linkerd-transport-header",
  "linkerd2-proxy-api",
  "pin-project",
- "procinfo",
  "regex",
  "thiserror",
  "tokio",
@@ -1189,6 +1188,15 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "linkerd-system"
+version = "0.1.0"
+dependencies = [
+ "libc",
+ "procinfo",
+ "tracing",
+]
+
 [[package]]
 name = "linkerd-timeout"
 version = "0.1.0"