# `unsafe` Rust Guidelines

## Code Review Policy

All `unsafe` Rust code in Chromium needs to be reviewed and LGTM-ed by a member of the `unsafe-rust-in-chrome@google.com` group, and the review must be cc'd to the group for visibility. This policy applies to both third-party code (e.g. under `//third_party/rust`) and first-party code.
To facilitate a code review please:

* Add `unsafe-rust-in-chrome@google.com` to the CC line of a Gerrit code review.
* For each new or modified `unsafe` block, function, `impl`, etc., add an unresolved "TODO: `unsafe` review" comment in Gerrit.
Note that changes anywhere in a crate that uses `unsafe` blocks may violate the internal invariants on which those `unsafe` blocks rely, even when the change itself touches only safe code. It is unrealistic to require an `unsafe-rust-in-chrome@google.com` review to re-audit all the `unsafe` blocks each time a crate is updated, but the crate `OWNERS` and other reviewers should be on the lookout for code changes which feel as though they could affect invariants on which `unsafe` blocks rely.
## `cargo vet` Policy

All third-party Rust code in Chromium needs to be covered by `cargo vet` audits. In other words, `tools/crates/run_cargo_vet.py check` should always succeed.
Audit criteria required for a given crate depend on how the crate is used. The criteria are written to `third_party/rust/chromium_crates_io/supply-chain/config.toml` by `tools/crates/run_gnrt.py vendor` based on whether `third_party/rust/chromium_crates_io/gnrt_config.toml` declares that the crate is meant to be used (maybe transitively) in a `safe`, `sandbox`, or `test` environment. For example, to declare that a crate is `safe` to be used in the browser process, it needs to be audited and certified to be `safe-to-deploy`, `ub-risk-2` or lower, and either `does-not-implement-crypto` or `crypto-safe`.
Additional notes:

* Audits need to be performed by a member of the `unsafe-rust-in-chrome@google.com` group (see the "Code Review Policy" above). More details about audit criteria and the required expertise are explained in `auditing_standards.md`.
* `cargo vet` accepts audits recorded in Chromium's `third_party/rust/chromium_crates_io/supply-chain/audits.toml` as well as audits imported from other parts of Google (e.g. Android, Fuchsia, etc.). This means that adding a new crate does not necessarily require a new audit if the crate has already been audited by other projects.