It is well known that Rust's File::open is unsafe on Linux, because it can open /proc/self/mem and write to it to bypass memory safety, see https://github.com/ben0x539/totally-safe-transmute.
The only honest thing to do is to mark File::open unsafe, but it's difficult in practice. An alternative is to make file system access memory safe on Linux, or at least to have an option for file system access to be memory safe. The default probably can't be fixed due to backward compatibility.
I want to organize a bounty for a Linux kernel patch to restrict access to /proc/self/mem. It probably should use Linux's capability system. That is, file system access to a process's own memory requires CAP_MEMORY, which processes have by default. You can drop the capability by calling the prctl system call with PR_CAPBSET_DROP. Once the patch is in the mainline Linux kernel and Debian stable is released with that kernel, estimated 2025, Rust's runtime initialization should drop the capability by default.
If you are interested please reply. Let's make Linux memory safe! Thanks.
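As an added example (not part of the post above, and not code from the totally-safe-transmute repository it links to), the following Linux-only program shows the behaviour the proposal wants to gate: using nothing but safe std APIs (OpenOptions::open, seek, write_all), a process overwrites bytes in its own heap through /proc/self/mem. There is no `unsafe` block anywhere. The function names `proc_mem_writable`, `poke_via_proc_mem` and `demo` are this example's own; the "unchanged"/"CHANGED!!" buffer is constructed sample data. A hypothetical CAP_MEMORY as described in the post would make the open() in `poke_via_proc_mem` fail once the capability is dropped; that part cannot be demonstrated against today's kernels.

```rust
// Added example: overwriting the process's own memory via /proc/self/mem
// using only safe Rust. Linux-specific; on other platforms open() fails.
use std::fs::OpenOptions;
use std::io::{self, Seek, SeekFrom, Write};

/// Returns true if /proc/self/mem can currently be opened read/write.
/// This is the check a runtime could use to decide whether the
/// "file system access is memory safe" property holds at all.
pub fn proc_mem_writable() -> bool {
    OpenOptions::new()
        .read(true)
        .write(true)
        .open("/proc/self/mem")
        .is_ok()
}

/// Overwrites `target` in place by writing `new_bytes` through
/// /proc/self/mem at the address of `target`.
///
/// Everything here is safe Rust: casting a pointer to an integer is safe,
/// and the actual memory write is performed by the kernel on our behalf.
pub fn poke_via_proc_mem(target: &mut [u8], new_bytes: &[u8]) -> io::Result<()> {
    if new_bytes.len() != target.len() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "new_bytes must have the same length as target",
        ));
    }
    // The virtual address of the buffer doubles as the file offset.
    let addr = target.as_ptr() as u64;
    let mut mem = OpenOptions::new()
        .read(true)
        .write(true)
        .open("/proc/self/mem")?;
    mem.seek(SeekFrom::Start(addr))?;
    mem.write_all(new_bytes)?;
    Ok(())
}

/// Constructs a heap buffer, overwrites it through /proc/self/mem, and
/// returns the bytes observed afterwards (expected: b"CHANGED!!").
pub fn demo() -> io::Result<Vec<u8>> {
    let mut secret = b"unchanged".to_vec(); // constructed sample data
    poke_via_proc_mem(&mut secret, b"CHANGED!!")?;
    Ok(secret)
}

fn main() {
    match demo() {
        Ok(bytes) => println!("after write: {}", String::from_utf8_lossy(&bytes)),
        Err(e) => println!("write to /proc/self/mem failed: {e}"),
    }
}
```

Run it on a stock Linux box and the buffer reads "CHANGED!!" even though the program never dereferences a raw pointer. Under a kernel with the proposed capability, a process that had dropped it would instead see `poke_via_proc_mem` fail at open() with EACCES or EPERM, and `proc_mem_writable` would return false.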