Update oci-spec-rs to v0.5.5

This means we can now use the filter types to enforce tighter type checks. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
youki-dev · Mar 7, 2022 · 330a715 · 330a715
1 parent ba9215c
commit 330a715
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 54 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/integration_test/Cargo.toml b/crates/integration_test/Cargo.toml
@@ -12,7 +12,7 @@ libcontainer = { path = "../libcontainer" }
 log = { version = "0.4", features = ["std"] }
 nix = "0.23.1"
 num_cpus = "1.13"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs", rev = "54c5e386f01ab37c9305cc4a83404eb157e42440" }
+oci-spec = "0.5.5"
 once_cell = "1.10.0"
 pnet = "0.29.0"
 procfs = "0.12.0"

diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml
@@ -25,7 +25,7 @@ nix = "0.23.1"
 procfs = "0.12.0"
 log = "0.4"
 anyhow = "1.0"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 dbus = { version = "0.9.5", optional = true }
 fixedbitset = "0.4.1"
 serde = { version = "1.0", features = ["derive"] }
@@ -35,7 +35,7 @@ errno = { version = "0.2.8", optional = true }
 libc = { version = "0.2.119", optional = true }
 
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 mockall = { version = "0.11.0", features = [] }
 clap = "3.0.0-beta.5"

diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml
@@ -29,7 +29,7 @@ libc = "0.2.119"
 log = "0.4"
 mio = { version = "0.8.0", features = ["os-ext", "os-poll"] }
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 path-clean = "0.1.0"
 procfs = "0.12.0"
 prctl = "1.0.0"
@@ -42,7 +42,7 @@ wasmer = { version = "2.2.0", optional = true }
 wasmer-wasi = { version = "2.1.1", optional = true }
 
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 serial_test = "0.6.0"
 rand = "0.8.5"
diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs
@@ -10,6 +10,7 @@ use libseccomp::ScmpSyscall;
 use oci_spec::runtime::Arch;
 use oci_spec::runtime::LinuxSeccomp;
 use oci_spec::runtime::LinuxSeccompAction;
+use oci_spec::runtime::LinuxSeccompFilterFlag;
 use oci_spec::runtime::LinuxSeccompOperator;
 use std::os::unix::io;
 
@@ -93,25 +94,6 @@ fn check_seccomp(seccomp: &LinuxSeccomp) -> Result<()> {
     Ok(())
 }
 
-/// All filter return actions except SECCOMP_RET_ALLOW should be logged. An administrator may
-/// override this filter flag by preventing specific actions from being logged via the
-/// /proc/sys/kernel/seccomp/actions_logged file. (since Linux 4.14)
-const SECCOMP_FILTER_FLAG_LOG: &str = "SECCOMP_FILTER_FLAG_LOG";
-
-/// When adding a new filter, synchronize all other threads of the calling process to the same
-/// seccomp filter tree. A "filter tree" is the ordered list of filters attached to a thread.
-/// (Attaching identical filters in separate seccomp() calls results in different filters from this
-/// perspective.)
-///
-/// If any thread cannot synchronize to the same filter tree, the call will not attach the new
-/// seccomp filter, and will fail, returning the first thread ID found that cannot synchronize.
-/// Synchronization will fail if another thread in the same process is in SECCOMP_MODE_STRICT or if
-/// it has attached new seccomp filters to itself, diverging from the calling thread's filter tree.
-const SECCOMP_FILTER_FLAG_TSYNC: &str = "SECCOMP_FILTER_FLAG_TSYNC";
-
-/// Disable Speculative Store Bypass mitigation. (since Linux 4.17)
-const SECCOMP_FILTER_FLAG_SPEC_ALLOW: &str = "SECCOMP_FILTER_FLAG_SPEC_ALLOW";
-
 pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result<Option<io::RawFd>> {
     check_seccomp(seccomp)?;
 
@@ -123,11 +105,10 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result<Option<io::RawFd>> {
 
     if let Some(flags) = seccomp.flags() {
         for flag in flags {
-            match flag.as_ref() {
-                SECCOMP_FILTER_FLAG_LOG => ctx.set_ctl_log(true)?,
-                SECCOMP_FILTER_FLAG_TSYNC => ctx.set_ctl_tsync(true)?,
-                SECCOMP_FILTER_FLAG_SPEC_ALLOW => ctx.set_ctl_ssb(true)?,
-                f => bail!("seccomp flag {} is not supported", f),
+            match flag {
+                LinuxSeccompFilterFlag::SeccompFilterFlagLog => ctx.set_ctl_log(true)?,
+                LinuxSeccompFilterFlag::SeccompFilterFlagTsync => ctx.set_ctl_tsync(true)?,
+                LinuxSeccompFilterFlag::SeccompFilterFlagSpecAllow => ctx.set_ctl_ssb(true)?,
             }
         }
     }

diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml
@@ -26,7 +26,7 @@ libcontainer = { version = "0.0.2", path = "../libcontainer" }
 liboci-cli = { version = "0.0.2", path = "../liboci-cli" }
 log = { version = "0.4", features = ["std"]}
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 once_cell = "1.10.0"
 pentacle = "1.0.0"
 procfs = "0.12.0"

diff --git a/runtimetest/Cargo.toml b/runtimetest/Cargo.toml
@@ -10,5 +10,5 @@ members = []
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-oci-spec = "0.5.3"
-nix = "0.23.1"
+oci-spec = "0.5.5"
+nix = "0.23.1"