From 330a715197ca1f0ed782c86d1c0332d193517ba2 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Mon, 28 Feb 2022 13:42:28 +0100
Subject: [PATCH] Update oci-spec-rs to v0.5.5
This means we can now use the filter types to enforce tighter type checks.
Signed-off-by: Sascha Grunert
---
 Cargo.lock | 32 ++++++++------------------
 crates/integration_test/Cargo.toml | 2 +-
 crates/libcgroups/Cargo.toml | 4 ++--
 crates/libcontainer/Cargo.toml | 4 ++--
 crates/libcontainer/src/seccomp/mod.rs | 29 ++++-------------------
 crates/youki/Cargo.toml | 2 +-
 runtimetest/Cargo.toml | 4 ++--
 7 files changed, 23 insertions(+), 54 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 993f4be09..5d2334257 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -925,7 +925,7 @@ dependencies = [
 "log",
 "nix",
 "num_cpus",
- "oci-spec 0.5.2",
+ "oci-spec",
 "once_cell",
 "pnet",
 "procfs",
@@ -1023,7 +1023,7 @@ dependencies = [
 "log",
 "mockall",
 "nix",
- "oci-spec 0.5.4",
+ "oci-spec",
 "procfs",
 "quickcheck",
 "rbpf",
@@ -1049,7 +1049,7 @@ dependencies = [
 "log",
 "mio",
 "nix",
- "oci-spec 0.5.4",
+ "oci-spec",
 "path-clean",
 "prctl",
 "procfs",
@@ -1120,9 +1120,9 @@ checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"
 [[package]]
 name = "libz-sys"
-version = "1.1.3"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de5435b8549c16d423ed0c03dbaafe57cf6c3344744f1242520d59c9d8ecec66"
+checksum = "df2bf61678a0a521c3f7daf815d2e6717d85a272a7dcd02c9768272b32bd1e2a"
 dependencies = [
 "cc",
 "libc",
@@ -1353,21 +1353,9 @@ dependencies = [
 [[package]]
 name = "oci-spec"
-version = "0.5.2"
-source = "git+https://github.com/containers/oci-spec-rs?rev=54c5e386f01ab37c9305cc4a83404eb157e42440#54c5e386f01ab37c9305cc4a83404eb157e42440"
-dependencies = [
- "derive_builder",
- "getset",
- "serde",
- "serde_json",
- "thiserror",
-]
-
-[[package]]
-name = "oci-spec"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b409d52fff741f330914aa6b8ab73e9113607bb13fbc09f95cdb04d16c8dd5d"
+checksum = "71a85b9f9654fe5c3eab8907369250c05aeda9d807b76bd06c740601f881dc02"
 dependencies = [
 "derive_builder",
 "getset",
@@ -2684,9 +2672,9 @@ dependencies = [
 [[package]]
 name = "wasmer-wasi"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c2b1d981ad312dac6e74a41a35b9bca41a6d1157c3e6a575fb1041e4b516610"
+checksum = "df791d89498c2a4288f89a5807e67248c1c75924316f67b9edcfc89198fd1711"
 dependencies = [
 "cfg-if 1.0.0",
 "generational-arena",
@@ -2802,7 +2790,7 @@ dependencies = [
 "liboci-cli",
 "log",
 "nix",
- "oci-spec 0.5.4",
+ "oci-spec",
 "once_cell",
 "pentacle",
 "procfs",
diff --git a/crates/integration_test/Cargo.toml b/crates/integration_test/Cargo.toml
index d81b4f2e7..00898ef90 100644
--- a/crates/integration_test/Cargo.toml
+++ b/crates/integration_test/Cargo.toml
@@ -12,7 +12,7 @@ libcontainer = { path = "../libcontainer" }
 log = { version = "0.4", features = ["std"] }
 nix = "0.23.1"
 num_cpus = "1.13"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs", rev = "54c5e386f01ab37c9305cc4a83404eb157e42440" }
+oci-spec = "0.5.5"
 once_cell = "1.10.0"
 pnet = "0.29.0"
 procfs = "0.12.0"
diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml
index 8fc3666b3..7cd16429b 100644
--- a/crates/libcgroups/Cargo.toml
+++ b/crates/libcgroups/Cargo.toml
@@ -25,7 +25,7 @@ nix = "0.23.1"
 procfs = "0.12.0"
 log = "0.4"
 anyhow = "1.0"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 dbus = { version = "0.9.5", optional = true }
 fixedbitset = "0.4.1"
 serde = { version = "1.0", features = ["derive"] }
@@ -35,7 +35,7 @@ errno = { version = "0.2.8", optional = true }
 libc = { version = "0.2.119", optional = true }
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 mockall = { version = "0.11.0", features = [] }
 clap = "3.0.0-beta.5"
diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml
index 8bb8e25b7..628079547 100644
--- a/crates/libcontainer/Cargo.toml
+++ b/crates/libcontainer/Cargo.toml
@@ -29,7 +29,7 @@ libc = "0.2.119"
 log = "0.4"
 mio = { version = "0.8.0", features = ["os-ext", "os-poll"] }
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 path-clean = "0.1.0"
 procfs = "0.12.0"
 prctl = "1.0.0"
@@ -42,7 +42,7 @@ wasmer = { version = "2.2.0", optional = true }
 wasmer-wasi = { version = "2.1.1", optional = true }
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 serial_test = "0.6.0"
 rand = "0.8.5"
diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs
index 9a3782b56..75f8ff147 100644
--- a/crates/libcontainer/src/seccomp/mod.rs
+++ b/crates/libcontainer/src/seccomp/mod.rs
@@ -10,6 +10,7 @@ use libseccomp::ScmpSyscall;
 use oci_spec::runtime::Arch;
 use oci_spec::runtime::LinuxSeccomp;
 use oci_spec::runtime::LinuxSeccompAction;
+use oci_spec::runtime::LinuxSeccompFilterFlag;
 use oci_spec::runtime::LinuxSeccompOperator;
 use std::os::unix::io;
@@ -93,25 +94,6 @@ fn check_seccomp(seccomp: &LinuxSeccomp) -> Result<()> {
 Ok(())
 }
-/// All filter return actions except SECCOMP_RET_ALLOW should be logged. An administrator may
-/// override this filter flag by preventing specific actions from being logged via the
-/// /proc/sys/kernel/seccomp/actions_logged file. (since Linux 4.14)
-const SECCOMP_FILTER_FLAG_LOG: &str = "SECCOMP_FILTER_FLAG_LOG";
-
-/// When adding a new filter, synchronize all other threads of the calling process to the same
-/// seccomp filter tree. A "filter tree" is the ordered list of filters attached to a thread.
-/// (Attaching identical filters in separate seccomp() calls results in different filters from this
-/// perspective.)
-///
-/// If any thread cannot synchronize to the same filter tree, the call will not attach the new
-/// seccomp filter, and will fail, returning the first thread ID found that cannot synchronize.
-/// Synchronization will fail if another thread in the same process is in SECCOMP_MODE_STRICT or if
-/// it has attached new seccomp filters to itself, diverging from the calling thread's filter tree.
-const SECCOMP_FILTER_FLAG_TSYNC: &str = "SECCOMP_FILTER_FLAG_TSYNC";
-
-/// Disable Speculative Store Bypass mitigation. (since Linux 4.17)
-const SECCOMP_FILTER_FLAG_SPEC_ALLOW: &str = "SECCOMP_FILTER_FLAG_SPEC_ALLOW";
-
 pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> {
 check_seccomp(seccomp)?;
@@ -123,11 +105,10 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> {
 if let Some(flags) = seccomp.flags() {
 for flag in flags {
- match flag.as_ref() {
- SECCOMP_FILTER_FLAG_LOG => ctx.set_ctl_log(true)?,
- SECCOMP_FILTER_FLAG_TSYNC => ctx.set_ctl_tsync(true)?,
- SECCOMP_FILTER_FLAG_SPEC_ALLOW => ctx.set_ctl_ssb(true)?,
- f => bail!("seccomp flag {} is not supported", f),
+ match flag {
+ LinuxSeccompFilterFlag::SeccompFilterFlagLog => ctx.set_ctl_log(true)?,
+ LinuxSeccompFilterFlag::SeccompFilterFlagTsync => ctx.set_ctl_tsync(true)?,
+ LinuxSeccompFilterFlag::SeccompFilterFlagSpecAllow => ctx.set_ctl_ssb(true)?,
 }
 }
 }
diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml
index 058dcfbfa..46910ba4a 100644
--- a/crates/youki/Cargo.toml
+++ b/crates/youki/Cargo.toml
@@ -26,7 +26,7 @@ libcontainer = { version = "0.0.2", path = "../libcontainer" }
 liboci-cli = { version = "0.0.2", path = "../liboci-cli" }
 log = { version = "0.4", features = ["std"]}
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 once_cell = "1.10.0"
 pentacle = "1.0.0"
 procfs = "0.12.0"
diff --git a/runtimetest/Cargo.toml b/runtimetest/Cargo.toml
index e70a999ad..02801f3f8 100644
--- a/runtimetest/Cargo.toml
+++ b/runtimetest/Cargo.toml
@@ -10,5 +10,5 @@ members = []
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-oci-spec = "0.5.3"
-nix = "0.23.1"
\ No newline at end of file
+oci-spec = "0.5.5"
+nix = "0.23.1"
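Review bot: In crates/libcontainer/src/seccomp/mod.rs, the rewritten `match flag` in `initialize_seccomp` drops the `f => bail!("seccomp flag {} is not supported", f)` arm, so an unrecognised flag string is now rejected, if at all, wherever the spec is deserialized into `LinuxSeccompFilterFlag`. That presumably still fails closed in oci-spec 0.5.5, but nothing in this patch shows it; a test that loads a spec carrying an unknown flag and expects an error would pin the behaviour. The commit also deletes the constants whose doc comments explained each flag, so the arm `LinuxSeccompFilterFlag::SeccompFilterFlagSpecAllow => ctx.set_ctl_ssb(true)?` now relaxes a CPU-side hardening with no explanation at the call site. I would add `// SPEC_ALLOW disables Speculative Store Bypass mitigation (Linux 4.17+); applied only because the spec requests it.` above that arm. The body of `initialize_seccomp` starts and ends outside this hunk.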