From 014c942ded40ad5815c31ea9a9f578dad1aab3e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:29:46 +0000 Subject: [PATCH 01/18] chore(deps): bump redox_syscall from 0.2.10 to 0.2.11 Bumps redox_syscall from 0.2.10 to 0.2.11. --- updated-dependencies: - dependency-name: redox_syscall dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..57b1f6d3f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1757,9 +1757,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.2.10" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" +checksum = "8380fe0152551244f0747b1bf41737e0f8a74f97a14ccefd1148187271634f3c" dependencies = [ "bitflags", ] From c701aef79258887658a7bf35f7d795b46546a404 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:29:55 +0000 Subject: [PATCH 02/18] chore(deps): bump libgit2-sys from 0.13.0+1.4.1 to 0.13.1+1.4.2 Bumps [libgit2-sys](https://github.com/rust-lang/git2-rs) from 0.13.0+1.4.1 to 0.13.1+1.4.2. - [Release notes](https://github.com/rust-lang/git2-rs/releases) - [Commits](https://github.com/rust-lang/git2-rs/compare/libgit2-sys-0.13.0...libgit2-sys-0.13.1) --- updated-dependencies: - dependency-name: libgit2-sys dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..3c39471e0 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1071,9 +1071,9 @@ dependencies = [ [[package]] name = "libgit2-sys" -version = "0.13.0+1.4.1" +version = "0.13.1+1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "864e22fc06cae62860398cd854c93d5867f11c02ec916aa1417b440f170df23a" +checksum = "43e598aa7a4faedf1ea1b4608f582b06f0f40211eec551b7ef36019ae3f62def" dependencies = [ "cc", "libc", From 87e135dba3667c78d5cda8d9ee614eea4b004a0f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:30:19 +0000 Subject: [PATCH 03/18] chore(deps): bump wasmer-derive from 2.1.1 to 2.2.0 Bumps [wasmer-derive](https://github.com/wasmerio/wasmer) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/wasmerio/wasmer/releases) - [Changelog](https://github.com/wasmerio/wasmer/blob/master/CHANGELOG.md) - [Commits](https://github.com/wasmerio/wasmer/compare/2.1.1...2.2.0) --- updated-dependencies: - dependency-name: wasmer-derive dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..450f3b96f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2524,9 +2524,9 @@ dependencies = [ [[package]] name = "wasmer-derive" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93f5cb7b09640e09f1215da95d6fb7477d2db572f064b803ff705f39ff079cc5" +checksum = "933b23b5cee0f58aa6c17c6de7e1f3007279357e0d555f22e24d6b395cfe7f89" dependencies = [ "proc-macro-error", "proc-macro2", From ed86bd129644aa80fad16de56ea72e69a2ba007e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:30:29 +0000 Subject: [PATCH 04/18] chore(deps): bump sysinfo from 0.23.4 to 0.23.5 Bumps [sysinfo](https://github.com/GuillaumeGomez/sysinfo) from 0.23.4 to 0.23.5. - [Release notes](https://github.com/GuillaumeGomez/sysinfo/releases) - [Changelog](https://github.com/GuillaumeGomez/sysinfo/blob/master/CHANGELOG.md) - [Commits](https://github.com/GuillaumeGomez/sysinfo/commits) --- updated-dependencies: - dependency-name: sysinfo dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..7692a4d53 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2106,9 +2106,9 @@ dependencies = [ [[package]] name = "sysinfo" -version = "0.23.4" +version = "0.23.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70d06c623c041b6aec9830080e9069b4ab6a84de3b4b4d14b4bbb09c629efdc0" +checksum = "07fa4c84a5305909b0eedfcc8d1f2fafdbede645bb700a45ecaafe681a0ac5d6" dependencies = [ "cfg-if 1.0.0", "core-foundation-sys", From b8d8167b38fbe5bfe4eed5429d894f663d826429 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:30:49 +0000 Subject: [PATCH 05/18] chore(deps): bump git2 from 0.14.0 to 0.14.1 Bumps [git2](https://github.com/rust-lang/git2-rs) from 0.14.0 to 0.14.1. - [Release notes](https://github.com/rust-lang/git2-rs/releases) - [Commits](https://github.com/rust-lang/git2-rs/compare/git2-curl-0.14.0...git2-curl-0.14.1) --- updated-dependencies: - dependency-name: git2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..10809a9b1 100644 
--- a/Cargo.lock +++ b/Cargo.lock @@ -809,9 +809,9 @@ checksum = "78cc372d058dcf6d5ecd98510e7fbc9e5aec4d21de70f65fea8fecebcd881bd4" [[package]] name = "git2" -version = "0.14.0" +version = "0.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94781080dd1a6b55dea7c46540d5bac87742a22f6dc2d84e54a5071ad6f0e387" +checksum = "6e7d3b96ec1fcaa8431cf04a4f1ef5caafe58d5cf7bcc31f09c1626adddb0ffe" dependencies = [ "bitflags", "libc", @@ -1071,9 +1071,9 @@ dependencies = [ [[package]] name = "libgit2-sys" -version = "0.13.0+1.4.1" +version = "0.13.1+1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "864e22fc06cae62860398cd854c93d5867f11c02ec916aa1417b440f170df23a" +checksum = "43e598aa7a4faedf1ea1b4608f582b06f0f40211eec551b7ef36019ae3f62def" dependencies = [ "cc", "libc", From c67fe966e6f3573840d64d8ee04f41e704f82e9b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:30:53 +0000 Subject: [PATCH 06/18] chore(deps): bump wasmer-vfs from 2.1.1 to 2.2.0 Bumps wasmer-vfs from 2.1.1 to 2.2.0. --- updated-dependencies: - dependency-name: wasmer-vfs dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..2a80fffa6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2625,9 +2625,9 @@ dependencies = [ [[package]] name = "wasmer-vfs" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a3a58a3700781aa4f5344915ea082086e75ba7ebe294f60ae499614db92dd00" +checksum = "5d9c4be9fba0cb769ae2466437d629427bb2494c9e134eacd15a6f8127a77dc2" dependencies = [ "libc", "thiserror", From 4a273b711fddf2c519ce02b88f21f77c99e38a38 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Mar 2022 00:30:58 +0000 Subject: [PATCH 07/18] chore(deps): bump wasmer-types from 2.1.1 to 2.2.0 Bumps [wasmer-types](https://github.com/wasmerio/wasmer) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/wasmerio/wasmer/releases) - [Changelog](https://github.com/wasmerio/wasmer/blob/master/CHANGELOG.md) - [Commits](https://github.com/wasmerio/wasmer/compare/2.1.1...2.2.0) --- updated-dependencies: - dependency-name: wasmer-types dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c93f549c4..6587c0dcc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2612,9 +2612,9 @@ dependencies = [ [[package]] name = "wasmer-types" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "434e1c0177da0a74ecca90b2aa7d5e86198260f07e8ba83be89feb5f0a4aeead" +checksum = "4deb854f178265a76b59823c41547d259c65da3687b606b0b9c12d80ab950e3e" dependencies = [ "indexmap", "loupe", From 727c155316307da218489f7ddd913f16e5723cb9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Mar 2022 00:39:29 +0000 Subject: [PATCH 08/18] chore(deps): bump wasmer-vm from 2.1.1 to 2.2.0 Bumps [wasmer-vm](https://github.com/wasmerio/wasmer) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/wasmerio/wasmer/releases) - [Changelog](https://github.com/wasmerio/wasmer/blob/master/CHANGELOG.md) - [Commits](https://github.com/wasmerio/wasmer/compare/2.1.1...2.2.0) --- updated-dependencies: - dependency-name: wasmer-vm dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index c11fd04a8..3957727a5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2636,13 +2636,14 @@ dependencies = [ [[package]] name = "wasmer-vm" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc8f964ebba70d9f81340228b98a164782591f00239fc7f01e1b67afcf0e0156" +checksum = "5dbc5c989cb14a102433927e630473da52f83d82c469acd5cfa8fc7efacc1e70" dependencies = [ "backtrace", "cc", "cfg-if 1.0.0", + "enum-iterator", "indexmap", "libc", "loupe", From 3abb9d57664a3366cf4a33ebf3fdbca886b67448 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Mar 2022 00:40:05 +0000 Subject: [PATCH 09/18] chore(deps): bump wasmer-wasi-types from 2.1.1 to 2.2.0 Bumps [wasmer-wasi-types](https://github.com/wasmerio/wasmer) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/wasmerio/wasmer/releases) - [Changelog](https://github.com/wasmerio/wasmer/blob/master/CHANGELOG.md) - [Commits](https://github.com/wasmerio/wasmer/compare/2.1.1...2.2.0) --- updated-dependencies: - dependency-name: wasmer-wasi-types dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c11fd04a8..4f4c69dfd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2677,9 +2677,9 @@ dependencies = [ [[package]] name = "wasmer-wasi-types" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7731240c0ae536623414beb73091dddf68d1a080f49086fc31ec916536b1af98" +checksum = "32531c8bb267f21a5ec86f73e7cbae032094c967835eb9a23b416e36483b09c4" dependencies = [ "byteorder", "time 0.2.27", From d14be64c8d54d3578322a133c29bde59923d0522 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Mar 2022 00:25:20 +0000 Subject: [PATCH 10/18] chore(deps): bump termcolor from 1.1.2 to 1.1.3 Bumps [termcolor](https://github.com/BurntSushi/termcolor) from 1.1.2 to 1.1.3. - [Release notes](https://github.com/BurntSushi/termcolor/releases) - [Commits](https://github.com/BurntSushi/termcolor/compare/1.1.2...1.1.3) --- updated-dependencies: - dependency-name: termcolor dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bb2c0c7e0..06141e2c9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2160,9 +2160,9 @@ dependencies = [ [[package]] name = "termcolor" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4" +checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755" dependencies = [ "winapi-util", ] From a2c8373fae5a5036173aea19cce34f0812a00d2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Mar 2022 00:27:03 +0000 Subject: [PATCH 11/18] chore(deps): bump rkyv from 0.7.33 to 0.7.35 Bumps [rkyv](https://github.com/rkyv/rkyv) from 0.7.33 to 0.7.35. - [Release notes](https://github.com/rkyv/rkyv/releases) - [Changelog](https://github.com/rkyv/rkyv/blob/master/release_checklist.md) - [Commits](https://github.com/rkyv/rkyv/compare/v0.7.33...v0.7.35) --- updated-dependencies: - dependency-name: rkyv dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 06141e2c9..f144aff32 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1824,9 +1824,9 @@ dependencies = [ [[package]] name = "rkyv" -version = "0.7.33" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf98e3e6c7ed44e474b454b1ebded3193ee5aba3428e29c55d59b1d65e49945e" +checksum = "2cdcf5caf69bcc87b1e3f5427b4f21a32fdd53c2847687bdf9861abb1cdaa0d8" dependencies = [ "bytecheck", "hashbrown 0.12.0", @@ -1838,9 +1838,9 @@ dependencies = [ [[package]] name = "rkyv_derive" -version = "0.7.33" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc9940ec6a7c62b1d1f476f607c6caf0d7fbf74e43f77bc022143b878fcd3266" +checksum = "a6cf557da1f81b8c7e889c59c9c3abaf6978f7feb156b9579e4f8bf6d7a2bada" dependencies = [ "proc-macro2", "quote", From 843cc8d94b27bbae6e532455cbc9c8c1cffd676b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Mar 2022 00:27:53 +0000 Subject: [PATCH 12/18] chore(deps): bump once_cell from 1.9.0 to 1.10.0 Bumps [once_cell](https://github.com/matklad/once_cell) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/matklad/once_cell/releases) - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: once_cell dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- crates/integration_test/Cargo.toml | 2 +- crates/youki/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 06141e2c9..51eb8173a 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1357,9 +1357,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da32515d9f6e6e489d7bc9d84c71b060db7247dc035bbe44eac88cf87486d8d5" +checksum = "87f3e037eac156d1775da914196f0f37741a274155e34a0b7e427c35d2a2ecb9" [[package]] name = "os_str_bytes" diff --git a/crates/integration_test/Cargo.toml b/crates/integration_test/Cargo.toml index e98f23e40..d81b4f2e7 100644 --- a/crates/integration_test/Cargo.toml +++ b/crates/integration_test/Cargo.toml @@ -13,7 +13,7 @@ log = { version = "0.4", features = ["std"] } nix = "0.23.1" num_cpus = "1.13" oci-spec = { git = "https://github.com/containers/oci-spec-rs", rev = "54c5e386f01ab37c9305cc4a83404eb157e42440" } -once_cell = "1.9.0" +once_cell = "1.10.0" pnet = "0.29.0" procfs = "0.12.0" rand = "0.8.5" diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml index 9aef4e035..058dcfbfa 100644 --- a/crates/youki/Cargo.toml +++ b/crates/youki/Cargo.toml @@ -27,7 +27,7 @@ liboci-cli = { version = "0.0.2", path = "../liboci-cli" } log = { version = "0.4", features = ["std"]} nix = "0.23.1" oci-spec = "0.5.3" -once_cell = "1.9.0" +once_cell = "1.10.0" pentacle = "1.0.0" procfs = "0.12.0" serde = { version = "1.0", features = ["derive"] } From f21deee59b61a2110c139a78aece06693721488c Mon Sep 17 00:00:00 2001 From: utam0k Date: Sat, 5 Mar 2022 15:49:13 +0900 Subject: [PATCH 13/18] Create the pid file with integration test. --- .../integration_test/src/tests/pidfile/pidfile_test.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crates/integration_test/src/tests/pidfile/pidfile_test.rs b/crates/integration_test/src/tests/pidfile/pidfile_test.rs index 4cdf4a157..a9238d0d1 100644 --- a/crates/integration_test/src/tests/pidfile/pidfile_test.rs +++ b/crates/integration_test/src/tests/pidfile/pidfile_test.rs 
@@ -3,7 +3,10 @@ use crate::utils::{ prepare_bundle, State, TempDir, }; use anyhow::anyhow; -use std::process::{Command, Stdio}; +use std::{ + fs::File, + process::{Command, Stdio}, +}; use test_framework::{Test, TestGroup, TestResult}; use uuid::Uuid; @@ -24,6 +27,8 @@ fn test_pidfile() -> TestResult { // create temp dir for bundle and for storing the pid let bundle = prepare_bundle(&container_id).unwrap(); let pidfile_dir = create_temp_dir(&pidfile_uuid).unwrap(); + let pidfile_path = pidfile_dir.as_ref().join("pidfile"); + let _ = File::create(&pidfile_path).unwrap(); // start the container Command::new(get_runtime_path()) @@ -37,7 +42,7 @@ fn test_pidfile() -> TestResult { .arg("--bundle") .arg(bundle.as_ref().join("bundle")) .arg("--pid-file") - .arg(pidfile_dir.as_ref().join("pidfile")) + .arg(pidfile_path) .spawn() .unwrap() .wait() From d9d1efabdc2199264b6a4cf2e0d65f74f01daa9a Mon Sep 17 00:00:00 2001 From: utam0k Date: Wed, 2 Mar 2022 21:14:20 +0900 Subject: [PATCH 14/18] fix the warnings of cargo clippy. Signed-off-by: utam0k --- crates/integration_test/src/tests/cgroups/blkio.rs | 4 ++-- crates/integration_test/src/utils/test_utils.rs | 4 ++-- crates/libcgroups/src/v2/unified.rs | 2 +- .../src/process/container_init_process.rs | 2 +- crates/libcontainer/src/utils.rs | 13 ++++--------- crates/libcontainer/src/workload/wasmer.rs | 2 +- crates/test_framework/src/test_manager.rs | 9 ++++----- 7 files changed, 15 insertions(+), 21 deletions(-) diff --git a/crates/integration_test/src/tests/cgroups/blkio.rs b/crates/integration_test/src/tests/cgroups/blkio.rs index d65ee1667..3f73f47f2 100644 --- a/crates/integration_test/src/tests/cgroups/blkio.rs +++ b/crates/integration_test/src/tests/cgroups/blkio.rs 
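Review bot: In `test_pidfile`, the added `let _ = File::create(&pidfile_path).unwrap();` pre-creates the pid file with no comment saying why. A reader cannot tell whether the test is meant to cover the runtime writing over an existing file or to work around something else. Because the file now exists before the container is started, an existence check alone would no longer show that the runtime wrote it. The assertions lie outside this hunk, so confirm they compare the file's contents with the container's pid. The `let _ =` binding is also redundant after `unwrap()`; `File::create(&pidfile_path).unwrap();` preceded by a one-line comment stating the intent would read more clearly.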
@@ -76,9 +76,9 @@ fn supports_throttle_iops() -> bool { fn parse_device_data<'a>(device_type: &'static str, line: &'a str) -> Result<(i64, i64, &'a str)> { let (device_id, value) = line - .split_once(" ") + .split_once(' ') .with_context(|| format!("invalid {} device format : found {}", device_type, line))?; - let (major_str, minor_str) = device_id.split_once(":").with_context(|| { + let (major_str, minor_str) = device_id.split_once(':').with_context(|| { format!( "invalid major-minor number format for {} device : found {}", device_type, device_id diff --git a/crates/integration_test/src/utils/test_utils.rs b/crates/integration_test/src/utils/test_utils.rs index 16705f183..ca8fd89ec 100644 --- a/crates/integration_test/src/utils/test_utils.rs +++ b/crates/integration_test/src/utils/test_utils.rs @@ -86,7 +86,7 @@ pub fn get_state>(id: &str, dir: P) -> Result<(String, String)> { sleep(SLEEP_TIME); let output = runtime_command(dir) .arg("state") - .arg(id.to_string()) + .arg(id) .spawn() .context("could not get container state")? .wait_with_output() @@ -99,7 +99,7 @@ pub fn get_state>(id: &str, dir: P) -> Result<(String, String)> { pub fn start_container>(id: &str, dir: P) -> Result { let res = runtime_command(dir) .arg("start") - .arg(id.to_string()) + .arg(id) .spawn() .context("could not start container")?; Ok(res) diff --git a/crates/libcgroups/src/v2/unified.rs b/crates/libcgroups/src/v2/unified.rs index 74d111a0c..22e541688 100644 --- a/crates/libcgroups/src/v2/unified.rs +++ b/crates/libcgroups/src/v2/unified.rs @@ -32,7 +32,7 @@ impl Unified { common::write_cgroup_file_str(cgroup_path.join(cgroup_file), value).map_err( |e| { let (subsystem, _) = cgroup_file - .split_once(".") + .split_once('.') .with_context(|| { format!("failed to split {} with {}", cgroup_file, ".") }) diff --git a/crates/libcontainer/src/process/container_init_process.rs b/crates/libcontainer/src/process/container_init_process.rs index e9822be35..84586524a 100644 
--- a/crates/libcontainer/src/process/container_init_process.rs +++ b/crates/libcontainer/src/process/container_init_process.rs @@ -79,7 +79,7 @@ fn cleanup_file_descriptors(preserve_fds: i32) -> Result<()> { fn sysctl(kernel_params: &HashMap) -> Result<()> { let sys = PathBuf::from("/proc/sys"); for (kernel_param, value) in kernel_params { - let path = sys.join(kernel_param.replace(".", "/")); + let path = sys.join(kernel_param.replace('.', "/")); log::debug!( "apply value {} to kernel parameter {}.", value, diff --git a/crates/libcontainer/src/utils.rs b/crates/libcontainer/src/utils.rs index 49bb84c2c..2871d5039 100644 --- a/crates/libcontainer/src/utils.rs +++ b/crates/libcontainer/src/utils.rs @@ -181,15 +181,10 @@ pub fn secure_join>(rootfs: P, unsafe_path: P) -> Result { - part_path = PathBuf::from(part); - } - None => { - break; - } - } + let part_path = match part.next() { + None => break, + Some(part) => PathBuf::from(part), + }; if !part_path.is_absolute() { if part_path.starts_with("..") { diff --git a/crates/libcontainer/src/workload/wasmer.rs b/crates/libcontainer/src/workload/wasmer.rs index fa250dc8b..d90df5f39 100644 --- a/crates/libcontainer/src/workload/wasmer.rs +++ b/crates/libcontainer/src/workload/wasmer.rs @@ -20,7 +20,7 @@ impl Executor for WasmerExecutor { .unwrap_or(&EMPTY) .iter() .filter_map(|e| { - e.split_once("=") + e.split_once('=') .filter(|kv| !kv.0.contains('\u{0}') && !kv.1.contains('\u{0}')) .map(|kv| (kv.0.trim(), kv.1.trim())) }); diff --git a/crates/test_framework/src/test_manager.rs b/crates/test_framework/src/test_manager.rs index 660fed49d..81d3fffee 100644 --- a/crates/test_framework/src/test_manager.rs +++ b/crates/test_framework/src/test_manager.rs 
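Review bot: In `sysctl`, `sys.join(kernel_param.replace('.', "/"))` builds the target path from the map key without validating it. `PathBuf::join` discards the `/proc/sys` base when its argument is absolute, so a key that begins with `/` would resolve outside `/proc/sys`. The keys presumably come from the container's config, and what is done with `path` lies outside this hunk (the function body continues past it), so a guard before the join is worth adding. For example `if kernel_param.starts_with('/') { bail!("invalid sysctl key {}", kernel_param); }`, assuming `bail!` is in scope in this file, or check `path.starts_with(&sys)` after the join.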
@@ -83,11 +83,10 @@ impl<'a> TestManager<'a> { let mut collector = Vec::with_capacity(tests.len()); for (test_group_name, tests) in &tests { if let Some(tg) = self.test_groups.get(test_group_name) { - let r; - match tests { - None => r = s.spawn(move |_| tg.run_all()), - Some(tests) => r = s.spawn(move |_| tg.run_selected(tests)), - } + let r = match tests { + None => s.spawn(move |_| tg.run_all()), + Some(tests) => s.spawn(move |_| tg.run_selected(tests)), + }; collector.push((test_group_name, r)); } else { eprintln!("Error : Test Group {} not found, skipping", test_group_name); From 74f6814f768f7b8e506f8253f772eb68af96a269 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 5 Mar 2022 11:24:21 +0000 Subject: [PATCH 15/18] chore(deps): bump wasmer from 2.1.1 to 2.2.0 Bumps [wasmer](https://github.com/wasmerio/wasmer) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/wasmerio/wasmer/releases) - [Changelog](https://github.com/wasmerio/wasmer/blob/master/CHANGELOG.md) - [Commits](https://github.com/wasmerio/wasmer/compare/2.1.1...2.2.0) --- updated-dependencies: - dependency-name: wasmer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 48 ++++++++++++++++++++++------------ crates/libcontainer/Cargo.toml | 2 +- 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index efa9d36d7..e0a3ef8f8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -77,7 +77,7 @@ dependencies = [ "cfg-if 1.0.0", "libc", "miniz_oxide", - "object", + "object 0.27.1", "rustc-demangle", ] @@ -831,6 +831,9 @@ name = "hashbrown" version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" +dependencies = [ + "ahash", +] [[package]] name = "hashbrown" 
@@ -1323,8 +1326,18 @@ name = "object" version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9" +dependencies = [ + "memchr", +] + +[[package]] +name = "object" +version = "0.28.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40bec70ba014595f99f7aa110b84331ffe1ee9aece7fe6f387cc7e3ecda4d456" dependencies = [ "crc32fast", + "hashbrown 0.11.2", "indexmap", "memchr", ] @@ -2458,9 +2471,9 @@ checksum = "3d958d035c4438e28c70e4321a2911302f10135ce78a9c7834c0cab4123d06a2" [[package]] name = "wasmer" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23f0188c23fc1b7de9bd7f8b834d0b1cd5edbe66e287452e8ce36d24418114f7" +checksum = "bfc7dff846db3f38f8ed0be4a009fdfeb729cf1f94a2c7fb6ff2fec01cefa110" dependencies = [ "cfg-if 1.0.0", "indexmap", @@ -2484,9 +2497,9 @@ dependencies = [ [[package]] name = "wasmer-compiler" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88c51cc589772c5f90bd329244c2416976d6cb2ee00d59429aaa8f421d9fe447" +checksum = "8c91abf22b16dad3826ec0d0e3ec0a8304262a6c7a14e16528c536131b80e63d" dependencies = [ "enumset", "loupe", @@ -2503,9 +2516,9 @@ dependencies = [ [[package]] name = "wasmer-compiler-cranelift" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09691e3e323b4e1128d2127f60f9cd988b66ce49afc8184b071c2b5ab16793f2" +checksum = "7624a1f496b163139a7e0b442426cad805bec70486900287506f9d15a29323ab" dependencies = [ "cranelift-codegen", "cranelift-entity", 
@@ -2536,9 +2549,9 @@ dependencies = [ [[package]] name = "wasmer-engine" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab20311c354fe2c12bc766417e0a1a45f399c1cd8ff262127d1dc86d0588971a" +checksum = "41db0ac4df90610cda8320cfd5abf90c6ec90e298b6fe5a09a81dff718b55640" dependencies = [ "backtrace", "enumset", @@ -2558,15 +2571,17 @@ dependencies = [ [[package]] name = "wasmer-engine-dylib" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8dd5b7a74731e1dcccaf10a8ff5f72216c82f12972ce17cc81c6caa1afff75ea" +checksum = "591683f3356ac31cc88aaecaf77ac2cc9f456014348b01af46c164f44f531162" dependencies = [ "cfg-if 1.0.0", + "enum-iterator", "enumset", "leb128", "libloading", "loupe", + "object 0.28.3", "rkyv", "serde", "tempfile", @@ -2581,11 +2596,12 @@ dependencies = [ [[package]] name = "wasmer-engine-universal" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfeae8d5b825ad7abcf9a34e66eb11e1507b21020efe7bbf9897e3dd8d7869e2" +checksum = "dccfde103e9b87427099a6de344b7c791574f307d035c8c7dbbc00974c1af0c1" dependencies = [ "cfg-if 1.0.0", + "enum-iterator", "enumset", "leb128", "loupe", @@ -2600,11 +2616,11 @@ dependencies = [ [[package]] name = "wasmer-object" -version = "2.1.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3d4714e4f3bdc3b2157c24284417d19cd99de036da31d00ec5664712dcb72f7" +checksum = "1d0c4005592998bd840f2289102ef9c67b6138338ed78e1fc0809586aa229040" dependencies = [ - "object", + "object 0.28.3", "thiserror", "wasmer-compiler", "wasmer-types", diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml index a74d3524b..70642726b 100644 --- a/crates/libcontainer/Cargo.toml +++ b/crates/libcontainer/Cargo.toml 
@@ -38,7 +38,7 @@ libseccomp = { version = "0.0.2", path = "../libseccomp" } serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" rust-criu = { git = "https://github.com/checkpoint-restore/rust-criu", version = "0.1.0" } -wasmer = { version = "2.1.1", optional = true } +wasmer = { version = "2.2.0", optional = true } wasmer-wasi = { version = "2.1.1", optional = true } [dev-dependencies] From baa8c2177293f5ca421614924c9e44510f7b8005 Mon Sep 17 00:00:00 2001 From: utam0k Date: Sun, 27 Feb 2022 17:09:51 +0900 Subject: [PATCH 16/18] Use the libseccomp-rs/libseccomp-rs crate instead of youki original libseccomp-rs. Signed-off-by: utam0k --- Cargo.lock | 39 +- crates/libcontainer/Cargo.toml | 2 +- .../src/seccomp/fixture/config.json | 2 +- crates/libcontainer/src/seccomp/mod.rs | 361 +++------- crates/libseccomp/Cargo.toml | 12 - crates/libseccomp/README.md | 11 - crates/libseccomp/build.rs | 14 - crates/libseccomp/src/lib.rs | 661 ------------------ 8 files changed, 104 insertions(+), 998 deletions(-) delete mode 100644 crates/libseccomp/Cargo.toml delete mode 100644 crates/libseccomp/README.md delete mode 100644 crates/libseccomp/build.rs delete mode 100644 crates/libseccomp/src/lib.rs diff --git a/Cargo.lock b/Cargo.lock index e0a3ef8f8..993f4be09 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1023,7 +1023,7 @@ dependencies = [ "log", "mockall", "nix", - "oci-spec 0.5.3", + "oci-spec 0.5.4", "procfs", "quickcheck", "rbpf", @@ -1049,7 +1049,7 @@ dependencies = [ "log", "mio", "nix", - "oci-spec 0.5.3", + "oci-spec 0.5.4", "path-clean", "prctl", "procfs", 
@@ -1103,12 +1103,21 @@ dependencies = [ [[package]] name = "libseccomp" -version = "0.0.2" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80" dependencies = [ "libc", + "libseccomp-sys", "pkg-config", ] +[[package]] +name = "libseccomp-sys" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138" + [[package]] name = "libz-sys" version = "1.1.3" @@ -1356,9 +1365,9 @@ dependencies = [ [[package]] name = "oci-spec" -version = "0.5.3" +version = "0.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8057bb0f33d7ecdf1f0f7cc74ea5cced7c6c694245e2a8d14700507c3bde32e3" +checksum = "6b409d52fff741f330914aa6b8ab73e9113607bb13fbc09f95cdb04d16c8dd5d" dependencies = [ "derive_builder", "getset", @@ -1638,24 +1647,24 @@ dependencies = [ [[package]] name = "protobuf" -version = "2.25.2" +version = "2.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47c327e191621a2158159df97cdbc2e7074bb4e940275e35abf38eb3d2595754" +checksum = "cf7e6d18738ecd0902d30d1ad232c9125985a3422929b16c65517b38adc14f96" [[package]] name = "protobuf-codegen" -version = "2.25.2" +version = "2.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df8c98c08bd4d6653c2dbae00bd68c1d1d82a360265a5b0bbc73d48c63cb853" +checksum = "aec1632b7c8f2e620343439a7dfd1f3c47b18906c4be58982079911482b5d707" dependencies = [ "protobuf", ] [[package]] name = "protobuf-codegen-pure" -version = "2.25.2" +version = "2.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "394a73e2a819405364df8d30042c0f1174737a763e0170497ec9d36f8a2ea8f7" +checksum = "9f8122fdb18e55190c796b088a16bdb70cd7acdcd48f7a8b796b58c62e532cc6" dependencies = [ "protobuf", "protobuf-codegen", 
@@ -1897,7 +1906,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" dependencies = [ - "semver 1.0.4", + "semver 1.0.6", ] [[package]] @@ -1935,9 +1944,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.4" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012" +checksum = "a4a3381e03edd24287172047536f20cabde766e2cd3e65e6b00fb3af51c4f38d" [[package]] name = "semver-parser" @@ -2793,7 +2802,7 @@ dependencies = [ "liboci-cli", "log", "nix", - "oci-spec 0.5.3", + "oci-spec 0.5.4", "once_cell", "pentacle", "procfs", diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml index 70642726b..8bb8e25b7 100644 --- a/crates/libcontainer/Cargo.toml +++ b/crates/libcontainer/Cargo.toml @@ -34,7 +34,7 @@ path-clean = "0.1.0" procfs = "0.12.0" prctl = "1.0.0" libcgroups = { version = "0.0.2", path = "../libcgroups" } -libseccomp = { version = "0.0.2", path = "../libseccomp" } +libseccomp = { version = "0.2.3" } serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" rust-criu = { git = "https://github.com/checkpoint-restore/rust-criu", version = "0.1.0" } diff --git a/crates/libcontainer/src/seccomp/fixture/config.json b/crates/libcontainer/src/seccomp/fixture/config.json index 04c6764a2..f0e5a2047 100644 --- a/crates/libcontainer/src/seccomp/fixture/config.json +++ b/crates/libcontainer/src/seccomp/fixture/config.json @@ -961,4 +961,4 @@ "/proc/sysrq-trigger" ] } -} \ No newline at end of file +} diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs index f303c0c10..212c88aca 100644 --- a/crates/libcontainer/src/seccomp/mod.rs +++ b/crates/libcontainer/src/seccomp/mod.rs 
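Review bot: In `crates/libcontainer/Cargo.toml`, `libseccomp = { version = "0.2.3" }` is an inline table with a single key, while neighbouring registry entries such as `procfs = "0.12.0"` use the short form; `libseccomp = "0.2.3"` would match. The crate that builds the container's seccomp filter now comes from the registry instead of the in-tree `../libseccomp` path, and the requirement is a caret range. The `Cargo.lock` entries added in this commit (libseccomp 0.2.3 and libseccomp-sys 0.2.1, each with a checksum) are therefore what fix the reviewed code. Release and CI builds presumably need `--locked` for that pin to hold; a short comment on this line noting the switch to the upstream crate would also help later readers.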
@@ -1,269 +1,65 @@ use anyhow::bail; use anyhow::Context; use anyhow::Result; -use libseccomp::scmp_compare::*; -use libseccomp::*; -use nix::errno::Errno; +use libseccomp::ScmpAction; +use libseccomp::ScmpArch; +use libseccomp::ScmpArgCompare; +use libseccomp::ScmpCompareOp; +use libseccomp::ScmpFilterContext; +use libseccomp::ScmpSyscall; use oci_spec::runtime::Arch; use oci_spec::runtime::LinuxSeccomp; use oci_spec::runtime::LinuxSeccompAction; use oci_spec::runtime::LinuxSeccompOperator; -use std::ffi::CString; use std::os::unix::io; -#[derive(Debug)] -struct Compare { - // The zero-indexed index of the syscall argument. - arg: libc::c_uint, - op: Option, - datum_a: Option, - datum_b: Option, -} - -impl Compare { - pub fn new(args: u32) -> Self { - Compare { - arg: args as libc::c_uint, - op: None, - datum_a: None, - datum_b: None, - } - } - - pub fn op(mut self, op: scmp_compare) -> Self { - self.op = Some(op); - - self - } - - pub fn datum_a(mut self, datum: scmp_datum_t) -> Self { - self.datum_a = Some(datum); - - self - } - - pub fn datum_b(mut self, datum: scmp_datum_t) -> Self { - self.datum_b = Some(datum); - - self - } - - pub fn build(self) -> Result { - if let Some((op, datum_a)) = self.op.zip(self.datum_a) { - Ok(scmp_arg_cmp { - arg: self.arg, - op, - datum_a, - // datum_b is optional for a number of op, since these op only - // requires one value. For example, the SCMP_OP_EQ or equal op - // requires only one value. We set the datum_b to 0 in the case - // that only one value is required. 
- datum_b: self.datum_b.unwrap_or(0), - }) - } else { - bail!("op and datum_a is required: {:?}", self); - } - } -} - -#[derive(Debug)] -struct Rule { - action: u32, - syscall_nr: i32, - comparators: Vec, -} - -impl Rule { - pub fn new(action: u32, syscall_number: i32) -> Self { - Rule { - action, - syscall_nr: syscall_number, - comparators: vec![], - } - } - - pub fn add_comparator(&mut self, cmp: scmp_arg_cmp) { - self.comparators.push(cmp); - } -} - -#[derive(Debug)] -struct FilterContext { - ctx: scmp_filter_ctx, -} - -impl FilterContext { - pub fn default(default_action: u32) -> Result { - let filter_ctx = unsafe { seccomp_init(default_action) }; - if filter_ctx.is_null() { - bail!("Failed to initialized seccomp profile") - } - - Ok(FilterContext { ctx: filter_ctx }) - } - - pub fn add_rule(&mut self, rule: &Rule) -> Result<()> { - let res = match rule.comparators.len() { - 0 => unsafe { seccomp_rule_add(self.ctx, rule.action, rule.syscall_nr, 0) }, - _ => unsafe { - seccomp_rule_add_array( - self.ctx, - rule.action, - rule.syscall_nr, - rule.comparators.len() as u32, - rule.comparators.as_ptr(), - ) - }, - }; - if res != 0 { - bail!("Failed to add rule. Errno: {}, Rule: {:?}", res, rule); - } - - Ok(()) - } - - pub fn add_arch(&mut self, arch: u32) -> Result<()> { - let res = unsafe { seccomp_arch_add(self.ctx, arch) }; - if res != 0 && nix::Error::from_i32(res.abs()) != nix::Error::EEXIST { - // The architecture already existed in the profile, so we can - // safely ignore the error here. Otherwise, error out. - bail!("Failed to add architecture {}. Errno: {}", arch, res); - } - - Ok(()) - } - - pub fn load(&self) -> Result<()> { - let res = unsafe { seccomp_load(self.ctx) }; - if res != 0 { - bail!("Failed to load seccomp profile: {}", res); - } - - Ok(()) - } - - pub fn notify_fd(&self) -> Result> { - let res = unsafe { seccomp_notify_fd(self.ctx) }; - if res > 0 { - return Ok(Some(res)); - } - - // -1 indicates the notify fd is not set. 
This can happen if no seccomp - // notify filter is set. - if res == -1 { - return Ok(None); - } - - match nix::errno::from_i32(res.abs()) { - Errno::EINVAL => { - bail!("invalid seccomp context used to call notify fd"); - } - Errno::EFAULT => { - bail!("internal libseccomp fault; likely no seccomp filter is loaded"); - } - Errno::EOPNOTSUPP => { - bail!("seccomp notify filter not supported"); - } - - _ => { - bail!("unknown error from return code: {}", res); - } - }; - } - - /// Enable or disable the no new privileges attribute bit. - pub fn set_nnp_bit(&self, to: bool) -> Result<()> { - self.set_attr(scmp_filter_attr::SCMP_FLTATR_CTL_NNP, to as u32) - .context("set no new privileges bit") - } - - /// Enable or disable the log attribute bit. - pub fn set_log_bit(&self, to: bool) -> Result<()> { - self.set_attr(scmp_filter_attr::SCMP_FLTATR_CTL_LOG, to as u32) - .context("set log bit") - } - - /// Enable or disable the tsync attribute bit. - pub fn set_tsync_bit(&self, to: bool) -> Result<()> { - self.set_attr(scmp_filter_attr::SCMP_FLTATR_CTL_TSYNC, to as u32) - .context("set tsync bit") - } - - /// Enable or disable the SSB (Speculative Store Bypass) attribute bit. - pub fn set_ssb_bit(&self, to: bool) -> Result<()> { - self.set_attr(scmp_filter_attr::SCMP_FLTATR_CTL_SSB, to as u32) - .context("set SSB bit") - } - - /// Can be used to set any arbitrary seccomp filter attribute. 
- pub fn set_attr(&self, attr: scmp_filter_attr, value: u32) -> Result<()> { - let res = unsafe { seccomp_attr_set(self.ctx, attr, value) }; - if res != 0 { - bail!( - "unable to set attribute on seccomp filter: {}", - nix::errno::from_i32(res) - ) - } - Ok(()) - } -} - -fn translate_syscall(syscall_name: &str) -> Result { - let c_syscall_name = CString::new(syscall_name) - .with_context(|| format!("Failed to convert syscall {:?} to cstring", syscall_name))?; - let res = unsafe { seccomp_syscall_resolve_name(c_syscall_name.as_ptr()) }; - if res == __NR_SCMP_ERROR { - bail!("Failed to resolve syscall from name: {:?}", syscall_name); +fn translate_arch(arch: Arch) -> ScmpArch { + match arch { + Arch::ScmpArchNative => ScmpArch::Native, + Arch::ScmpArchX86 => ScmpArch::X86, + Arch::ScmpArchX86_64 => ScmpArch::X8664, + Arch::ScmpArchX32 => ScmpArch::X32, + Arch::ScmpArchArm => ScmpArch::Arm, + Arch::ScmpArchAarch64 => ScmpArch::Aarch64, + Arch::ScmpArchMips => ScmpArch::Mips, + Arch::ScmpArchMips64 => ScmpArch::Mips64, + Arch::ScmpArchMips64n32 => ScmpArch::Mips64N32, + Arch::ScmpArchMipsel => ScmpArch::Mipsel, + Arch::ScmpArchMipsel64 => ScmpArch::Mipsel64, + Arch::ScmpArchMipsel64n32 => ScmpArch::Mipsel64N32, + Arch::ScmpArchPpc => ScmpArch::Ppc, + Arch::ScmpArchPpc64 => ScmpArch::Ppc64, + Arch::ScmpArchPpc64le => ScmpArch::Ppc64Le, + Arch::ScmpArchS390 => ScmpArch::S390, + Arch::ScmpArchS390x => ScmpArch::S390X, } - - Ok(res) } -fn translate_action(action: LinuxSeccompAction, errno: Option) -> u32 { - let errno = errno.unwrap_or(libc::EPERM as u32); - match action { - LinuxSeccompAction::ScmpActKill => SCMP_ACT_KILL, - LinuxSeccompAction::ScmpActTrap => SCMP_ACT_TRAP, - LinuxSeccompAction::ScmpActErrno => SCMP_ACT_ERRNO(errno), - LinuxSeccompAction::ScmpActTrace => SCMP_ACT_TRACE(errno), - LinuxSeccompAction::ScmpActAllow => SCMP_ACT_ALLOW, - LinuxSeccompAction::ScmpActKillProcess => SCMP_ACT_KILL_PROCESS, - LinuxSeccompAction::ScmpActNotify => SCMP_ACT_NOTIFY, - 
LinuxSeccompAction::ScmpActLog => SCMP_ACT_LOG, - } +fn translate_action(action: LinuxSeccompAction, errno: Option) -> Result { + let errno = Some(errno.map(|e| e as i32).unwrap_or(libc::EPERM as i32)); + let action_str = match action { + LinuxSeccompAction::ScmpActKill => "SCMP_ACT_KILL", + LinuxSeccompAction::ScmpActTrap => "SCMP_ACT_TRAP", + LinuxSeccompAction::ScmpActErrno => "SCMP_ACT_ERRNO", + LinuxSeccompAction::ScmpActTrace => "SCMP_ACT_TRACE", + LinuxSeccompAction::ScmpActAllow => "SCMP_ACT_ALLOW", + LinuxSeccompAction::ScmpActKillProcess => "SCMP_ACT_KILL_PROCESS", + LinuxSeccompAction::ScmpActNotify => "SCMP_ACT_NOTIFY", + LinuxSeccompAction::ScmpActLog => "SCMP_ACT_LOG", + }; + ScmpAction::from_str(action_str, errno) + .with_context(|| format!("faild to tranlate ScmpAction from {action_str}")) } -fn translate_op(op: LinuxSeccompOperator) -> scmp_compare { +fn translate_op(op: LinuxSeccompOperator, datum_b: Option) -> ScmpCompareOp { match op { - LinuxSeccompOperator::ScmpCmpNe => SCMP_CMP_NE, - LinuxSeccompOperator::ScmpCmpLt => SCMP_CMP_LT, - LinuxSeccompOperator::ScmpCmpLe => SCMP_CMP_LE, - LinuxSeccompOperator::ScmpCmpEq => SCMP_CMP_EQ, - LinuxSeccompOperator::ScmpCmpGe => SCMP_CMP_GE, - LinuxSeccompOperator::ScmpCmpGt => SCMP_CMP_GT, - LinuxSeccompOperator::ScmpCmpMaskedEq => SCMP_CMP_MASKED_EQ, - } -} - -fn translate_arch(arch: Arch) -> scmp_arch { - match arch { - Arch::ScmpArchNative => SCMP_ARCH_NATIVE, - Arch::ScmpArchX86 => SCMP_ARCH_X86, - Arch::ScmpArchX86_64 => SCMP_ARCH_X86_64, - Arch::ScmpArchX32 => SCMP_ARCH_X32, - Arch::ScmpArchArm => SCMP_ARCH_ARM, - Arch::ScmpArchAarch64 => SCMP_ARCH_AARCH64, - Arch::ScmpArchMips => SCMP_ARCH_MIPS, - Arch::ScmpArchMips64 => SCMP_ARCH_MIPS64, - Arch::ScmpArchMips64n32 => SCMP_ARCH_MIPS64N32, - Arch::ScmpArchMipsel => SCMP_ARCH_MIPSEL, - Arch::ScmpArchMipsel64 => SCMP_ARCH_MIPSEL64, - Arch::ScmpArchMipsel64n32 => SCMP_ARCH_MIPSEL64N32, - Arch::ScmpArchPpc => SCMP_ARCH_PPC, - Arch::ScmpArchPpc64 => 
SCMP_ARCH_PPC64, - Arch::ScmpArchPpc64le => SCMP_ARCH_PPC64LE, - Arch::ScmpArchS390 => SCMP_ARCH_S390, - Arch::ScmpArchS390x => SCMP_ARCH_S390X, + LinuxSeccompOperator::ScmpCmpNe => ScmpCompareOp::NotEqual, + LinuxSeccompOperator::ScmpCmpLt => ScmpCompareOp::Less, + LinuxSeccompOperator::ScmpCmpLe => ScmpCompareOp::LessOrEqual, + LinuxSeccompOperator::ScmpCmpEq => ScmpCompareOp::Equal, + LinuxSeccompOperator::ScmpCmpGe => ScmpCompareOp::GreaterEqual, + LinuxSeccompOperator::ScmpCmpGt => ScmpCompareOp::Greater, + LinuxSeccompOperator::ScmpCmpMaskedEq => ScmpCompareOp::MaskedEqual(datum_b.unwrap_or(0)), } } @@ -319,15 +115,18 @@ const SECCOMP_FILTER_FLAG_SPEC_ALLOW: &str = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"; pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { check_seccomp(seccomp)?; - let default_action = translate_action(seccomp.default_action(), seccomp.default_errno_ret()); - let mut ctx = FilterContext::default(default_action)?; + let default_action = translate_action(seccomp.default_action(), seccomp.default_errno_ret())?; + let mut ctx = ScmpFilterContext::new_filter(translate_action( + seccomp.default_action(), + seccomp.default_errno_ret(), + )?)?; if let Some(flags) = seccomp.flags() { for flag in flags { match flag.as_ref() { - SECCOMP_FILTER_FLAG_LOG => ctx.set_log_bit(true)?, - SECCOMP_FILTER_FLAG_TSYNC => ctx.set_tsync_bit(true)?, - SECCOMP_FILTER_FLAG_SPEC_ALLOW => ctx.set_ssb_bit(true)?, + SECCOMP_FILTER_FLAG_LOG => ctx.set_ctl_log(true)?, + SECCOMP_FILTER_FLAG_TSYNC => ctx.set_ctl_tsync(true)?, + SECCOMP_FILTER_FLAG_SPEC_ALLOW => ctx.set_ctl_ssb(true)?, f => bail!("seccomp flag {} is not supported", f), } } @@ -335,8 +134,7 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { if let Some(architectures) = seccomp.architectures() { for &arch in architectures { - let arch_token = translate_arch(arch); - ctx.add_arch(arch_token as u32) + ctx.add_arch(translate_arch(arch)) .context("failed to add arch to seccomp")?; } } 
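Review bot: In the new `translate_action`, `errno.map(|e| e as i32)` narrows the profile's errno with a wrapping cast, so a value above `i32::MAX` becomes negative instead of being rejected; the removed `SCMP_ACT_ERRNO` helper masked it to 16 bits. The function now returns `Result`, so `i32::try_from(e)` with a context message would report a bad profile value to the caller. The action is also resolved by a round trip through a string name; if the crate's variants can be constructed directly (for example `ScmpAction::Errno(errno)`), that would remove a fallible lookup from the filter setup path. The context string has typos: `"faild to tranlate ScmpAction from {action_str}"` should read `"failed to translate ScmpAction from {action_str}"`.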
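Review bot: `translate_action(seccomp.default_action(), seccomp.default_errno_ret())` is evaluated twice at the top of `initialize_seccomp`, once into `default_action` and again inline as the argument of `new_filter`. `action` is passed by value inside the rule loop and compared with `default_action`, so the type appears to be `Copy`; `let mut ctx = ScmpFilterContext::new_filter(default_action)?;` would tie the filter default and the later redundancy check to one value. The function body continues outside this hunk.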
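Review bot: The removed `add_arch` wrapper ignored `EEXIST`, so a profile listing an architecture already in the filter still loaded, whereas the new `ctx.add_arch(translate_arch(arch))` propagates whatever the crate returns. It is worth confirming that the crate's `add_arch` reports an already-present architecture as success, and adding a test whose `architectures` list includes the native architecture. If it does not, such profiles would now fail when the filter is initialised. The loop sits inside `initialize_seccomp`, which extends beyond the hunk.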
@@ -348,11 +146,11 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { // set it here. If the seccomp load operation fails without enough // privilege, so be it. To prevent this automatic behavior, we unset the // value here. - ctx.set_nnp_bit(false)?; + ctx.set_ctl_nnp(false)?; if let Some(syscalls) = seccomp.syscalls() { for syscall in syscalls { - let action = translate_action(syscall.action(), syscall.errno_ret()); + let action = translate_action(syscall.action(), syscall.errno_ret())?; if action == default_action { // When the action is the same as the default action, the rule is redundant. We can // skip this here to avoid failing when we add the rules. @@ -364,13 +162,13 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { } for name in syscall.names() { - let syscall_number = match translate_syscall(name) { + let sc = match ScmpSyscall::from_name(name) { Ok(x) => x, Err(_) => { // If we failed to resolve the syscall by name, likely the kernel // doeesn't support this syscall. So it is safe to skip... log::warn!( - "Failed to resolve syscall, likely kernel doesn't support this. {:?}", + "failed to resolve syscall, likely kernel doesn't support this. {:?}", name ); continue; 
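Review bot: The `Err(_)` arm of `ScmpSyscall::from_name(name)` discards the error and skips the name, so a misspelled syscall in the profile cannot be told apart from one the kernel lacks. A skipped name can mean a restricting rule is never installed, and only a generic warning records it. Binding the error (`Err(e) =>`) and including `e` in the `log::warn!` call would make the cause visible to whoever audits the logs. The comment in that arm also has a typo, `doeesn't`. The match continues past the end of this hunk.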
@@ -382,29 +180,23 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { match syscall.args() { Some(args) => { for arg in args { - let mut rule = Rule::new(action, syscall_number); - let cmp = Compare::new(arg.index() as u32) - .op(translate_op(arg.op())) - .datum_a(arg.value()) - .datum_b(arg.value_two().unwrap_or(0)) - .build() - .context("Failed to build a seccomp compare rule")?; - rule.add_comparator(cmp); - ctx.add_rule(&rule).with_context(|| { - format!( - "failed to add seccomp rule: {:?}. Syscall: {:?}", - &rule, name, - ) - })?; + let cmp = ScmpArgCompare::new( + arg.index() as u32, + translate_op(arg.op(), arg.value_two()), + arg.value(), + ); + ctx.add_rule_conditional(action, sc, &[cmp]) + .with_context(|| { + format!( + "failed to add seccomp action: {:?}. Cmp: {:?} Syscall: {name}", + &action, cmp, + ) + })?; } } None => { - let rule = Rule::new(action, syscall_number); - ctx.add_rule(&rule).with_context(|| { - format!( - "failed to add seccomp rule: {:?}. Syscall: {:?}", - &rule, name, - ) + ctx.add_rule(action, sc).with_context(|| { + format!("failed to add seccomp rule: {:?}. Syscall: {name}", &sc) })?; } } @@ -419,7 +211,10 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result> { ctx.load().context("failed to load seccomp context")?; let fd = if is_notify(seccomp) { - ctx.notify_fd().context("failed to get seccomp notify fd")? + Some( + ctx.get_notify_fd() + .context("failed to get seccomp notify fd")?, + ) } else { None }; diff --git a/crates/libseccomp/Cargo.toml b/crates/libseccomp/Cargo.toml deleted file mode 100644 index 9ba143448..000000000 --- a/crates/libseccomp/Cargo.toml +++ /dev/null @@ -1,12 +0,0 @@ -[package] -name = "libseccomp" -version = "0.0.2" -edition = "2021" - -build = "build.rs" - -[dependencies] -libc = "0.2.119" - -[build-dependencies] -pkg-config = "0.3.24" diff --git a/crates/libseccomp/README.md b/crates/libseccomp/README.md deleted file mode 100644 index 31f7ae3e0..000000000 
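Review bot: For `ScmpCmpMaskedEq` the operand order may have changed. The removed builder passed `arg.value()` as `datum_a` and `arg.value_two()` as `datum_b`, whereas the new code gives `arg.value_two()` to `MaskedEqual(..)` as the mask (via `translate_op`, first hunk of this file) and `arg.value()` to `ScmpArgCompare::new` as the datum. Whether the crate maps these back to the same `datum_a`/`datum_b` is not visible here, and a swap would change which argument values the rule matches. A unit test that builds a masked-equal rule from a fixture and checks the resulting mask and value would settle it. Separately, the two error contexts disagree: the conditional branch prints the action, while the unconditional one prints `&sc` under the label "rule".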
--- a/crates/libseccomp/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Bindings to libseccomp - -This crate contains a rust FFI binding to -[libseccomp](https://github.com/seccomp/libseccomp). - -The code is adapted from auto generated code using -[rust-bindgen](https://github.com/rust-lang/rust-bindgen). The `rust-bindgen` -has some issue with detecting function macro, which `libseccomp` uses. We -decided to manually fix the issue and include the bindings in this crate. - -The header file used: diff --git a/crates/libseccomp/build.rs b/crates/libseccomp/build.rs deleted file mode 100644 index 618d1e9f9..000000000 --- a/crates/libseccomp/build.rs +++ /dev/null @@ -1,14 +0,0 @@ -const MINIMUM_VERSION: &str = "2.5"; -const PKG_NAME: &str = "libseccomp"; -fn main() { - match pkg_config::Config::new() - .atleast_version(MINIMUM_VERSION) - .probe(PKG_NAME) - { - Ok(_) => {} - Err(err) => { - eprintln!("{}", err); - std::process::exit(1); - } - } -} diff --git a/crates/libseccomp/src/lib.rs b/crates/libseccomp/src/lib.rs deleted file mode 100644 index 116e9a622..000000000 --- a/crates/libseccomp/src/lib.rs +++ /dev/null 
@@ -1,661 +0,0 @@ -extern crate libc; - -#[allow(non_camel_case_types)] -pub type __s8 = ::std::os::raw::c_schar; -#[allow(non_camel_case_types)] -pub type __u8 = ::std::os::raw::c_uchar; -#[allow(non_camel_case_types)] -pub type __s16 = ::std::os::raw::c_short; -#[allow(non_camel_case_types)] -pub type __u16 = ::std::os::raw::c_ushort; -#[allow(non_camel_case_types)] -pub type __s32 = ::std::os::raw::c_int; -#[allow(non_camel_case_types)] -pub type __u32 = ::std::os::raw::c_uint; -#[allow(non_camel_case_types)] -pub type __s64 = ::std::os::raw::c_longlong; -#[allow(non_camel_case_types)] -pub type __u64 = ::std::os::raw::c_ulonglong; - -pub const SCMP_VER_MAJOR: u32 = 2; -pub const SCMP_VER_MINOR: u32 = 5; -pub const SCMP_VER_MICRO: u32 = 1; - -pub const __NR_SCMP_ERROR: i32 = -1; -pub const __NR_SCMP_UNDEF: i32 = -2; - -#[allow(non_camel_case_types)] -pub type scmp_arch = u32; -pub const SCMP_ARCH_NATIVE: scmp_arch = 0; -pub const SCMP_ARCH_X86: scmp_arch = 1073741827; -pub const SCMP_ARCH_X86_64: scmp_arch = 3221225534; -pub const SCMP_ARCH_X32: scmp_arch = 1073741886; -pub const SCMP_ARCH_ARM: scmp_arch = 1073741864; -pub const SCMP_ARCH_AARCH64: scmp_arch = 3221225655; -pub const SCMP_ARCH_MIPS: scmp_arch = 8; -pub const SCMP_ARCH_MIPS64: scmp_arch = 2147483656; -pub const SCMP_ARCH_MIPS64N32: scmp_arch = 2684354568; -pub const SCMP_ARCH_MIPSEL: scmp_arch = 1073741832; -pub const SCMP_ARCH_MIPSEL64: scmp_arch = 3221225480; -pub const SCMP_ARCH_MIPSEL64N32: scmp_arch = 3758096392; -pub const SCMP_ARCH_PPC: scmp_arch = 20; -pub const SCMP_ARCH_PPC64: scmp_arch = 2147483669; -pub const SCMP_ARCH_PPC64LE: scmp_arch = 3221225493; -pub const SCMP_ARCH_S390: scmp_arch = 22; -pub const SCMP_ARCH_S390X: scmp_arch = 2147483670; -pub const SCMP_ARCH_PARISC: scmp_arch = 15; -pub const SCMP_ARCH_PARISC64: scmp_arch = 2147483663; -pub const SCMP_ARCH_RISCV64: scmp_arch = 3221225715; - -pub const SCMP_ACT_KILL_PROCESS: u32 = 2147483648; -pub const SCMP_ACT_KILL_THREAD: u32 = 
0; -pub const SCMP_ACT_KILL: u32 = 0; -pub const SCMP_ACT_TRAP: u32 = 196608; -pub const SCMP_ACT_NOTIFY: u32 = 2143289344; -pub const SCMP_ACT_LOG: u32 = 2147221504; -pub const SCMP_ACT_ALLOW: u32 = 2147418112; -#[allow(non_snake_case)] -pub fn SCMP_ACT_ERRNO(x: u32) -> u32 { - 0x00050000 | ((x) & 0x0000ffff) -} -#[allow(non_snake_case)] -pub fn SCMP_ACT_TRACE(x: u32) -> u32 { - 0x7ff00000 | ((x) & 0x0000ffff) -} - -#[allow(non_camel_case_types)] -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub enum scmp_filter_attr { - _SCMP_FLTATR_MIN, - SCMP_FLTATR_ACT_DEFAULT, - SCMP_FLTATR_ACT_BADARCH, - SCMP_FLTATR_CTL_NNP, - SCMP_FLTATR_CTL_TSYNC, - SCMP_FLTATR_API_TSKIP, - SCMP_FLTATR_CTL_LOG, - SCMP_FLTATR_CTL_SSB, - SCMP_FLTATR_CTL_OPTIMIZE, - SCMP_FLTATR_API_SYSRAWRC, - _SCMP_FLTATR_MAX, -} - -#[allow(non_camel_case_types)] -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub enum scmp_compare { - _SCMP_CMP_MIN = 0, - SCMP_CMP_NE = 1, - SCMP_CMP_LT = 2, - SCMP_CMP_LE = 3, - SCMP_CMP_EQ = 4, - SCMP_CMP_GE = 5, - SCMP_CMP_GT = 6, - SCMP_CMP_MASKED_EQ = 7, - _SCMP_CMP_MAX = 8, -} - -#[allow(non_camel_case_types)] -pub type scmp_datum_t = u64; - -#[allow(non_camel_case_types)] -pub type scmp_filter_ctx = *mut ::std::os::raw::c_void; - -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub struct scmp_version { - pub major: ::std::os::raw::c_uint, - pub minor: ::std::os::raw::c_uint, - pub micro: ::std::os::raw::c_uint, -} - -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub struct scmp_arg_cmp { - pub arg: ::std::os::raw::c_uint, - pub op: scmp_compare, - pub datum_a: scmp_datum_t, - pub datum_b: scmp_datum_t, -} - -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub struct seccomp_data { - pub nr: ::std::os::raw::c_int, - pub arch: __u32, - pub instruction_pointer: __u64, - pub args: [__u64; 6usize], -} - -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub struct seccomp_notif_sizes { - pub seccomp_notif: __u16, - pub seccomp_notif_resp: __u16, - pub seccomp_data: __u16, -} - -#[repr(C)] 
-#[derive(Debug, Copy, Clone)] -pub struct seccomp_notif { - pub id: __u64, - pub pid: __u32, - pub flags: __u32, - pub data: seccomp_data, -} - -#[repr(C)] -#[derive(Debug, Copy, Clone)] -pub struct seccomp_notif_resp { - pub id: __u64, - pub val: __s64, - pub error: __s32, - pub flags: __u32, -} - -#[link(name = "seccomp")] -extern "C" { - /** - * Query the library version information - * - * This function returns a pointer to a populated scmp_version struct, the - * caller does not need to free the structure when finished. - * - */ - pub fn seccomp_version() -> *const scmp_version; - - /** - * Query the library's level of API support - * - * This function returns an API level value indicating the current supported - * functionality. It is important to note that this level of support is - * determined at runtime and therefore can change based on the running kernel - * and system configuration (e.g. any previously loaded seccomp filters). This - * function can be called multiple times, but it only queries the system the - * first time it is called, the API level is cached and used in subsequent - * calls. - * - * The current API levels are described below: - * 0 : reserved - * 1 : base level - * 2 : support for the SCMP_FLTATR_CTL_TSYNC filter attribute - * uses the seccomp(2) syscall instead of the prctl(2) syscall - * 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute - * support for the SCMP_ACT_LOG action - * support for the SCMP_ACT_KILL_PROCESS action - * 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute - * 5 : support for the SCMP_ACT_NOTIFY action and notify APIs - * 6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs - * - */ - pub fn seccomp_api_get() -> ::std::os::raw::c_uint; - - /** - * Set the library's level of API support - * - * This function forcibly sets the API level of the library at runtime. Valid - * API levels are discussed in the description of the seccomp_api_get() - * function. 
General use of this function is strongly discouraged. - * - */ - pub fn seccomp_api_set(level: ::std::os::raw::c_uint) -> ::std::os::raw::c_int; - - /** - * Initialize the filter state - * @param def_action the default filter action - * - * This function initializes the internal seccomp filter state and should - * be called before any other functions in this library to ensure the filter - * state is initialized. Returns a filter context on success, NULL on failure. - * - */ - pub fn seccomp_init(def_action: u32) -> scmp_filter_ctx; - - /** - * Reset the filter state - * @param ctx the filter context - * @param def_action the default filter action - * - * This function resets the given seccomp filter state and ensures the - * filter state is reinitialized. This function does not reset any seccomp - * filters already loaded into the kernel. Returns zero on success, negative - * values on failure. - * - */ - pub fn seccomp_reset(ctx: scmp_filter_ctx, def_action: u32) -> ::std::os::raw::c_int; - - /** - * Destroys the filter state and releases any resources - * @param ctx the filter context - * - * This functions destroys the given seccomp filter state and releases any - * resources, including memory, associated with the filter state. This - * function does not reset any seccomp filters already loaded into the kernel. - * The filter context can no longer be used after calling this function. - * - */ - pub fn seccomp_release(ctx: scmp_filter_ctx); - - /** - * Merge two filters - * @param ctx_dst the destination filter context - * @param ctx_src the source filter context - * - * This function merges two filter contexts into a single filter context and - * destroys the second filter context. The two filter contexts must have the - * same attribute values and not contain any of the same architectures; if they - * do, the merge operation will fail. 
On success, the source filter context - * will be destroyed and should no longer be used; it is not necessary to - * call seccomp_release() on the source filter context. Returns zero on - * success, negative values on failure. - * - */ - pub fn seccomp_merge( - ctx_dst: scmp_filter_ctx, - ctx_src: scmp_filter_ctx, - ) -> ::std::os::raw::c_int; - - /** - * Resolve the architecture name to a architecture token - * @param arch_name the architecture name - * - * This function resolves the given architecture name to a token suitable for - * use with libseccomp, returns zero on failure. - * - */ - pub fn seccomp_arch_resolve_name(arch_name: *const ::std::os::raw::c_char) -> u32; - - /** - * Return the native architecture token - * - * This function returns the native architecture token value, e.g. SCMP_ARCH_*. - * - */ - pub fn seccomp_arch_native() -> u32; - - /** - * Check to see if an existing architecture is present in the filter - * @param ctx the filter context - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * - * This function tests to see if a given architecture is included in the filter - * context. If the architecture token is SCMP_ARCH_NATIVE then the native - * architecture will be assumed. Returns zero if the architecture exists in - * the filter, -EEXIST if it is not present, and other negative values on - * failure. - * - */ - pub fn seccomp_arch_exist(ctx: scmp_filter_ctx, arch_token: u32) -> ::std::os::raw::c_int; - - /** - * Adds an architecture to the filter - * @param ctx the filter context - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * - * This function adds a new architecture to the given seccomp filter context. - * Any new rules added after this function successfully returns will be added - * to this architecture but existing rules will not be added to this - * architecture. If the architecture token is SCMP_ARCH_NATIVE then the native - * architecture will be assumed. 
Returns zero on success, -EEXIST if - * specified architecture is already present, other negative values on failure. - * - */ - pub fn seccomp_arch_add(ctx: scmp_filter_ctx, arch_token: u32) -> ::std::os::raw::c_int; - - /** - * Removes an architecture from the filter - * @param ctx the filter context - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * - * This function removes an architecture from the given seccomp filter context. - * If the architecture token is SCMP_ARCH_NATIVE then the native architecture - * will be assumed. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_arch_remove(ctx: scmp_filter_ctx, arch_token: u32) -> ::std::os::raw::c_int; - - /** - * Loads the filter into the kernel - * @param ctx the filter context - * - * This function loads the given seccomp filter context into the kernel. If - * the filter was loaded correctly, the kernel will be enforcing the filter - * when this function returns. Returns zero on success, negative values on - * error. - * - */ - pub fn seccomp_load(ctx: scmp_filter_ctx) -> ::std::os::raw::c_int; - - /** - * Get the value of a filter attribute - * @param ctx the filter context - * @param attr the filter attribute name - * @param value the filter attribute value - * - * This function fetches the value of the given attribute name and returns it - * via @value. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_attr_get( - ctx: scmp_filter_ctx, - attr: scmp_filter_attr, - value: *mut u32, - ) -> ::std::os::raw::c_int; - - /** - * Set the value of a filter attribute - * @param ctx the filter context - * @param attr the filter attribute name - * @param value the filter attribute value - * - * This function sets the value of the given attribute. Returns zero on - * success, negative values on failure. 
- * - */ - pub fn seccomp_attr_set( - ctx: scmp_filter_ctx, - attr: scmp_filter_attr, - value: u32, - ) -> ::std::os::raw::c_int; - - /** - * Resolve a syscall number to a name - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * @param num the syscall number - * - * Resolve the given syscall number to the syscall name for the given - * architecture; it is up to the caller to free the returned string. Returns - * the syscall name on success, NULL on failure. - * - */ - pub fn seccomp_syscall_resolve_num_arch( - arch_token: u32, - num: ::std::os::raw::c_int, - ) -> *mut ::std::os::raw::c_char; - - /** - * Resolve a syscall name to a number - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * @param name the syscall name - * - * Resolve the given syscall name to the syscall number for the given - * architecture. Returns the syscall number on success, including negative - * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure. - * - */ - pub fn seccomp_syscall_resolve_name_arch( - arch_token: u32, - name: *const ::std::os::raw::c_char, - ) -> ::std::os::raw::c_int; - - /** - * Resolve a syscall name to a number and perform any rewriting necessary - * @param arch_token the architecture token, e.g. SCMP_ARCH_* - * @param name the syscall name - * - * Resolve the given syscall name to the syscall number for the given - * architecture and do any necessary syscall rewriting needed by the - * architecture. Returns the syscall number on success, including negative - * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure. - * - */ - pub fn seccomp_syscall_resolve_name_rewrite( - arch_token: u32, - name: *const ::std::os::raw::c_char, - ) -> ::std::os::raw::c_int; - - /** - * Resolve a syscall name to a number - * @param name the syscall name - * - * Resolve the given syscall name to the syscall number. Returns the syscall - * number on success, including negative pseudo syscall numbers (e.g. 
__PNR_*); - * returns __NR_SCMP_ERROR on failure. - * - */ - pub fn seccomp_syscall_resolve_name( - name: *const ::std::os::raw::c_char, - ) -> ::std::os::raw::c_int; - - /** - * Set the priority of a given syscall - * @param ctx the filter context - * @param syscall the syscall number - * @param priority priority value, higher value == higher priority - * - * This function sets the priority of the given syscall; this value is used - * when generating the seccomp filter code such that higher priority syscalls - * will incur less filter code overhead than the lower priority syscalls in the - * filter. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_syscall_priority( - ctx: scmp_filter_ctx, - syscall: ::std::os::raw::c_int, - priority: u8, - ) -> ::std::os::raw::c_int; - - /** - * Add a new rule to the filter - * @param ctx the filter context - * @param action the filter action - * @param syscall the syscall number - * @param arg_cnt the number of argument filters in the argument filter chain - * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) - * - * This function adds a series of new argument/value checks to the seccomp - * filter for the given syscall; multiple argument/value checks can be - * specified and they will be chained together (AND'd together) in the filter. - * If the specified rule needs to be adjusted due to architecture specifics it - * will be adjusted without notification. Returns zero on success, negative - * values on failure. - * - */ - pub fn seccomp_rule_add( - ctx: scmp_filter_ctx, - action: u32, - syscall: ::std::os::raw::c_int, - arg_cnt: ::std::os::raw::c_uint, - ... 
- ) -> ::std::os::raw::c_int; - - /** - * Add a new rule to the filter - * @param ctx the filter context - * @param action the filter action - * @param syscall the syscall number - * @param arg_cnt the number of elements in the arg_array parameter - * @param arg_array array of scmp_arg_cmp structs - * - * This function adds a series of new argument/value checks to the seccomp - * filter for the given syscall; multiple argument/value checks can be - * specified and they will be chained together (AND'd together) in the filter. - * If the specified rule needs to be adjusted due to architecture specifics it - * will be adjusted without notification. Returns zero on success, negative - * values on failure. - * - */ - pub fn seccomp_rule_add_array( - ctx: scmp_filter_ctx, - action: u32, - syscall: ::std::os::raw::c_int, - arg_cnt: ::std::os::raw::c_uint, - arg_array: *const scmp_arg_cmp, - ) -> ::std::os::raw::c_int; - - /** - * Add a new rule to the filter - * @param ctx the filter context - * @param action the filter action - * @param syscall the syscall number - * @param arg_cnt the number of argument filters in the argument filter chain - * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) - * - * This function adds a series of new argument/value checks to the seccomp - * filter for the given syscall; multiple argument/value checks can be - * specified and they will be chained together (AND'd together) in the filter. - * If the specified rule can not be represented on the architecture the - * function will fail. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_rule_add_exact( - ctx: scmp_filter_ctx, - action: u32, - syscall: ::std::os::raw::c_int, - arg_cnt: ::std::os::raw::c_uint, - ... 
- ) -> ::std::os::raw::c_int; - - /** - * Add a new rule to the filter - * @param ctx the filter context - * @param action the filter action - * @param syscall the syscall number - * @param arg_cnt the number of elements in the arg_array parameter - * @param arg_array array of scmp_arg_cmp structs - * - * This function adds a series of new argument/value checks to the seccomp - * filter for the given syscall; multiple argument/value checks can be - * specified and they will be chained together (AND'd together) in the filter. - * If the specified rule can not be represented on the architecture the - * function will fail. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_rule_add_exact_array( - ctx: scmp_filter_ctx, - action: u32, - syscall: ::std::os::raw::c_int, - arg_cnt: ::std::os::raw::c_uint, - arg_array: *const scmp_arg_cmp, - ) -> ::std::os::raw::c_int; - - /** - * Allocate a pair of notification request/response structures - * @param req the request location - * @param resp the response location - * - * This function allocates a pair of request/response structure by computing - * the correct sized based on the currently running kernel. It returns zero on - * success, and negative values on failure. - * - */ - pub fn seccomp_notify_alloc( - req: *mut *mut seccomp_notif, - resp: *mut *mut seccomp_notif_resp, - ) -> ::std::os::raw::c_int; - - /** - * Free a pair of notification request/response structures. - * @param req the request location - * @param resp the response location - */ - pub fn seccomp_notify_free(req: *mut seccomp_notif, resp: *mut seccomp_notif_resp); - - /** - * Receive a notification from a seccomp notification fd - * @param fd the notification fd - * @param req the request buffer to save into - * - * Blocks waiting for a notification on this fd. This function is thread safe - * (synchronization is performed in the kernel). Returns zero on success, - * negative values on error. 
- * - */ - pub fn seccomp_notify_receive( - fd: ::std::os::raw::c_int, - req: *mut seccomp_notif, - ) -> ::std::os::raw::c_int; - - /** - * Send a notification response to a seccomp notification fd - * @param fd the notification fd - * @param resp the response buffer to use - * - * Sends a notification response on this fd. This function is thread safe - * (synchronization is performed in the kernel). Returns zero on success, - * negative values on error. - * - */ - pub fn seccomp_notify_respond( - fd: ::std::os::raw::c_int, - resp: *mut seccomp_notif_resp, - ) -> ::std::os::raw::c_int; - - /** - * Check if a notification id is still valid - * @param fd the notification fd - * @param id the id to test - * - * Checks to see if a notification id is still valid. Returns 0 on success, and - * negative values on failure. - * - */ - pub fn seccomp_notify_id_valid(fd: ::std::os::raw::c_int, id: u64) -> ::std::os::raw::c_int; - - /** - * Return the notification fd from a filter that has already been loaded - * @param ctx the filter context - * - * This returns the listener fd that was generated when the seccomp policy was - * loaded. This is only valid after seccomp_load() with a filter that makes - * use of SCMP_ACT_NOTIFY. - * - */ - pub fn seccomp_notify_fd(ctx: scmp_filter_ctx) -> ::std::os::raw::c_int; - - /** - * Generate seccomp Pseudo Filter Code (PFC) and export it to a file - * @param ctx the filter context - * @param fd the destination fd - * - * This function generates seccomp Pseudo Filter Code (PFC) and writes it to - * the given fd. Returns zero on success, negative values on failure. 
- * - */ - pub fn seccomp_export_pfc( - ctx: scmp_filter_ctx, - fd: ::std::os::raw::c_int, - ) -> ::std::os::raw::c_int; - - /** - * Generate seccomp Berkeley Packet Filter (BPF) code and export it to a file - * @param ctx the filter context - * @param fd the destination fd - * - * This function generates seccomp Berkeley Packer Filter (BPF) code and writes - * it to the given fd. Returns zero on success, negative values on failure. - * - */ - pub fn seccomp_export_bpf( - ctx: scmp_filter_ctx, - fd: ::std::os::raw::c_int, - ) -> ::std::os::raw::c_int; - -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn it_works() { - // Note: we should probably run this in a different process, since it - // loads a seccomp profile. However, since this is the only test in the - // repo at the moment, this should be OK for now. - unsafe { - let ctx = seccomp_init(SCMP_ACT_ALLOW); - let cmp = scmp_arg_cmp { - arg: 0, - op: scmp_compare::SCMP_CMP_EQ, - datum_a: 1000, - datum_b: 0, - }; - - let c_syscall_name = std::ffi::CString::new("getcwd").unwrap(); - let syscall_number = seccomp_syscall_resolve_name(c_syscall_name.as_ptr()); - - assert!(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(42), syscall_number, 1, cmp) == 0); - assert!(seccomp_load(ctx) == 0); - } - } -} From 57c3543be336da0bf074eddbc31d6b14704676c0 Mon Sep 17 00:00:00 2001 From: utam0k Date: Sun, 27 Feb 2022 17:14:03 +0900 Subject: [PATCH 17/18] Remove crates/libseccomp from github actions. Signed-off-by: utam0k --- .github/workflows/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7d25141f6..6c72499f1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -20,7 +20,6 @@ jobs: ./crates/youki: crates/youki/** ./crates/libcontainer: crates/libcontainer/** ./crates/libcgroups: crates/libcgroups/** - ./crates/libseccomp: crates/libseccomp/** ./crates/integration_test: crates/integration_test/** ./runtimetest : runtimetest/** check: @@ -93,7 +92,7 @@ jobs: run: | cargo llvm-cov clean --workspace cargo llvm-cov --no-report - cargo llvm-cov --no-run --lcov --ignore-filename-regex "libseccomp/src|integration_test/src|test_framework/src|systemd_api.rs" --output-path ./coverage.lcov + cargo llvm-cov --no-run --lcov --ignore-filename-regex "integration_test/src|test_framework/src|systemd_api.rs" --output-path ./coverage.lcov - name: Upload Youki Code Coverage Results uses: codecov/codecov-action@v2 with: From 5916ff31dc9dd9568e46c7192962d4cebab58116 Mon Sep 17 00:00:00 2001 From: utam0k Date: Wed, 2 Mar 2022 20:47:03 +0900 Subject: [PATCH 18/18] Make the code more understandable. Co-authored-by: Manabu Sugimoto <66765615+ManaSugi@users.noreply.github.com> --- crates/libcontainer/src/seccomp/mod.rs | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs index 212c88aca..9a3782b56 100644 --- a/crates/libcontainer/src/seccomp/mod.rs +++ b/crates/libcontainer/src/seccomp/mod.rs 
@@ -36,19 +36,19 @@ fn translate_arch(arch: Arch) -> ScmpArch { } fn translate_action(action: LinuxSeccompAction, errno: Option) -> Result { - let errno = Some(errno.map(|e| e as i32).unwrap_or(libc::EPERM as i32)); - let action_str = match action { - LinuxSeccompAction::ScmpActKill => "SCMP_ACT_KILL", - LinuxSeccompAction::ScmpActTrap => "SCMP_ACT_TRAP", - LinuxSeccompAction::ScmpActErrno => "SCMP_ACT_ERRNO", - LinuxSeccompAction::ScmpActTrace => "SCMP_ACT_TRACE", - LinuxSeccompAction::ScmpActAllow => "SCMP_ACT_ALLOW", - LinuxSeccompAction::ScmpActKillProcess => "SCMP_ACT_KILL_PROCESS", - LinuxSeccompAction::ScmpActNotify => "SCMP_ACT_NOTIFY", - LinuxSeccompAction::ScmpActLog => "SCMP_ACT_LOG", + let errno = errno.map(|e| e as i32).unwrap_or(libc::EPERM); + let action = match action { + LinuxSeccompAction::ScmpActKill => ScmpAction::KillThread, + LinuxSeccompAction::ScmpActTrap => ScmpAction::Trap, + LinuxSeccompAction::ScmpActErrno => ScmpAction::Errno(errno), + LinuxSeccompAction::ScmpActTrace => ScmpAction::Trace(errno.try_into()?), + LinuxSeccompAction::ScmpActAllow => ScmpAction::Allow, + LinuxSeccompAction::ScmpActKillProcess => ScmpAction::KillProcess, + LinuxSeccompAction::ScmpActNotify => ScmpAction::Notify, + LinuxSeccompAction::ScmpActLog => ScmpAction::Log, }; - ScmpAction::from_str(action_str, errno) - .with_context(|| format!("faild to tranlate ScmpAction from {action_str}")) + + Ok(action) } fn translate_op(op: LinuxSeccompOperator, datum_b: Option) -> ScmpCompareOp {
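Review bot: On the new `let errno = errno.map(|e| e as i32).unwrap_or(libc::EPERM);` line in `translate_action`, the `as i32` cast wraps silently when the configured errno does not fit, while the `ScmpActTrace` arm a few lines below uses a checked `errno.try_into()?`. The value comes from the container's seccomp profile and decides what a filtered syscall returns, so I would reject an out-of-range value up front so that both arms fail the same way: `let errno = errno.map(i32::try_from).transpose()?.unwrap_or(libc::EPERM);`. This assumes `errno` is an `Option` of an unsigned integer and that the function's error type accepts the conversion error; the generic parameters are not visible in this rendering of the hunk. A short comment such as `// EPERM is also the value Trace receives when the profile sets no errno` above that line would make the shared default explicit.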