Update oci-spec-rs to v0.5.5

This means we can now use the filter types to enforce tighter type checks. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
youki-dev · Feb 28, 2022 · db36e0f · db36e0f
1 parent 5aad78e
commit db36e0f
Show file tree

Hide file tree

Showing 13 changed files with 47 additions and 90 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/integration_test/Cargo.toml b/crates/integration_test/Cargo.toml
@@ -12,7 +12,7 @@ libcontainer = { path = "../libcontainer" }
 log = { version = "0.4", features = ["std"] }
 nix = "0.23.1"
 num_cpus = "1.13"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs", rev = "54c5e386f01ab37c9305cc4a83404eb157e42440" }
+oci-spec = "0.5.5"
 once_cell = "1.9.0"
 pnet = "0.29.0"
 procfs = "0.12.0"

diff --git a/crates/integration_test/src/tests/cgroups/blkio.rs b/crates/integration_test/src/tests/cgroups/blkio.rs
@@ -76,9 +76,9 @@ fn supports_throttle_iops() -> bool {
 
 fn parse_device_data<'a>(device_type: &'static str, line: &'a str) -> Result<(i64, i64, &'a str)> {
     let (device_id, value) = line
-        .split_once(" ")
+        .split_once(' ')
         .with_context(|| format!("invalid {} device format : found {}", device_type, line))?;
-    let (major_str, minor_str) = device_id.split_once(":").with_context(|| {
+    let (major_str, minor_str) = device_id.split_once(':').with_context(|| {
         format!(
             "invalid major-minor number format for {} device : found {}",
             device_type, device_id

diff --git a/crates/integration_test/src/utils/test_utils.rs b/crates/integration_test/src/utils/test_utils.rs
@@ -86,7 +86,7 @@ pub fn get_state<P: AsRef<Path>>(id: &str, dir: P) -> Result<(String, String)> {
     sleep(SLEEP_TIME);
     let output = runtime_command(dir)
         .arg("state")
-        .arg(id.to_string())
+        .arg(id)
         .spawn()
         .context("could not get container state")?
         .wait_with_output()
@@ -99,7 +99,7 @@ pub fn get_state<P: AsRef<Path>>(id: &str, dir: P) -> Result<(String, String)> {
 pub fn start_container<P: AsRef<Path>>(id: &str, dir: P) -> Result<Child> {
     let res = runtime_command(dir)
         .arg("start")
-        .arg(id.to_string())
+        .arg(id)
         .spawn()
         .context("could not start container")?;
     Ok(res)

diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml
@@ -25,7 +25,7 @@ nix = "0.23.1"
 procfs = "0.12.0"
 log = "0.4"
 anyhow = "1.0"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 dbus = { version = "0.9.5", optional = true }
 fixedbitset = "0.4.1"
 serde = { version = "1.0", features = ["derive"] }
@@ -35,7 +35,7 @@ errno = { version = "0.2.8", optional = true }
 libc = { version = "0.2.119", optional = true }
 
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 mockall = { version = "0.11.0", features = [] }
 clap = "3.0.0-beta.5"

diff --git a/crates/libcgroups/src/v2/unified.rs b/crates/libcgroups/src/v2/unified.rs
@@ -32,7 +32,7 @@ impl Unified {
                 common::write_cgroup_file_str(cgroup_path.join(cgroup_file), value).map_err(
                     |e| {
                         let (subsystem, _) = cgroup_file
-                            .split_once(".")
+                            .split_once('.')
                             .with_context(|| {
                                 format!("failed to split {} with {}", cgroup_file, ".")
                             })

diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml
@@ -29,7 +29,7 @@ libc = "0.2.119"
 log = "0.4"
 mio = { version = "0.8.0", features = ["os-ext", "os-poll"] }
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 path-clean = "0.1.0"
 procfs = "0.12.0"
 prctl = "1.0.0"
@@ -42,7 +42,7 @@ wasmer = { version = "2.1.1", optional = true }
 wasmer-wasi = { version = "2.1.1", optional = true }
 
 [dev-dependencies]
-oci-spec = { version = "0.5.3", features = ["proptests"] }
+oci-spec = { version = "0.5.5", features = ["proptests"] }
 quickcheck = "1"
 serial_test = "0.6.0"
 rand = "0.8.5"
diff --git a/crates/libcontainer/src/process/container_init_process.rs b/crates/libcontainer/src/process/container_init_process.rs
@@ -79,7 +79,7 @@ fn cleanup_file_descriptors(preserve_fds: i32) -> Result<()> {
 fn sysctl(kernel_params: &HashMap<String, String>) -> Result<()> {
     let sys = PathBuf::from("/proc/sys");
     for (kernel_param, value) in kernel_params {
-        let path = sys.join(kernel_param.replace(".", "/"));
+        let path = sys.join(kernel_param.replace('.', "/"));
         log::debug!(
             "apply value {} to kernel parameter {}.",
             value,

diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs
@@ -1,15 +1,10 @@
-use anyhow::bail;
-use anyhow::Context;
-use anyhow::Result;
-use libseccomp::scmp_compare::*;
-use libseccomp::*;
+use anyhow::{bail, Context, Result};
+use libseccomp::{scmp_compare::*, *};
 use nix::errno::Errno;
-use oci_spec::runtime::Arch;
-use oci_spec::runtime::LinuxSeccomp;
-use oci_spec::runtime::LinuxSeccompAction;
-use oci_spec::runtime::LinuxSeccompOperator;
-use std::ffi::CString;
-use std::os::unix::io;
+use oci_spec::runtime::{
+    Arch, LinuxSeccomp, LinuxSeccompAction, LinuxSeccompFilterFlag, LinuxSeccompOperator,
+};
+use std::{ffi::CString, os::unix::io};
 
 #[derive(Debug)]
 struct Compare {
@@ -297,25 +292,6 @@ fn check_seccomp(seccomp: &LinuxSeccomp) -> Result<()> {
     Ok(())
 }
 
-/// All filter return actions except SECCOMP_RET_ALLOW should be logged. An administrator may
-/// override this filter flag by preventing specific actions from being logged via the
-/// /proc/sys/kernel/seccomp/actions_logged file. (since Linux 4.14)
-const SECCOMP_FILTER_FLAG_LOG: &str = "SECCOMP_FILTER_FLAG_LOG";
-
-/// When adding a new filter, synchronize all other threads of the calling process to the same
-/// seccomp filter tree. A "filter tree" is the ordered list of filters attached to a thread.
-/// (Attaching identical filters in separate seccomp() calls results in different filters from this
-/// perspective.)
-///
-/// If any thread cannot synchronize to the same filter tree, the call will not attach the new
-/// seccomp filter, and will fail, returning the first thread ID found that cannot synchronize.
-/// Synchronization will fail if another thread in the same process is in SECCOMP_MODE_STRICT or if
-/// it has attached new seccomp filters to itself, diverging from the calling thread's filter tree.
-const SECCOMP_FILTER_FLAG_TSYNC: &str = "SECCOMP_FILTER_FLAG_TSYNC";
-
-/// Disable Speculative Store Bypass mitigation. (since Linux 4.17)
-const SECCOMP_FILTER_FLAG_SPEC_ALLOW: &str = "SECCOMP_FILTER_FLAG_SPEC_ALLOW";
-
 pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result<Option<io::RawFd>> {
     check_seccomp(seccomp)?;
 
@@ -324,11 +300,10 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result<Option<io::RawFd>> {
 
     if let Some(flags) = seccomp.flags() {
         for flag in flags {
-            match flag.as_ref() {
-                SECCOMP_FILTER_FLAG_LOG => ctx.set_log_bit(true)?,
-                SECCOMP_FILTER_FLAG_TSYNC => ctx.set_tsync_bit(true)?,
-                SECCOMP_FILTER_FLAG_SPEC_ALLOW => ctx.set_ssb_bit(true)?,
-                f => bail!("seccomp flag {} is not supported", f),
+            match flag {
+                LinuxSeccompFilterFlag::SeccompFilterFlagLog => ctx.set_log_bit(true)?,
+                LinuxSeccompFilterFlag::SeccompFilterFlagTsync => ctx.set_tsync_bit(true)?,
+                LinuxSeccompFilterFlag::SeccompFilterFlagSpecAllow => ctx.set_ssb_bit(true)?,
             }
         }
     }

diff --git a/crates/libcontainer/src/utils.rs b/crates/libcontainer/src/utils.rs
@@ -181,15 +181,10 @@ pub fn secure_join<P: Into<PathBuf>>(rootfs: P, unsafe_path: P) -> Result<PathBu
             bail!("dereference too many symlinks, may be infinite loop");
         }
 
-        let part_path;
-        match part.next() {
-            Some(part) => {
-                part_path = PathBuf::from(part);
-            }
-            None => {
-                break;
-            }
-        }
+        let part_path = match part.next() {
+            Some(part) => PathBuf::from(part),
+            None => break,
+        };
 
         if !part_path.is_absolute() {
             if part_path.starts_with("..") {

diff --git a/crates/test_framework/src/test_manager.rs b/crates/test_framework/src/test_manager.rs
@@ -83,11 +83,10 @@ impl<'a> TestManager<'a> {
             let mut collector = Vec::with_capacity(tests.len());
             for (test_group_name, tests) in &tests {
                 if let Some(tg) = self.test_groups.get(test_group_name) {
-                    let r;
-                    match tests {
-                        None => r = s.spawn(move |_| tg.run_all()),
-                        Some(tests) => r = s.spawn(move |_| tg.run_selected(tests)),
-                    }
+                    let r = match tests {
+                        None => s.spawn(move |_| tg.run_all()),
+                        Some(tests) => s.spawn(move |_| tg.run_selected(tests)),
+                    };
                     collector.push((test_group_name, r));
                 } else {
                     eprintln!("Error : Test Group {} not found, skipping", test_group_name);

diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml
@@ -26,7 +26,7 @@ libcontainer = { version = "0.0.2", path = "../libcontainer" }
 liboci-cli = { version = "0.0.2", path = "../liboci-cli" }
 log = { version = "0.4", features = ["std"]}
 nix = "0.23.1"
-oci-spec = "0.5.3"
+oci-spec = "0.5.5"
 once_cell = "1.9.0"
 pentacle = "1.0.0"
 procfs = "0.12.0"

diff --git a/runtimetest/Cargo.toml b/runtimetest/Cargo.toml
@@ -10,5 +10,5 @@ members = []
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-oci-spec = "0.5.3"
-nix = "0.23.1"
+oci-spec = "0.5.5"
+nix = "0.23.1"