Do one add_seals call, rather than one per flag. (#4366)

sunfishcode · web-flow · commit a2197ebbeb20 · 2022-07-01T16:00:18.000-07:00
When setting up a copy on write image, we add several seals, to prevent
the image from being resized or modified. Set all the seals in a single
call, rather than doing one call per seal.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/runtime/Cargo.toml b/crates/runtime/Cargo.toml
@@ -25,7 +25,7 @@ cfg-if = "1.0"
 backtrace = { version = "0.3.61" }
 rand = "0.8.3"
 anyhow = "1.0.38"
-memfd = { version = "0.4.1", optional = true }
+memfd = { version = "0.6.1", optional = true }
 
 [target.'cfg(target_os = "macos")'.dependencies]
 mach = "0.3.2"
diff --git a/crates/runtime/src/cow.rs b/crates/runtime/src/cow.rs
@@ -162,10 +162,12 @@ impl MemoryImage {
                 // extra-super-sure that it never changes, and because
                 // this costs very little, we use the kernel's "seal" API
                 // to make the memfd image permanently read-only.
-                memfd.add_seal(memfd::FileSeal::SealGrow)?;
-                memfd.add_seal(memfd::FileSeal::SealShrink)?;
-                memfd.add_seal(memfd::FileSeal::SealWrite)?;
-                memfd.add_seal(memfd::FileSeal::SealSeal)?;
+                memfd.add_seals(&[
+                    memfd::FileSeal::SealGrow,
+                    memfd::FileSeal::SealShrink,
+                    memfd::FileSeal::SealWrite,
+                    memfd::FileSeal::SealSeal,
+                ])?;
 
                 Ok(Some(MemoryImage {
                     fd: FdSource::Memfd(memfd),
