Update nix dependency to address CVE-2021-45707

Cargo.toml

@@ -8,7 +8,7 @@ edition = "2018"
 
 [dependencies]
 structopt = "0.3"
-nix = "0.18"
+nix = {version = "0.27.1", features = ["dir", "fs", "mman", "mount", "process", "ptrace", "signal", "uio", "user"]}
 anyhow = "1.0"
 fuser = {version = "0.6", features = ["abi-7-19"]}
 time = "0.1"

Dockerfile

@@ -12,7 +12,7 @@ ENV https_proxy $HTTPS_PROXY
 
 RUN apt-get update && apt-get install build-essential curl git pkg-config libfuse-dev fuse -y && rm -rf /var/lib/apt/lists/*
 
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain nightly-2021-12-23 -y
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain stable -y
 ENV PATH "/root/.cargo/bin:${PATH}"
 
 RUN if [ -n "$HTTP_PROXY" ]; then echo "[http]\n\
@@ -24,7 +24,6 @@ COPY . /toda-build
 
 WORKDIR /toda-build
 
-ENV RUSTFLAGS "-Z relro-level=full"
 RUN --mount=type=cache,target=/toda-build/target \
     --mount=type=cache,target=/root/.cargo/registry \
     cargo build --release

rust-toolchain

@@ -1 +1 @@
-nightly-2021-12-23
+stable

src/fuse_device.rs

@@ -1,18 +1,16 @@
 use nix::sys::stat::{makedev, mknod, Mode, SFlag};
-use nix::Error as NixError;
 
 pub fn mkfuse_node() -> anyhow::Result<()> {
-    let mode = unsafe { Mode::from_bits_unchecked(0o666) };
+    let mode = Mode::S_IWUSR | Mode::S_IRUSR | Mode::S_IWGRP | Mode::S_IRGRP | Mode::S_IWOTH | Mode::S_IROTH;
     let dev = makedev(10, 229);
     match mknod("/dev/fuse", SFlag::S_IFCHR, mode, dev) {
         Ok(()) => Ok(()),
-        Err(NixError::Sys(errno)) => {
+        Err(errno) => {
             if errno == nix::errno::Errno::EEXIST {
                 Ok(())
             } else {
-                Err(NixError::from_errno(errno).into())
+                Err(errno.into())
             }
         }
-        Err(err) => Err(err.into()),
     }
 }

src/hookfs/errors.rs

@@ -36,15 +36,8 @@ impl HookFsError {
 }
 
 impl From<nix::Error> for HookFsError {
-    fn from(err: Error) -> HookFsError {
-        // TODO: match more error types
-        match err {
-            Error::Sys(errno) => HookFsError::Sys(errno),
-            _ => {
-                error!("unknown error {:?}", err);
-                HookFsError::UnknownError
-            }
-        }
+    fn from(errno: Error) -> HookFsError {
+        HookFsError::Sys(errno)
     }
 }
 

src/hookfs/mod.rs

@@ -4,7 +4,7 @@ mod reply;
 pub mod runtime;
 mod utils;
 
-use std::collections::{HashMap, LinkedList};
+use std::collections::HashMap;
 use std::ffi::{CString, OsStr, OsString};
 use std::os::unix::ffi::OsStrExt;
 use std::os::unix::io::RawFd;
@@ -159,12 +159,12 @@ pub struct HookFs {
 struct Node {
     pub ref_count: u64,
     // TODO: optimize paths with a combination data structure
-    paths: LinkedList<PathBuf>,
+    paths: Vec<PathBuf>,
 }
 
 impl Node {
     fn get_path(&self) -> Option<&Path> {
-        self.paths.back().map(|item| item.as_path())
+        self.paths.last().map(|item| item.as_path())
     }
 
     fn insert(&mut self, path: PathBuf) {
@@ -174,11 +174,11 @@ impl Node {
             }
         }
 
-        self.paths.push_back(path);
+        self.paths.push(path);
     }
 
     fn remove(&mut self, path: &Path) {
-        self.paths.drain_filter(|x| x == path);
+        self.paths.retain(|x| x != path);
     }
 }
 
@@ -728,7 +728,7 @@ impl AsyncFileSystemImpl for HookFs {
         // filter out append. The kernel layer will translate the
         // offsets for us appropriately.
         let filtered_flags = flags & (!libc::O_APPEND) & (!libc::O_DIRECT);
-        let filtered_flags = OFlag::from_bits_truncate(filtered_flags as i32);
+        let filtered_flags = OFlag::from_bits_truncate(filtered_flags);
 
         let inode_map = self.inode_map.read().await;
         let path = inode_map.get_path(ino)?;
@@ -849,7 +849,7 @@ impl AsyncFileSystemImpl for HookFs {
         let inode_map = self.inode_map.read().await;
         let path = { inode_map.get_path(ino)?.to_owned() };
         let filtered_flags = flags & (!libc::O_APPEND);
-        let filtered_flags = OFlag::from_bits_truncate(filtered_flags as i32);
+        let filtered_flags = OFlag::from_bits_truncate(filtered_flags);
 
         let path_clone = path.clone();
         let dir = spawn_blocking(move || {
@@ -889,7 +889,7 @@ impl AsyncFileSystemImpl for HookFs {
             trace!("empty reply");
             return Ok(());
         }
-        for (index, entry) in all_entries.iter().enumerate().skip(offset as usize) {
+        for (index, entry) in all_entries.iter().enumerate().skip(offset) {
             let entry = (*entry)?;
 
             let name = entry.file_name();
@@ -990,9 +990,6 @@ impl AsyncFileSystemImpl for HookFs {
         let cpath = CString::new(path.as_os_str().as_bytes())?;
         let name = CString::new(name.as_bytes())?;
 
-        let mut buf = Vec::new();
-        buf.resize(size as usize, 0u8);
-
         let data = async_getxattr(cpath, name, size as usize).await?;
 
         let mut reply = if size == 0 {
@@ -1016,8 +1013,7 @@ impl AsyncFileSystemImpl for HookFs {
         let path = inode_map.get_path(ino)?.to_owned();
         let cpath = CString::new(path.as_os_str().as_bytes())?;
 
-        let mut buf = Vec::new();
-        buf.resize(size as usize, 0u8);
+        let buf = vec![0u8; size as usize];
 
         let shared_buf = std::sync::Arc::new(buf);
         let buf_clone = shared_buf.clone();
@@ -1073,7 +1069,7 @@ impl AsyncFileSystemImpl for HookFs {
 
         let inode_map = self.inode_map.read().await;
         let path = inode_map.get_path(ino)?.to_owned();
-        let mask = AccessFlags::from_bits_truncate(mask as i32);
+        let mask = AccessFlags::from_bits_truncate(mask);
         let path_clone = path.to_path_buf();
 
         spawn_blocking(move || nix::unistd::access(&path_clone, mask)).await??;
@@ -1102,7 +1098,7 @@ impl AsyncFileSystemImpl for HookFs {
         };
 
         let filtered_flags = flags & (!libc::O_APPEND);
-        let filtered_flags = OFlag::from_bits_truncate(filtered_flags as i32);
+        let filtered_flags = OFlag::from_bits_truncate(filtered_flags);
         let mode = stat::Mode::from_bits_truncate(mode);
 
         trace!("create with flags: {:?}, mode: {:?}", filtered_flags, mode);
@@ -1180,14 +1176,13 @@ async fn async_setxattr(path: CString, name: CString, data: Vec<u8>, flags: i32)
 
 async fn async_getxattr(path: CString, name: CString, size: usize) -> Result<Vec<u8>> {
     spawn_blocking(move || {
-        let mut buf = Vec::new();
-        buf.resize(size, 0);
+        let mut buf = vec![0; size];
 
         let path_ptr = &path.as_bytes_with_nul()[0] as *const u8 as *const libc::c_char;
         let name_ptr = &name.as_bytes_with_nul()[0] as *const u8 as *const libc::c_char;
         let buf_ptr = buf.as_slice() as *const [u8] as *mut [u8] as *mut libc::c_void;
 
-        let ret = unsafe { lgetxattr(path_ptr, name_ptr, buf_ptr, size as usize) };
+        let ret = unsafe { lgetxattr(path_ptr, name_ptr, buf_ptr, size) };
         if ret == -1 {
             Err(Error::last())
         } else {
@@ -1200,8 +1195,7 @@ async fn async_getxattr(path: CString, name: CString, size: usize) -> Result<Vec
 
 async fn async_read(fd: RawFd, count: usize, offset: i64) -> Result<Vec<u8>> {
     spawn_blocking(move || unsafe {
-        let mut buf = Vec::new();
-        buf.resize(count, 0);
+        let mut buf = vec![0; count];
         let ret = libc::pread(fd, buf.as_ptr() as *mut c_void, count, offset);
         if ret == -1 {
             Err(Error::last())

src/injector/multi_injector.rs

@@ -25,16 +25,16 @@ impl MultiInjector {
         for injector in conf.into_iter() {
             let injector = match injector {
                 InjectorConfig::Fault(faults) => {
-                    (box FaultInjector::build(faults)?) as Box<dyn Injector>
+                    (Box::new(FaultInjector::build(faults)?)) as Box<dyn Injector>
                 }
                 InjectorConfig::Latency(latency) => {
-                    (box LatencyInjector::build(latency)?) as Box<dyn Injector>
+                    (Box::new(LatencyInjector::build(latency)?)) as Box<dyn Injector>
                 }
                 InjectorConfig::AttrOverride(attr_override) => {
-                    (box AttrOverrideInjector::build(attr_override)?) as Box<dyn Injector>
+                    (Box::new(AttrOverrideInjector::build(attr_override)?)) as Box<dyn Injector>
                 }
                 InjectorConfig::Mistake(mistakes) => {
-                    (box MistakeInjector::build(mistakes)?) as Box<dyn Injector>
+                    (Box::new(MistakeInjector::build(mistakes)?)) as Box<dyn Injector>
                 }
             };
             injectors.push(injector)

src/lib.rs

@@ -11,11 +11,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#![feature(box_syntax)]
-#![feature(async_closure)]
-#![feature(vec_into_raw_parts)]
-#![feature(atomic_mut_ptr)]
-#![feature(drain_filter)]
 #![allow(clippy::or_fun_call)]
 #![allow(clippy::too_many_arguments)]
 

src/main.rs

@@ -11,11 +11,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#![feature(box_syntax)]
-#![feature(async_closure)]
-#![feature(vec_into_raw_parts)]
-#![feature(atomic_mut_ptr)]
-#![feature(drain_filter)]
 #![allow(clippy::or_fun_call)]
 #![allow(clippy::too_many_arguments)]
 

src/mount.rs

@@ -21,7 +21,7 @@ impl MountsInfo {
     pub fn non_root<P: AsRef<Path>>(&self, path: P) -> Result<bool> {
         let mount_points = self.mounts.iter().map(|item| &item.mount_point);
         for mount_point in mount_points {
-            if path.as_ref().starts_with(&mount_point) {
+            if path.as_ref().starts_with(mount_point) {
                 // The relationship is "contain" because if we want to inject /a/b, and /a is a mount point, we can still
                 // use this method.
                 return Ok(true);

src/mount_injector.rs

@@ -125,7 +125,7 @@ impl MountInjector {
         let cloned_hookfs = hookfs.clone();
 
         let (before_mount_waiter, before_mount_guard) = stop::lock();
-        let handler = std::thread::spawn(box move || {
+        let handler = std::thread::spawn(Box::new(move || {
             let fs = hookfs::AsyncFileSystem::from(cloned_hookfs);
 
             std::fs::create_dir_all(new_path.as_path())?;
@@ -144,7 +144,7 @@ impl MountInjector {
             drop(hookfs::runtime::RUNTIME.write().unwrap().take().unwrap());
 
             Ok(())
-        });
+        }));
         // TODO: remove this. But wait for FUSE gets up
         // Related Issue: https://github.com/zargony/fuse-rs/issues/9
         before_mount_waiter.wait();