dep: update nix dependency

To fix CVE-2021-45707 that affects nix < 0.20.2. Fixes: #4929 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2025-04-29 20:24:31 +00:00 · 2022-08-16 17:46:05 +08:00 · 2022-08-16 17:46:05 +08:00 · 338c282950
commit 338c282950
parent 82ad43f9bf
13 changed files with 379 additions and 108 deletions
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@ -718,21 +718,20 @@ checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"

 [[package]]
 name = "libseccomp"
-version = "0.1.3"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36ad71a5b66ceef3acfe6a3178b29b4da063f8bcb2c36dab666d52a7a9cfdb86"
+checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80"
 dependencies = [
 "libc",
 "libseccomp-sys",
- "nix 0.17.0",
 "pkg-config",
 ]

 [[package]]
 name = "libseccomp-sys"
-version = "0.1.1"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "539912de229a4fc16e507e8df12a394038a524a5b5b6c92045ad344472aac475"
+checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"

 [[package]]
 name = "lock_api"
@ -905,19 +904,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "nix"
-version = "0.17.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363"
-dependencies = [
- "bitflags",
- "cc",
- "cfg-if 0.1.10",
- "libc",
- "void",
-]
-
 [[package]]
 name = "nix"
 version = "0.23.1"
@ -2057,12 +2043,6 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"

-[[package]]
-name = "void"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
-
 [[package]]
 name = "vsock"
 version = "0.2.6"
@ -2081,7 +2061,7 @@ dependencies = [
 "bincode",
 "byteorder",
 "libc",
- "nix 0.23.1",
+ "nix 0.24.2",
 "opentelemetry",
 "serde",
 "slog",
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@ -12,7 +12,7 @@ lazy_static = "1.3.0"
 ttrpc = { version = "0.6.0", features = ["async"], default-features = false }
 protobuf = "2.27.0"
 libc = "0.2.58"
-nix = "0.24.1"
+nix = "0.24.2"
 capctl = "0.2.0"
 serde_json = "1.0.39"
 scan_fmt = "0.2.3"
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@ -31,7 +31,7 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
 futures = "0.3.17"
 async-trait = "0.1.31"
 inotify = "0.9.2"
-libseccomp = { version = "0.1.3", optional = true }
+libseccomp = { version = "0.2.3", optional = true }

 [dev-dependencies]
 serial_test = "0.5.0"
--- a/src/agent/rustjail/src/seccomp.rs
+++ b/src/agent/rustjail/src/seccomp.rs
@ -26,12 +26,15 @@ fn get_rule_conditions(args: &[LinuxSeccompArg]) -> Result<Vec<ScmpArgCompare>>
            return Err(anyhow!("seccomp opreator is required"));
        }

-        let cond = ScmpArgCompare::new(
-            arg.index,
-            ScmpCompareOp::from_str(&arg.op)?,
-            arg.value,
-            Some(arg.value_two),
-        );
+        let mut op = ScmpCompareOp::from_str(&arg.op)?;
+        let mut value = arg.value;
+        // For SCMP_CMP_MASKED_EQ, arg.value is the mask and arg.value_two is the value
+        if op == ScmpCompareOp::MaskedEqual(u64::default()) {
+            op = ScmpCompareOp::MaskedEqual(arg.value);
+            value = arg.value_two;
+        }
+
+        let cond = ScmpArgCompare::new(arg.index, op, value);

        conditions.push(cond);
    }
@ -44,7 +47,7 @@ pub fn get_unknown_syscalls(scmp: &LinuxSeccomp) -> Option<Vec<String>> {

    for syscall in &scmp.syscalls {
        for name in &syscall.names {
-            if get_syscall_from_name(name, None).is_err() {
+            if ScmpSyscall::from_name(name).is_err() {
                unknown_syscalls.push(name.to_string());
            }
        }
@ -60,7 +63,7 @@ pub fn get_unknown_syscalls(scmp: &LinuxSeccomp) -> Option<Vec<String>> {
 // init_seccomp creates a seccomp filter and loads it for the current process
 // including all the child processes.
 pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
-    let def_action = ScmpAction::from_str(scmp.default_action.as_str(), Some(libc::EPERM as u32))?;
+    let def_action = ScmpAction::from_str(scmp.default_action.as_str(), Some(libc::EPERM as i32))?;

    // Create a new filter context
    let mut filter = ScmpFilterContext::new_filter(def_action)?;
@ -72,7 +75,7 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
    }

    // Unset no new privileges bit
-    filter.set_no_new_privs_bit(false)?;
+    filter.set_ctl_nnp(false)?;

    // Add a rule for each system call
    for syscall in &scmp.syscalls {
@ -80,13 +83,13 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
            return Err(anyhow!("syscall name is required"));
        }

-        let action = ScmpAction::from_str(&syscall.action, Some(syscall.errno_ret))?;
+        let action = ScmpAction::from_str(&syscall.action, Some(syscall.errno_ret as i32))?;
        if action == def_action {
            continue;
        }

        for name in &syscall.names {
-            let syscall_num = match get_syscall_from_name(name, None) {
+            let syscall_num = match ScmpSyscall::from_name(name) {
                Ok(num) => num,
                Err(_) => {
                    // If we cannot resolve the given system call, we assume it is not supported
@ -96,10 +99,10 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
            };

            if syscall.args.is_empty() {
-                filter.add_rule(action, syscall_num, None)?;
+                filter.add_rule(action, syscall_num)?;
            } else {
                let conditions = get_rule_conditions(&syscall.args)?;
-                filter.add_rule(action, syscall_num, Some(&conditions))?;
+                filter.add_rule_conditional(action, syscall_num, &conditions)?;
            }
        }
    }
--- a/src/agent/vsock-exporter/Cargo.toml
+++ b/src/agent/vsock-exporter/Cargo.toml
@ -7,7 +7,7 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]
-nix = "0.23.0"
+nix = "0.24.2"
 libc = "0.2.94"
 thiserror = "1.0.26"
 opentelemetry = { version = "0.14.0", features=["serialize"] }
--- a/src/dragonball/Cargo.toml
+++ b/src/dragonball/Cargo.toml
@ -28,7 +28,7 @@ lazy_static = "1.2"
 libc = "0.2.39"
 linux-loader = "0.4.0"
 log = "0.4.14"
-nix = "0.23.1"
+nix = "0.24.2"
 seccompiler = "0.2.0"
 serde = "1.0.27"
 serde_derive = "1.0.27"
--- a/src/libs/kata-sys-util/Cargo.toml
+++ b/src/libs/kata-sys-util/Cargo.toml
@ -18,7 +18,7 @@ common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
-nix = "0.24.1"
+nix = "0.24.2"
 once_cell = "1.9.0"
 serde_json = "1.0.73"
 slog = "2.5.2"
--- a/src/runtime-rs/Cargo.lock
+++ b/src/runtime-rs/Cargo.lock
@ -99,6 +99,52 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8da52d66c7071e2e3fa2a1e5c6d088fec47b593032b254f5e980de8ea54454d6"

+[[package]]
+name = "async-macros"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421d59b24c1feea2496e409b3e0a8de23e5fc130a2ddc0b012e551f3b272bba"
+dependencies = [
+ "futures-core-preview",
+ "pin-utils",
+]
+
+[[package]]
+name = "async-std"
+version = "0.99.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44501a9f7961bb539b67be0c428b3694e26557046a52759ca7eaf790030a64cc"
+dependencies = [
+ "async-macros",
+ "async-task",
+ "crossbeam-channel 0.3.9",
+ "crossbeam-deque",
+ "crossbeam-utils 0.6.6",
+ "futures-core",
+ "futures-io",
+ "futures-timer 1.0.3",
+ "kv-log-macro",
+ "log",
+ "memchr",
+ "mio 0.6.23",
+ "mio-uds",
+ "num_cpus",
+ "once_cell",
+ "pin-project-lite 0.1.12",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "async-task"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ac2c016b079e771204030951c366db398864f5026f84a44dafb0ff20f02085d"
+dependencies = [
+ "libc",
+ "winapi 0.3.9",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.56"
@ -280,7 +326,7 @@ dependencies = [
 "num-integer",
 "num-traits",
 "time 0.1.43",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -294,8 +340,9 @@ dependencies = [
 "kata-sys-util",
 "kata-types",
 "lazy_static",
- "nix 0.24.1",
+ "nix 0.24.2",
 "oci",
+ "persist",
 "protobuf",
 "serde_json",
 "slog",
@ -353,6 +400,15 @@ dependencies = [
 "cfg-if 1.0.0",
 ]

+[[package]]
+name = "crossbeam-channel"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ec7fcd21571dc78f96cc96243cab8d8f035247c3efd16c687be154c3fa9efa"
+dependencies = [
+ "crossbeam-utils 0.6.6",
+]
+
 [[package]]
 name = "crossbeam-channel"
 version = "0.5.4"
@ -360,7 +416,54 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53"
 dependencies = [
 "cfg-if 1.0.0",
- "crossbeam-utils",
+ "crossbeam-utils 0.8.8",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c20ff29ded3204c5106278a81a38f4b482636ed4fa1e6cfbeef193291beb29ed"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils 0.7.2",
+ "maybe-uninit",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
+dependencies = [
+ "autocfg",
+ "cfg-if 0.1.10",
+ "crossbeam-utils 0.7.2",
+ "lazy_static",
+ "maybe-uninit",
+ "memoffset 0.5.6",
+ "scopeguard",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04973fa96e96579258a5091af6003abde64af786b860f18622b82e026cca60e6"
+dependencies = [
+ "cfg-if 0.1.10",
+ "lazy_static",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
+dependencies = [
+ "autocfg",
+ "cfg-if 0.1.10",
+ "lazy_static",
 ]

 [[package]]
@ -383,6 +486,16 @@ dependencies = [
 "typenum",
 ]

+[[package]]
+name = "ctor"
+version = "0.1.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f877be4f7c9f246b183111634f75baa039715e3f46ce860677d3b19a69fb229c"
+dependencies = [
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "darling"
 version = "0.13.4"
@ -460,7 +573,7 @@ dependencies = [
 "kvm-bindings",
 "kvm-ioctls",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
 "vm-memory",
 "vmm-sys-util",
 ]
@ -520,7 +633,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b773f7f1b9088438e9746890c7c0836b133b07935812867a33e06e81c92c0cdc"
 dependencies = [
 "libc",
- "mio",
+ "mio 0.8.3",
 ]

 [[package]]
@ -631,7 +744,7 @@ dependencies = [
 "libc",
 "linux-loader",
 "log",
- "nix 0.23.1",
+ "nix 0.24.2",
 "seccompiler",
 "serde",
 "serde_derive",
@ -668,7 +781,7 @@ checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1"
 dependencies = [
 "errno-dragonfly",
 "libc",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -749,6 +862,22 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"

+[[package]]
+name = "fuchsia-zircon"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e9763c69ebaae630ba35f74888db465e49e259ba1bc0eda7d06f4a067615d82"
+dependencies = [
+ "bitflags",
+ "fuchsia-zircon-sys",
+]
+
+[[package]]
+name = "fuchsia-zircon-sys"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7"
+
 [[package]]
 name = "fuse-backend-rs"
 version = "0.9.0"
@ -763,7 +892,7 @@ dependencies = [
 "lazy_static",
 "libc",
 "log",
- "mio",
+ "mio 0.8.3",
 "nix 0.23.1",
 "virtio-queue",
 "vm-memory",
@ -807,6 +936,12 @@ version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c09fd04b7e4073ac7156a9539b57a484a8ea920f79c7c675d05d289ab6110d3"

+[[package]]
+name = "futures-core-preview"
+version = "0.3.0-alpha.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b35b6263fb1ef523c3056565fa67b1d16f0a8604ff12b11b08c25f28a734c60a"
+
 [[package]]
 name = "futures-executor"
 version = "0.3.21"
@ -847,6 +982,16 @@ version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c66a976bf5909d801bbef33416c41372779507e7a6b3a5e25e4749c58f776a"

+[[package]]
+name = "futures-timer"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7946248e9429ff093345d3e8fdf4eb0f9b2d79091611c9c14f744971a6f8be45"
+dependencies = [
+ "futures-core-preview",
+ "pin-utils",
+]
+
 [[package]]
 name = "futures-timer"
 version = "3.0.2"
@ -866,7 +1011,7 @@ dependencies = [
 "futures-sink",
 "futures-task",
 "memchr",
- "pin-project-lite",
+ "pin-project-lite 0.2.9",
 "pin-utils",
 "slab",
 ]
@ -932,7 +1077,7 @@ checksum = "19775995ee20209163239355bc3ad2f33f83da35d9ef72dea26e5af753552c87"
 dependencies = [
 "dashmap",
 "futures 0.3.21",
- "futures-timer",
+ "futures-timer 3.0.2",
 "no-std-compat",
 "nonzero_ext",
 "parking_lot 0.12.1",
@ -990,8 +1135,10 @@ dependencies = [
 "kata-types",
 "libc",
 "logging",
- "nix 0.24.1",
+ "nix 0.24.2",
+ "persist",
 "seccompiler",
+ "serde",
 "serde_json",
 "slog",
 "slog-scope",
@ -1106,7 +1253,7 @@ dependencies = [
 "kata-types",
 "lazy_static",
 "libc",
- "nix 0.24.1",
+ "nix 0.24.2",
 "oci",
 "once_cell",
 "rand 0.7.3",
@ -1135,6 +1282,25 @@ dependencies = [
 "toml 0.5.9",
 ]

+[[package]]
+name = "kernel32-sys"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d"
+dependencies = [
+ "winapi 0.2.8",
+ "winapi-build",
+]
+
+[[package]]
+name = "kv-log-macro"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+dependencies = [
+ "log",
+]
+
 [[package]]
 name = "kvm-bindings"
 version = "0.5.0"
@ -1210,6 +1376,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
 dependencies = [
 "cfg-if 1.0.0",
+ "value-bag",
 ]

 [[package]]
@ -1248,12 +1415,27 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f"

+[[package]]
+name = "maybe-uninit"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60302e4db3a61da70c0cb7991976248362f30319e88850c487b9b95bbf059e00"
+
 [[package]]
 name = "memchr"
 version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"

+[[package]]
+name = "memoffset"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "memoffset"
 version = "0.6.5"
@ -1272,6 +1454,25 @@ dependencies = [
 "adler",
 ]

+[[package]]
+name = "mio"
+version = "0.6.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4afd66f5b91bf2a3bc13fad0e21caedac168ca4c707504e75585648ae80e4cc4"
+dependencies = [
+ "cfg-if 0.1.10",
+ "fuchsia-zircon",
+ "fuchsia-zircon-sys",
+ "iovec",
+ "kernel32-sys",
+ "libc",
+ "log",
+ "miow",
+ "net2",
+ "slab",
+ "winapi 0.2.8",
+]
+
 [[package]]
 name = "mio"
 version = "0.8.3"
@ -1284,12 +1485,46 @@ dependencies = [
 "windows-sys",
 ]

+[[package]]
+name = "mio-uds"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "afcb699eb26d4332647cc848492bbc15eafb26f08d0304550d5aa1f612e066f0"
+dependencies = [
+ "iovec",
+ "libc",
+ "mio 0.6.23",
+]
+
+[[package]]
+name = "miow"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebd808424166322d4a38da87083bfddd3ac4c131334ed55856112eb06d46944d"
+dependencies = [
+ "kernel32-sys",
+ "net2",
+ "winapi 0.2.8",
+ "ws2_32-sys",
+]
+
 [[package]]
 name = "multimap"
 version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a"

+[[package]]
+name = "net2"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "391630d12b68002ae1e25e8f974306474966550ad82dac6886fb8910c19568ae"
+dependencies = [
+ "cfg-if 0.1.10",
+ "libc",
+ "winapi 0.3.9",
+]
+
 [[package]]
 name = "netlink-packet-core"
 version = "0.4.2"
@ -1356,19 +1591,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "nix"
-version = "0.16.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd0eaf8df8bab402257e0a5c17a254e4cc1f72a93588a1ddfb5d356c801aa7cb"
-dependencies = [
- "bitflags",
- "cc",
- "cfg-if 0.1.10",
- "libc",
- "void",
-]
-
 [[package]]
 name = "nix"
 version = "0.23.1"
@ -1379,19 +1601,19 @@ dependencies = [
 "cc",
 "cfg-if 1.0.0",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
 ]

 [[package]]
 name = "nix"
-version = "0.24.1"
+version = "0.24.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f17df307904acd05aa8e32e97bb20f2a0df1728bbc2d771ae8f9a90463441e9"
+checksum = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc"
 dependencies = [
 "bitflags",
 "cfg-if 1.0.0",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
 ]

 [[package]]
@ -1539,7 +1761,7 @@ dependencies = [
 "libc",
 "redox_syscall",
 "smallvec",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -1567,6 +1789,21 @@ version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"

+[[package]]
+name = "persist"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "async-trait",
+ "kata-sys-util",
+ "kata-types",
+ "libc",
+ "rustc-serialize",
+ "safe-path",
+ "serde",
+ "serde_json",
+]
+
 [[package]]
 name = "petgraph"
 version = "0.5.1"
@ -1577,6 +1814,12 @@ dependencies = [
 "indexmap",
 ]

+[[package]]
+name = "pin-project-lite"
+version = "0.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "257b64915a082f7811703966789728173279bdebb956b143dbcd23f6f970a777"
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.9"
@ -1701,14 +1944,14 @@ version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "20afe714292d5e879d8b12740aa223c6a88f118af41870e8b6196e39a02238a8"
 dependencies = [
- "crossbeam-utils",
+ "crossbeam-utils 0.8.8",
 "libc",
 "mach",
 "once_cell",
 "raw-cpuid",
 "wasi 0.10.2+wasi-snapshot-preview1",
 "web-sys",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -1768,7 +2011,7 @@ dependencies = [
 "libc",
 "rand_core 0.3.1",
 "rdrand",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -1907,7 +2150,7 @@ version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
 dependencies = [
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -1929,11 +2172,13 @@ dependencies = [
 "logging",
 "netlink-packet-route",
 "netlink-sys",
- "nix 0.24.1",
+ "nix 0.24.2",
 "oci",
+ "persist",
 "rand 0.7.3",
 "rtnetlink",
 "scopeguard",
+ "serde",
 "slog",
 "slog-scope",
 "tokio",
@ -1959,7 +2204,7 @@ dependencies = [
 "log",
 "netlink-packet-route",
 "netlink-proto",
- "nix 0.24.1",
+ "nix 0.24.2",
 "thiserror",
 "tokio",
 ]
@ -1975,6 +2220,7 @@ dependencies = [
 "linux_container",
 "logging",
 "oci",
+ "persist",
 "slog",
 "slog-scope",
 "tokio",
@ -1988,6 +2234,12 @@ version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"

+[[package]]
+name = "rustc-serialize"
+version = "0.3.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
+
 [[package]]
 name = "rustix"
 version = "0.34.8"
@ -1999,7 +2251,7 @@ dependencies = [
 "io-lifetimes",
 "libc",
 "linux-raw-sys",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2014,6 +2266,13 @@ version = "1.0.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695"

+[[package]]
+name = "safe-path"
+version = "0.1.0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.1.0"
@ -2031,18 +2290,18 @@ dependencies = [

 [[package]]
 name = "serde"
-version = "1.0.137"
+version = "1.0.143"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61ea8d54c77f8315140a05f4c7237403bf38b72704d031543aa1d16abbf517d1"
+checksum = "53e8e5d5b70924f74ff5c6d64d9a5acd91422117c60f48c4e07855238a254553"
 dependencies = [
 "serde_derive",
 ]

 [[package]]
 name = "serde_derive"
-version = "1.0.137"
+version = "1.0.143"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be"
+checksum = "d3d8e8de557aee63c26b85b947f5e59b690d0454c753f3adeb5cd7835ab88391"
 dependencies = [
 "proc-macro2",
 "quote",
@ -2051,9 +2310,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.81"
+version = "1.0.83"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b7ce2b32a1aed03c558dc61a5cd328f15aff2dbc17daad8fb8af04d2100e15c"
+checksum = "38dd04e3c8279e75b31ef29dbdceebfe5ad89f4d0937213c53f7d49d01b3d5a7"
 dependencies = [
 "itoa",
 "ryu",
@ -2113,6 +2372,7 @@ dependencies = [
 "common",
 "containerd-shim-protos",
 "logging",
+ "persist",
 "runtimes",
 "slog",
 "slog-scope",
@ -2146,7 +2406,7 @@ dependencies = [
 "libc",
 "log",
 "logging",
- "nix 0.24.1",
+ "nix 0.24.2",
 "oci",
 "protobuf",
 "rand 0.8.5",
@ -2191,7 +2451,7 @@ version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "766c59b252e62a34651412870ff55d8c4e6d04df19b43eecb2703e417b097ffe"
 dependencies = [
- "crossbeam-channel",
+ "crossbeam-channel 0.5.4",
 "slog",
 "take_mut",
 "thread_local",
@ -2244,7 +2504,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66d72b759436ae32898a2af0a14218dbf55efde3feeb170eb623637db85ee1e0"
 dependencies = [
 "libc",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2316,7 +2576,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c2e86926081dda636c546d8c5e641661049d7562a68f5488be4a1f7f66f6086"
 dependencies = [
 "libc",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2353,7 +2613,7 @@ dependencies = [
 "libc",
 "redox_syscall",
 "remove_dir_all",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2408,7 +2668,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
 "libc",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2455,15 +2715,15 @@ dependencies = [
 "bytes 1.1.0",
 "libc",
 "memchr",
- "mio",
+ "mio 0.8.3",
 "num_cpus",
 "once_cell",
 "parking_lot 0.12.1",
- "pin-project-lite",
+ "pin-project-lite 0.2.9",
 "signal-hook-registry",
 "socket2",
 "tokio-macros",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2617,6 +2877,16 @@ dependencies = [
 "rand 0.3.23",
 ]

+[[package]]
+name = "value-bag"
+version = "1.0.0-alpha.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2209b78d1249f7e6f3293657c9779fe31ced465df091bbd433a1cf88e916ec55"
+dependencies = [
+ "ctor",
+ "version_check",
+]
+
 [[package]]
 name = "version_check"
 version = "0.9.4"
@ -2629,6 +2899,7 @@ version = "0.1.0"
 dependencies = [
 "agent",
 "anyhow",
+ "async-std",
 "async-trait",
 "awaitgroup",
 "common",
@ -2640,8 +2911,9 @@ dependencies = [
 "lazy_static",
 "libc",
 "logging",
- "nix 0.16.1",
+ "nix 0.24.2",
 "oci",
+ "persist",
 "protobuf",
 "resource",
 "serde",
@ -2685,7 +2957,7 @@ checksum = "339d4349c126fdcd87e034631d7274370cf19eb0e87b33166bcd956589fc72c5"
 dependencies = [
 "arc-swap 1.5.0",
 "libc",
- "winapi",
+ "winapi 0.3.9",
 ]

 [[package]]
@ -2704,12 +2976,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "void"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
-
 [[package]]
 name = "vsock"
 version = "0.2.6"
@ -2824,6 +3090,12 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "winapi"
+version = "0.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a"
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
@ -2834,6 +3106,12 @@ dependencies = [
 "winapi-x86_64-pc-windows-gnu",
 ]

+[[package]]
+name = "winapi-build"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc"
+
 [[package]]
 name = "winapi-i686-pc-windows-gnu"
 version = "0.4.0"
@ -2889,6 +3167,16 @@ version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"

+[[package]]
+name = "ws2_32-sys"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d59cefebd0c892fa2dd6de581e937301d8552cb44489cdff035c6187cb63fa5e"
+dependencies = [
+ "winapi 0.2.8",
+ "winapi-build",
+]
+
 [[package]]
 name = "zstd"
 version = "0.11.2+zstd.1.5.2"
--- a/src/runtime-rs/crates/hypervisor/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/Cargo.toml
@ -12,7 +12,7 @@ async-trait = "0.1.48"
 dbs-utils = "0.1.0"
 go-flag = "0.1.0"
 libc = ">=0.2.39"
-nix = "0.24.1"
+nix = "0.24.2"
 persist = { path = "../persist" }
 seccompiler = "0.2.0"
 serde = { version = "1.0.138", features = ["derive"] }
--- a/src/runtime-rs/crates/resource/Cargo.toml
+++ b/src/runtime-rs/crates/resource/Cargo.toml
@ -14,7 +14,7 @@ lazy_static = "1.4.0"
 libc = ">=0.2.39"
 netlink-sys = "0.8.3"
 netlink-packet-route = "0.13.0"
-nix = "0.24.1"
+nix = "0.24.2"
 rand = "^0.7.2"
 rtnetlink = "0.11.0"
 scopeguard = "1.0.0"
--- a/src/runtime-rs/crates/runtimes/common/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/common/Cargo.toml
@ -11,7 +11,7 @@ anyhow = "^1.0"
 async-trait = "0.1.48"
 containerd-shim-protos = { version = "0.2.0", features = ["async"]}
 lazy_static = "1.4.0"
-nix = "0.24.1"
+nix = "0.24.2"
 protobuf = "2.27.0"
 serde_json = "1.0.39"
 slog = "2.5.2"
--- a/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
@ -12,7 +12,7 @@ containerd-shim-protos = { version = "0.2.0", features = ["async"]}
 futures = "0.3.19"
 lazy_static = "1.4.0"
 libc = ">=0.2.39"
-nix = "0.16.0"
+nix = "0.24.2"
 protobuf = "2.27.0"
 serde = { version = "1.0.100", features = ["derive"] }
 serde_derive = "1.0.27"
--- a/src/runtime-rs/crates/shim/Cargo.toml
+++ b/src/runtime-rs/crates/shim/Cargo.toml
@ -19,7 +19,7 @@ containerd-shim-protos = { version = "0.2.0", features = ["async"]}
 go-flag = "0.1.0"
 libc = "0.2.108"
 log = "0.4.14"
-nix = "0.24.1"
+nix = "0.24.2"
 protobuf = "2.27.0"
 sha2 = "=0.9.3"
 slog = {version = "2.5.2", features = ["std", "release_max_level_trace", "max_level_trace"]}