From 3c4485ece37d1de95060963fde5c74c12564f5eb Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Fri, 16 Apr 2021 16:26:28 +1000
Subject: [PATCH] agent/rustjail: Clean up some static definitions with vec! macro
DEFAULT_ALLOWED_DEVICES and DEFAULT_DEVICES are essentially global constant lists. They're implemented as a lazy_static! initialized Vec values. The code to initialize them creates an empty Vec then pushes values onto it. We can simplify this a bit by using the vec! macro. This might be slightly more efficient, and it definitely stops recent clippy versions (e.g. 1.51) from complaining about it.
fixes #1611
Signed-off-by: David Gibson
---
 src/agent/rustjail/src/cgroups/fs/mod.rs | 102 ++++++++++-----------
 src/agent/rustjail/src/container.rs | 112 +++++++++++------------
 2 files changed, 106 insertions(+), 108 deletions(-)
diff --git a/src/agent/rustjail/src/cgroups/fs/mod.rs b/src/agent/rustjail/src/cgroups/fs/mod.rs
index 55aefed872..7f41cb4ddb 100644
--- a/src/agent/rustjail/src/cgroups/fs/mod.rs
+++ b/src/agent/rustjail/src/cgroups/fs/mod.rs
@@ -489,63 +489,61 @@ lazy_static! {
 };
 pub static ref DEFAULT_ALLOWED_DEVICES: Vec = {
- let mut v = Vec::new();
+ vec![
+ // all mknod to all char devices
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(WILDCARD),
+ minor: Some(WILDCARD),
+ access: "m".to_string(),
+ },
- // all mknod to all char devices
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(WILDCARD),
- minor: Some(WILDCARD),
- access: "m".to_string(),
- });
+ // all mknod to all block devices
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "b".to_string(),
+ major: Some(WILDCARD),
+ minor: Some(WILDCARD),
+ access: "m".to_string(),
+ },
- // all mknod to all block devices
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "b".to_string(),
- major: Some(WILDCARD),
- minor: Some(WILDCARD),
- access: "m".to_string(),
- });
+ // all read/write/mknod to char device /dev/console
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(5),
+ minor: Some(1),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/console
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(5),
- minor: Some(1),
- access: "rwm".to_string(),
- });
+ // all read/write/mknod to char device /dev/pts/
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(136),
+ minor: Some(WILDCARD),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/pts/
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(136),
- minor: Some(WILDCARD),
- access: "rwm".to_string(),
- });
+ // all read/write/mknod to char device /dev/ptmx
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(5),
+ minor: Some(2),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/ptmx
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(5),
- minor: Some(2),
- access: "rwm".to_string(),
- });
-
- // all read/write/mknod to char device /dev/net/tun
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(10),
- minor: Some(200),
- access: "rwm".to_string(),
- });
-
- v
+ // all read/write/mknod to char device /dev/net/tun
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(10),
+ minor: Some(200),
+ access: "rwm".to_string(),
+ },
+ ]
 };
 }
diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index 0cfc5e75cf..25be015e06 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
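Review bot: `DEFAULT_ALLOWED_DEVICES` is rewritten without gaining a doc comment, and it is the most security-relevant constant in this hunk: the first two entries set `allow: true` with `access: "m"` and `Some(WILDCARD)` for both major and minor on `c` and `b` (the hunk's own comments call this "all mknod to all char/block devices"), and the last grants `"rwm"` on 10:200, the /dev/net/tun node. Nothing above `pub static ref DEFAULT_ALLOWED_DEVICES` tells a reader auditing the container's device policy whether these are baseline rules applied to every container or why wildcard mknod is acceptable; from the hunk alone this looks like a copy of the OCI/runc default allowlist, but that should be stated by someone who can confirm it, together with how these rules are ordered relative to any deny rule the caller writes. I would add a doc comment such as `/// Baseline device-cgroup rules for every container (presumably mirrors runc's default device list -- confirm). The wildcard "m" entries permit creating any device node, so the caller is expected to write its deny rule ahead of this list -- verify in the code that applies these rules.` The enclosing `lazy_static!` block opens before this hunk.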
@@ -132,62 +132,62 @@ lazy_static! {
 };
 pub static ref DEFAULT_DEVICES: Vec = {
- let mut v = Vec::new();
- v.push(LinuxDevice {
- path: "/dev/null".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 3,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/zero".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 5,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/full".to_string(),
- r#type: String::from("c"),
- major: 1,
- minor: 7,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/tty".to_string(),
- r#type: "c".to_string(),
- major: 5,
- minor: 0,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/urandom".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 9,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/random".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 8,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v
+ vec![
+ LinuxDevice {
+ path: "/dev/null".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 3,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/zero".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 5,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/full".to_string(),
+ r#type: String::from("c"),
+ major: 1,
+ minor: 7,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/tty".to_string(),
+ r#type: "c".to_string(),
+ major: 5,
+ minor: 0,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/urandom".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 9,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/random".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 8,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ ]
 };
 }
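Review bot: The `/dev/full` entry still spells its type as `r#type: String::from("c"),` while the other five entries in the new `vec![...]` use `"c".to_string()`; a cleanup commit that rewrites exactly these literals should also align the odd one out: `r#type: "c".to_string(),`. Every entry repeats `uid: Some(0xffffffff)` / `gid: Some(0xffffffff)` and `file_mode: Some(0o666)` with nothing saying what the all-ones id means -- presumably "no explicit owner", but the hunk does not show how the consumer treats it, and a security reader auditing which nodes appear in every container with which ownership and mode has nowhere to start. A doc comment above `pub static ref DEFAULT_DEVICES`, e.g. `/// Device nodes created in every container regardless of the spec (presumably the OCI default set -- confirm); 0xffffffff for uid/gid is taken to mean "no explicit owner" -- verify against the code that creates these nodes.`, would let the list be reviewed without chasing callers. The enclosing `lazy_static!` block opens before this hunk.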