| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/rustix/src/backend/linux_raw/time | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from Envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar-inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/rustix/src/backend/linux_raw/time')
| -rw-r--r-- | vendor/rustix/src/backend/linux_raw/time/mod.rs | 2 | ||||
| -rw-r--r-- | vendor/rustix/src/backend/linux_raw/time/syscalls.rs | 238 | ||||
| -rw-r--r-- | vendor/rustix/src/backend/linux_raw/time/types.rs | 93 |
3 files changed, 0 insertions, 333 deletions
diff --git a/vendor/rustix/src/backend/linux_raw/time/mod.rs b/vendor/rustix/src/backend/linux_raw/time/mod.rs
deleted file mode 100644
index 1e0181a9..00000000
--- a/vendor/rustix/src/backend/linux_raw/time/mod.rs
+++ /dev/null
@@ -1,2 +0,0 @@
-pub(crate) mod syscalls;
-pub(crate) mod types;
diff --git a/vendor/rustix/src/backend/linux_raw/time/syscalls.rs b/vendor/rustix/src/backend/linux_raw/time/syscalls.rs
deleted file mode 100644
index 58a969d1..00000000
--- a/vendor/rustix/src/backend/linux_raw/time/syscalls.rs
+++ /dev/null
@@ -1,238 +0,0 @@
-//! linux_raw syscalls supporting `rustix::time`.
-//!
-//! # Safety
-//!
-//! See the `rustix::backend` module documentation for details.
-#![allow(unsafe_code, clippy::undocumented_unsafe_blocks)]
-
-use crate::backend::conv::{by_ref, ret, ret_infallible, ret_owned_fd};
-use crate::clockid::ClockId;
-use crate::fd::{BorrowedFd, OwnedFd};
-use crate::io;
-use crate::time::{Itimerspec, TimerfdClockId, TimerfdFlags, TimerfdTimerFlags};
-use crate::timespec::Timespec;
-use core::mem::MaybeUninit;
-#[cfg(target_pointer_width = "32")]
-use linux_raw_sys::general::itimerspec as __kernel_old_itimerspec;
-#[cfg(target_pointer_width = "32")]
-use linux_raw_sys::general::timespec as __kernel_old_timespec;
-
-// `clock_gettime` has special optimizations via the vDSO.
-pub(crate) use crate::backend::vdso_wrappers::{clock_gettime, clock_gettime_dynamic};
-
-#[inline]
-#[must_use]
-pub(crate) fn clock_getres(id: ClockId) -> Timespec {
- #[cfg(target_pointer_width = "32")]
- unsafe {
- let mut result = MaybeUninit::<Timespec>::uninit();
- if let Err(err) = ret(syscall!(__NR_clock_getres_time64, id, &mut result)) {
- // See the comments in `clock_gettime_via_syscall` about emulation.
- debug_assert_eq!(err, io::Errno::NOSYS);
- clock_getres_old(id, &mut result);
- }
- result.assume_init()
- }
- #[cfg(target_pointer_width = "64")]
- unsafe {
- let mut result = MaybeUninit::<Timespec>::uninit();
- ret_infallible(syscall!(__NR_clock_getres, id, &mut result));
- result.assume_init()
- }
-}
-
-#[cfg(target_pointer_width = "32")]
-unsafe fn clock_getres_old(id: ClockId, result: &mut MaybeUninit<Timespec>) {
- let mut old_result = MaybeUninit::<__kernel_old_timespec>::uninit();
- ret_infallible(syscall!(__NR_clock_getres, id, &mut old_result));
- let old_result = old_result.assume_init();
- result.write(Timespec {
- tv_sec: old_result.tv_sec.into(),
- tv_nsec: old_result.tv_nsec.into(),
- });
-}
-
-#[inline]
-pub(crate) fn clock_settime(id: ClockId, timespec: Timespec) -> io::Result<()> {
- // `clock_settime64` was introduced in Linux 5.1. The old `clock_settime`
- // syscall is not y2038-compatible on 32-bit architectures.
- #[cfg(target_pointer_width = "32")]
- unsafe {
- match ret(syscall_readonly!(
- __NR_clock_settime64,
- id,
- by_ref(×pec)
- )) {
- Err(io::Errno::NOSYS) => clock_settime_old(id, timespec),
- otherwise => otherwise,
- }
- }
- #[cfg(target_pointer_width = "64")]
- unsafe {
- ret(syscall_readonly!(__NR_clock_settime, id, by_ref(×pec)))
- }
-}
-
-#[cfg(target_pointer_width = "32")]
-unsafe fn clock_settime_old(id: ClockId, timespec: Timespec) -> io::Result<()> {
- let old_timespec = __kernel_old_timespec {
- tv_sec: timespec
- .tv_sec
- .try_into()
- .map_err(|_| io::Errno::OVERFLOW)?,
- tv_nsec: timespec.tv_nsec as _,
- };
- ret(syscall_readonly!(
- __NR_clock_settime,
- id,
- by_ref(&old_timespec)
- ))
-}
-
-#[inline]
-pub(crate) fn timerfd_create(clockid: TimerfdClockId, flags: TimerfdFlags) -> io::Result<OwnedFd> {
- unsafe { ret_owned_fd(syscall_readonly!(__NR_timerfd_create, clockid, flags)) }
-}
-
-#[inline]
-pub(crate) fn timerfd_settime(
- fd: BorrowedFd<'_>,
- flags: TimerfdTimerFlags,
- new_value: &Itimerspec,
-) -> io::Result<Itimerspec> {
- let mut result = MaybeUninit::<Itimerspec>::uninit();
-
- #[cfg(target_pointer_width = "64")]
- unsafe {
- ret(syscall!(
- __NR_timerfd_settime,
- fd,
- flags,
- by_ref(new_value),
- &mut result
- ))?;
- Ok(result.assume_init())
- }
-
- #[cfg(target_pointer_width = "32")]
- unsafe {
- ret(syscall!(
- __NR_timerfd_settime64,
- fd,
- flags,
- by_ref(new_value),
- &mut result
- ))
- .or_else(|err| {
- // See the comments in `clock_gettime_via_syscall` about emulation.
- if err == io::Errno::NOSYS {
- timerfd_settime_old(fd, flags, new_value, &mut result)
- } else {
- Err(err)
- }
- })?;
- Ok(result.assume_init())
- }
-}
-
-#[cfg(target_pointer_width = "32")]
-unsafe fn timerfd_settime_old(
- fd: BorrowedFd<'_>,
- flags: TimerfdTimerFlags,
- new_value: &Itimerspec,
- result: &mut MaybeUninit<Itimerspec>,
-) -> io::Result<()> {
- let mut old_result = MaybeUninit::<__kernel_old_itimerspec>::uninit();
-
- // Convert `new_value` to the old `__kernel_old_itimerspec` format.
- let old_new_value = __kernel_old_itimerspec {
- it_interval: __kernel_old_timespec {
- tv_sec: new_value
- .it_interval
- .tv_sec
- .try_into()
- .map_err(|_| io::Errno::OVERFLOW)?,
- tv_nsec: new_value
- .it_interval
- .tv_nsec
- .try_into()
- .map_err(|_| io::Errno::INVAL)?,
- },
- it_value: __kernel_old_timespec {
- tv_sec: new_value
- .it_value
- .tv_sec
- .try_into()
- .map_err(|_| io::Errno::OVERFLOW)?,
- tv_nsec: new_value
- .it_value
- .tv_nsec
- .try_into()
- .map_err(|_| io::Errno::INVAL)?,
- },
- };
- ret(syscall!(
- __NR_timerfd_settime,
- fd,
- flags,
- by_ref(&old_new_value),
- &mut old_result
- ))?;
- let old_result = old_result.assume_init();
- result.write(Itimerspec {
- it_interval: Timespec {
- tv_sec: old_result.it_interval.tv_sec.into(),
- tv_nsec: old_result.it_interval.tv_nsec.into(),
- },
- it_value: Timespec {
- tv_sec: old_result.it_value.tv_sec.into(),
- tv_nsec: old_result.it_value.tv_nsec.into(),
- },
- });
- Ok(())
-}
-
-#[inline]
-pub(crate) fn timerfd_gettime(fd: BorrowedFd<'_>) -> io::Result<Itimerspec> {
- let mut result = MaybeUninit::<Itimerspec>::uninit();
-
- #[cfg(target_pointer_width = "64")]
- unsafe {
- ret(syscall!(__NR_timerfd_gettime, fd, &mut result))?;
- Ok(result.assume_init())
- }
-
- #[cfg(target_pointer_width = "32")]
- unsafe {
- ret(syscall!(__NR_timerfd_gettime64, fd, &mut result)).or_else(|err| {
- // See the comments in `clock_gettime_via_syscall` about emulation.
- if err == io::Errno::NOSYS {
- timerfd_gettime_old(fd, &mut result)
- } else {
- Err(err)
- }
- })?;
- Ok(result.assume_init())
- }
-}
-
-#[cfg(target_pointer_width = "32")]
-unsafe fn timerfd_gettime_old(
- fd: BorrowedFd<'_>,
- result: &mut MaybeUninit<Itimerspec>,
-) -> io::Result<()> {
- let mut old_result = MaybeUninit::<__kernel_old_itimerspec>::uninit();
- ret(syscall!(__NR_timerfd_gettime, fd, &mut old_result))?;
- let old_result = old_result.assume_init();
- result.write(Itimerspec {
- it_interval: Timespec {
- tv_sec: old_result.it_interval.tv_sec.into(),
- tv_nsec: old_result.it_interval.tv_nsec.into(),
- },
- it_value: Timespec {
- tv_sec: old_result.it_value.tv_sec.into(),
- tv_nsec: old_result.it_value.tv_nsec.into(),
- },
- });
- Ok(())
-}
diff --git a/vendor/rustix/src/backend/linux_raw/time/types.rs b/vendor/rustix/src/backend/linux_raw/time/types.rs
deleted file mode 100644
index ec6c91f5..00000000
--- a/vendor/rustix/src/backend/linux_raw/time/types.rs
+++ /dev/null
@@ -1,93 +0,0 @@
-use crate::ffi;
-use bitflags::bitflags;
-
-bitflags! {
- /// `TFD_*` flags for use with [`timerfd_create`].
- ///
- /// [`timerfd_create`]: crate::time::timerfd_create
- #[repr(transparent)]
- #[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
- pub struct TimerfdFlags: ffi::c_uint {
- /// `TFD_NONBLOCK`
- #[doc(alias = "TFD_NONBLOCK")]
- const NONBLOCK = linux_raw_sys::general::TFD_NONBLOCK;
-
- /// `TFD_CLOEXEC`
- #[doc(alias = "TFD_CLOEXEC")]
- const CLOEXEC = linux_raw_sys::general::TFD_CLOEXEC;
-
- /// <https://docs.rs/bitflags/*/bitflags/#externally-defined-flags>
- const _ = !0;
- }
-}
-
-bitflags! {
- /// `TFD_TIMER_*` flags for use with [`timerfd_settime`].
- ///
- /// [`timerfd_settime`]: crate::time::timerfd_settime
- #[repr(transparent)]
- #[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
- pub struct TimerfdTimerFlags: ffi::c_uint {
- /// `TFD_TIMER_ABSTIME`
- #[doc(alias = "TFD_TIMER_ABSTIME")]
- const ABSTIME = linux_raw_sys::general::TFD_TIMER_ABSTIME;
-
- /// `TFD_TIMER_CANCEL_ON_SET`
- #[doc(alias = "TFD_TIMER_CANCEL_ON_SET")]
- const CANCEL_ON_SET = linux_raw_sys::general::TFD_TIMER_CANCEL_ON_SET;
-
- /// <https://docs.rs/bitflags/*/bitflags/#externally-defined-flags>
- const _ = !0;
- }
-}
-
-/// `CLOCK_*` constants for use with [`timerfd_create`].
-///
-/// [`timerfd_create`]: crate::time::timerfd_create
-#[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
-#[repr(u32)]
-#[non_exhaustive]
-pub enum TimerfdClockId {
- /// `CLOCK_REALTIME`—A clock that tells the “real” time.
- ///
- /// This is a clock that tells the amount of time elapsed since the Unix
- /// epoch, 1970-01-01T00:00:00Z. The clock is externally settable, so it is
- /// not monotonic. Successive reads may see decreasing times, so it isn't
- /// reliable for measuring durations.
- #[doc(alias = "CLOCK_REALTIME")]
- Realtime = linux_raw_sys::general::CLOCK_REALTIME,
-
- /// `CLOCK_MONOTONIC`—A clock that tells an abstract time.
- ///
- /// Unlike `Realtime`, this clock is not based on a fixed known epoch, so
- /// individual times aren't meaningful. However, since it isn't settable,
- /// it is reliable for measuring durations.
- ///
- /// This clock does not advance while the system is suspended; see
- /// `Boottime` for a clock that does.
- #[doc(alias = "CLOCK_MONOTONIC")]
- Monotonic = linux_raw_sys::general::CLOCK_MONOTONIC,
-
- /// `CLOCK_BOOTTIME`—Like `Monotonic`, but advances while suspended.
- ///
- /// This clock is similar to `Monotonic`, but does advance while the system
- /// is suspended.
- #[doc(alias = "CLOCK_BOOTTIME")]
- Boottime = linux_raw_sys::general::CLOCK_BOOTTIME,
-
- /// `CLOCK_REALTIME_ALARM`—Like `Realtime`, but wakes a suspended system.
- ///
- /// This clock is like `Realtime`, but can wake up a suspended system.
- ///
- /// Use of this clock requires the `CAP_WAKE_ALARM` Linux capability.
- #[doc(alias = "CLOCK_REALTIME_ALARM")]
- RealtimeAlarm = linux_raw_sys::general::CLOCK_REALTIME_ALARM,
-
- /// `CLOCK_BOOTTIME_ALARM`—Like `Boottime`, but wakes a suspended system.
- ///
- /// This clock is like `Boottime`, but can wake up a suspended system.
- ///
- /// Use of this clock requires the `CAP_WAKE_ALARM` Linux capability.
- #[doc(alias = "CLOCK_BOOTTIME_ALARM")]
- BoottimeAlarm = linux_raw_sys::general::CLOCK_BOOTTIME_ALARM,
-} |
