diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /vendor/rustix/src/process/pidfd_getfd.rs | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'vendor/rustix/src/process/pidfd_getfd.rs')
| -rw-r--r-- | vendor/rustix/src/process/pidfd_getfd.rs | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/vendor/rustix/src/process/pidfd_getfd.rs b/vendor/rustix/src/process/pidfd_getfd.rs deleted file mode 100644 index 1be215e0..00000000 --- a/vendor/rustix/src/process/pidfd_getfd.rs +++ /dev/null @@ -1,56 +0,0 @@ -//! The [`pidfd_getfd`] function and supporting types. - -#![allow(unsafe_code)] -use crate::fd::OwnedFd; -use crate::{backend, ffi, io}; -use backend::fd::{AsFd, RawFd}; - -/// Raw file descriptor in another process. -/// -/// A distinct type alias is used here to inform the user that normal file -/// descriptors from the calling process should not be used. The provided file -/// descriptor is used by the kernel as the index into the file descriptor -/// table of an entirely different process. -pub type ForeignRawFd = RawFd; - -bitflags::bitflags! { - /// All flags are reserved for future use. - #[repr(transparent)] - #[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)] - pub struct PidfdGetfdFlags: ffi::c_uint { - /// <https://docs.rs/bitflags/*/bitflags/#externally-defined-flags> - const _ = !0; - } -} - -/// `syscall(SYS_pidfd_getfd, pidfd, flags)`—Obtain a duplicate of another -/// process' file descriptor. -/// -/// # References -/// - [Linux] -/// -/// # Warning -/// -/// This function is generally safe for the calling process, but it can impact -/// the target process in unexpected ways. If you want to ensure that Rust I/O -/// safety assumptions continue to hold in the target process, then the target -/// process must have communicated the file description number to the calling -/// process from a value of a type that implements `AsRawFd`, and the target -/// process must not drop that value until after the calling process has -/// returned from `pidfd_getfd`. -/// -/// When `pidfd_getfd` is used to debug the target, or the target is not a Rust -/// application, or `pidfd_getfd` is used in any other way, then extra care -/// should be taken to avoid unexpected behaviour or crashes. -/// -/// For further details, see the references above. -/// -/// [Linux]: https://man7.org/linux/man-pages/man2/pidfd_getfd.2.html -#[inline] -pub fn pidfd_getfd<Fd: AsFd>( - pidfd: Fd, - targetfd: ForeignRawFd, - flags: PidfdGetfdFlags, -) -> io::Result<OwnedFd> { - backend::process::syscalls::pidfd_getfd(pidfd.as_fd(), targetfd, flags) -} |