From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema. --- vendor/rustix/src/backend/linux_raw/system/mod.rs | 2 - .../src/backend/linux_raw/system/syscalls.rs | 91 ---------------------- .../rustix/src/backend/linux_raw/system/types.rs | 39 ---------- 3 files changed, 132 deletions(-) delete mode 100644 vendor/rustix/src/backend/linux_raw/system/mod.rs delete mode 100644 vendor/rustix/src/backend/linux_raw/system/syscalls.rs delete mode 100644 vendor/rustix/src/backend/linux_raw/system/types.rs (limited to 'vendor/rustix/src/backend/linux_raw/system') diff --git a/vendor/rustix/src/backend/linux_raw/system/mod.rs b/vendor/rustix/src/backend/linux_raw/system/mod.rs deleted file mode 100644 index 1e0181a9..00000000 --- a/vendor/rustix/src/backend/linux_raw/system/mod.rs +++ /dev/null @@ -1,2 +0,0 @@ -pub(crate) mod syscalls; -pub(crate) mod types; diff --git a/vendor/rustix/src/backend/linux_raw/system/syscalls.rs b/vendor/rustix/src/backend/linux_raw/system/syscalls.rs deleted file mode 100644 index bbee2680..00000000 --- a/vendor/rustix/src/backend/linux_raw/system/syscalls.rs +++ /dev/null @@ -1,91 +0,0 @@ -//! linux_raw syscalls supporting `rustix::system`. -//! -//! # Safety -//! -//! See the `rustix::backend` module documentation for details. -#![allow(unsafe_code, clippy::undocumented_unsafe_blocks)] - -use super::types::RawUname; -use crate::backend::c; -use crate::backend::conv::{c_int, ret, ret_infallible, slice}; -use crate::fd::BorrowedFd; -use crate::ffi::CStr; -use crate::io; -use crate::system::{RebootCommand, Sysinfo}; -use core::mem::MaybeUninit; - -#[inline] -pub(crate) fn uname() -> RawUname { - let mut uname = MaybeUninit::::uninit(); - unsafe { - ret_infallible(syscall!(__NR_uname, &mut uname)); - uname.assume_init() - } -} - -#[inline] -pub(crate) fn sysinfo() -> Sysinfo { - let mut info = MaybeUninit::::uninit(); - unsafe { - ret_infallible(syscall!(__NR_sysinfo, &mut info)); - info.assume_init() - } -} - -#[inline] -pub(crate) fn sethostname(name: &[u8]) -> io::Result<()> { - let (ptr, len) = slice(name); - unsafe { ret(syscall_readonly!(__NR_sethostname, ptr, len)) } -} - -#[inline] -pub(crate) fn setdomainname(name: &[u8]) -> io::Result<()> { - let (ptr, len) = slice(name); - unsafe { ret(syscall_readonly!(__NR_setdomainname, ptr, len)) } -} - -#[inline] -pub(crate) fn reboot(cmd: RebootCommand) -> io::Result<()> { - unsafe { - ret(syscall_readonly!( - __NR_reboot, - c_int(c::LINUX_REBOOT_MAGIC1), - c_int(c::LINUX_REBOOT_MAGIC2), - c_int(cmd as i32) - )) - } -} - -#[inline] -pub(crate) fn init_module(image: &[u8], param_values: &CStr) -> io::Result<()> { - let (image, len) = slice(image); - unsafe { - ret(syscall_readonly!( - __NR_init_module, - image, - len, - param_values - )) - } -} - -#[inline] -pub(crate) fn finit_module( - fd: BorrowedFd<'_>, - param_values: &CStr, - flags: c::c_int, -) -> io::Result<()> { - unsafe { - ret(syscall_readonly!( - __NR_finit_module, - fd, - param_values, - c_int(flags) - )) - } -} - -#[inline] -pub(crate) fn delete_module(name: &CStr, flags: c::c_int) -> io::Result<()> { - unsafe { ret(syscall_readonly!(__NR_delete_module, name, c_int(flags))) } -} diff --git a/vendor/rustix/src/backend/linux_raw/system/types.rs b/vendor/rustix/src/backend/linux_raw/system/types.rs deleted file mode 100644 index 92cc5278..00000000 --- a/vendor/rustix/src/backend/linux_raw/system/types.rs +++ /dev/null @@ -1,39 +0,0 @@ -use crate::ffi; -use core::mem::size_of; - -/// `sysinfo` -#[non_exhaustive] -#[repr(C)] -pub struct Sysinfo { - /// Seconds since boot - pub uptime: ffi::c_long, - /// 1, 5, and 15 minute load averages - pub loads: [ffi::c_ulong; 3], - /// Total usable main memory size - pub totalram: ffi::c_ulong, - /// Available memory size - pub freeram: ffi::c_ulong, - /// Amount of shared memory - pub sharedram: ffi::c_ulong, - /// Memory used by buffers - pub bufferram: ffi::c_ulong, - /// Total swap space size - pub totalswap: ffi::c_ulong, - /// Swap space still available - pub freeswap: ffi::c_ulong, - /// Number of current processes - pub procs: ffi::c_ushort, - - pub(crate) pad: ffi::c_ushort, - - /// Total high memory size - pub totalhigh: ffi::c_ulong, - /// Available high memory size - pub freehigh: ffi::c_ulong, - /// Memory unit size in bytes - pub mem_unit: ffi::c_uint, - - pub(crate) f: [u8; 20 - 2 * size_of::() - size_of::()], -} - -pub(crate) type RawUname = linux_raw_sys::system::new_utsname; -- cgit v1.2.3