From 1ab58a21fb6ffcbd90ff5374599d0e80fed2d906 Mon Sep 17 00:00:00 2001
From: Harry Stern
Date: Sun, 3 Mar 2024 23:14:38 -0500
Subject: [PATCH 1/2] Update libc

Signed-off-by: Harry Stern
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index a1f4bfc..88dae9b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,6 +13,6 @@ edition = "2021"
 json = ["serde", "serde_json"]
 
 [dependencies]
-libc = "^0.2.39"
+libc = "^0.2.153"
 serde = { version = "^1.0.27", features = ["derive"], optional = true}
 serde_json = {version = "^1.0.9", optional = true}

From a7a9a7baa56e90add8a4d3f5b6ecc2f6dc3fc1bc Mon Sep 17 00:00:00 2001
From: Harry Stern
Date: Sun, 3 Mar 2024 23:15:03 -0500
Subject: [PATCH 2/2] Use libc seccomp constants

Use libc constants now that rust-lang/libc/pull/3343 is merged and released. SECCOMP_RET_MASK does not exist anymore and appears to have not existed for a while. SECCOMP_RET_DATA is exactly the same mask value, and the usage here is in line with the man page. Completes #60

Signed-off-by: Harry Stern
---
 src/backend/bpf.rs | 13 +------------
 src/backend/mod.rs | 14 ++++++++------
 src/lib.rs | 6 +-----
 3 files changed, 10 insertions(+), 23 deletions(-)

diff --git a/src/backend/bpf.rs b/src/backend/bpf.rs
index a29422a..aef397a 100644
--- a/src/backend/bpf.rs
+++ b/src/backend/bpf.rs
@@ -75,7 +75,7 @@ pub(crate) fn build_arch_validation_sequence(target_arch: TargetArch) -> Vec for u32 {
 fn from(action: SeccompAction) -> Self {
 match action {
 SeccompAction::Allow => SECCOMP_RET_ALLOW,
- SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_MASK),
+ SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_DATA),
 SeccompAction::KillThread => SECCOMP_RET_KILL_THREAD,
 SeccompAction::KillProcess => SECCOMP_RET_KILL_PROCESS,
 SeccompAction::Log => SECCOMP_RET_LOG,
- SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_MASK),
+ SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_DATA),
 SeccompAction::Trap => SECCOMP_RET_TRAP,
 }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 2e93b78..10f3a79 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -208,10 +208,6 @@ pub use backend::{
 SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule, TargetArch,
 };
 
-// Until https://github.com/rust-lang/libc/issues/3342 is fixed, define locally
-// From
-const SECCOMP_SET_MODE_FILTER: libc::c_int = 1;
-
 // BPF structure definition for filter array.
 // See /usr/include/linux/filter.h .
 #[repr(C)]
@@ -361,7 +357,7 @@ fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> R
 let rc = unsafe {
 libc::syscall(
 libc::SYS_seccomp,
- SECCOMP_SET_MODE_FILTER,
+ libc::SECCOMP_SET_MODE_FILTER,
 flags,
 bpf_prog_ptr,
 )
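Review bot: In the `fn from(action: SeccompAction) -> Self` conversion in src/backend/mod.rs, the `Errno(x)` and `Trace(x)` arms mask `x` with `SECCOMP_RET_DATA`, and nothing in the visible lines says that this keeps only the low 16 bits. A caller who passes a larger value gets a filter that returns a different errno or trace value than requested, with no error reported. Since `From` cannot fail, I would at least document it above the `Errno` arm: `// SECCOMP_RET_DATA keeps only the low 16 bits of x; larger values are truncated, not rejected.` If out-of-range values should be refused instead, that check would have to sit where the `SeccompAction` is built, which is not shown here. The hunk header for this file and the lines before the `match` are missing from the page, so this is based only on the arms that are visible.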