Do one add_seals call, rather than one per flag. (#4366)

When setting up a copy on write image, we add several seals, to prevent the image from being resized or modified. Set all the seals in a single call, rather than doing one call per seal.
2022-07-01 16:00:18 -07:00
parent f54ec712ef
commit a2197ebbeb
3 changed files with 10 additions and 8 deletions
--- a/crates/runtime/Cargo.toml
+++ b/crates/runtime/Cargo.toml
@@ -25,7 +25,7 @@ cfg-if = "1.0"
 backtrace = { version = "0.3.61" }
 rand = "0.8.3"
 anyhow = "1.0.38"
-memfd = { version = "0.4.1", optional = true }
+memfd = { version = "0.6.1", optional = true }

 [target.'cfg(target_os = "macos")'.dependencies]
 mach = "0.3.2"
--- a/crates/runtime/src/cow.rs
+++ b/crates/runtime/src/cow.rs
@@ -162,10 +162,12 @@ impl MemoryImage {
                // extra-super-sure that it never changes, and because
                // this costs very little, we use the kernel's "seal" API
                // to make the memfd image permanently read-only.
-                memfd.add_seal(memfd::FileSeal::SealGrow)?;
-                memfd.add_seal(memfd::FileSeal::SealShrink)?;
-                memfd.add_seal(memfd::FileSeal::SealWrite)?;
-                memfd.add_seal(memfd::FileSeal::SealSeal)?;
+                memfd.add_seals(&[
+                    memfd::FileSeal::SealGrow,
+                    memfd::FileSeal::SealShrink,
+                    memfd::FileSeal::SealWrite,
+                    memfd::FileSeal::SealSeal,
+                ])?;

                Ok(Some(MemoryImage {
                    fd: FdSource::Memfd(memfd),