Do one add_seals call, rather than one per flag. (#4366)

When setting up a copy on write image, we add several seals, to prevent
the image from being resized or modified. Set all the seals in a single
call, rather than doing one call per seal.

Cargo.lock

@@ -1631,11 +1631,11 @@ checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
 
 [[package]]
 name = "memfd"
-version = "0.4.1"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6627dc657574b49d6ad27105ed671822be56e0d2547d413bfbf3e8d8fa92e7a"
+checksum = "480b5a5de855d11ff13195950bdc8b98b5e942ef47afc447f6615cdcc4e15d80"
 dependencies = [
- "libc",
+ "rustix",
 ]
 
 [[package]]

crates/runtime/Cargo.toml

@@ -25,7 +25,7 @@ cfg-if = "1.0"
 backtrace = { version = "0.3.61" }
 rand = "0.8.3"
 anyhow = "1.0.38"
-memfd = { version = "0.4.1", optional = true }
+memfd = { version = "0.6.1", optional = true }
 
 [target.'cfg(target_os = "macos")'.dependencies]
 mach = "0.3.2"

crates/runtime/src/cow.rs

@@ -162,10 +162,12 @@ impl MemoryImage {
                 // extra-super-sure that it never changes, and because
                 // this costs very little, we use the kernel's "seal" API
                 // to make the memfd image permanently read-only.
-                memfd.add_seal(memfd::FileSeal::SealGrow)?;
+                memfd.add_seals(&[
-                memfd.add_seal(memfd::FileSeal::SealShrink)?;
+                    memfd::FileSeal::SealGrow,
-                memfd.add_seal(memfd::FileSeal::SealWrite)?;
+                    memfd::FileSeal::SealShrink,
-                memfd.add_seal(memfd::FileSeal::SealSeal)?;
+                    memfd::FileSeal::SealWrite,
+                    memfd::FileSeal::SealSeal,
+                ])?;
 
                 Ok(Some(MemoryImage {
                     fd: FdSource::Memfd(memfd),