Update seccomp.rs

michal92299 · web-flow · commit 01809a29e550 · 2026-04-03T10:55:41.000+02:00
diff --git a/source-code/src/seccomp.rs b/source-code/src/seccomp.rs
@@ -4,45 +4,45 @@ use miette::{miette, Result};
 
 pub fn apply_seccomp(profile_path: &str) -> Result<()> {
     let content = fs::read_to_string(profile_path)
-    .map_err(|e| miette!("Failed to read seccomp profile: {}", e))?;
+        .map_err(|e| miette!("Failed to read seccomp profile: {}", e))?;
 
     let profile: SeccompProfile = serde_json::from_str(&content)
-    .map_err(|e| miette!("Invalid seccomp profile: {}", e))?;
+        .map_err(|e| miette!("Invalid seccomp profile: {}", e))?;
 
     let default_action = str_to_scmp_action(&profile.default_action);
 
     let mut filter = ScmpFilterContext::new_filter(default_action)
-    .map_err(|e| miette!("Failed to create seccomp filter: {}", e))?;
+        .map_err(|e| miette!("Failed to create seccomp filter: {}", e))?;
 
     for arch in &profile.architectures {
         filter
-        .add_arch(str_to_scmp_arch(arch))
-        .map_err(|e| miette!("Failed to add arch {}: {}", arch, e))?;
+            .add_arch(str_to_scmp_arch(arch))
+            .map_err(|e| miette!("Failed to add arch {}: {}", arch, e))?;
     }
 
     for syscall_rule in &profile.syscalls {
         let action = str_to_scmp_action(&syscall_rule.action);
         for name in &syscall_rule.names {
             let syscall = ScmpSyscall::from_name(name)
-            .map_err(|e| miette!("Unknown syscall '{}': {}", name, e))?;
+                .map_err(|e| miette!("Unknown syscall '{}': {}", name, e))?;
             filter
-            .add_rule(action, syscall)
-            .map_err(|e| miette!("Failed to add rule for '{}': {}", name, e))?;
+                .add_rule(action, syscall)
+                .map_err(|e| miette!("Failed to add rule for '{}': {}", name, e))?;
         }
     }
 
     filter
-    .load()
-    .map_err(|e| miette!("Failed to load seccomp filter: {}", e))?;
+        .load()
+        .map_err(|e| miette!("Failed to load seccomp filter: {}", e))?;
 
     Ok(())
 }
 
 #[derive(serde::Deserialize)]
 struct SeccompProfile {
     default_action: String,
-        architectures: Vec<String>,
-        syscalls: Vec<SyscallRule>,
+    architectures: Vec<String>,
+    syscalls: Vec<SyscallRule>,
 }
 
 #[derive(serde::Deserialize)]
@@ -58,13 +58,13 @@ fn str_to_scmp_action(s: &str) -> ScmpAction {
         "SCMP_ACT_KILL_PROCESS" => ScmpAction::KillProcess,
         "SCMP_ACT_TRAP"  => ScmpAction::Trap,
         "SCMP_ACT_LOG"   => ScmpAction::Log,
-        "SCMP_ACT_ERRNO" => ScmpAction::Errno(libc::EPERM as u32),
+        "SCMP_ACT_ERRNO" => ScmpAction::Errno(libc::EPERM),
         s if s.starts_with("SCMP_ACT_ERRNO(") => {
-            let n: u32 = s
-            .trim_start_matches("SCMP_ACT_ERRNO(")
-            .trim_end_matches(')')
-            .parse()
-            .unwrap_or(libc::EPERM as u32);
+            let n: i32 = s
+                .trim_start_matches("SCMP_ACT_ERRNO(")
+                .trim_end_matches(')')
+                .parse()
+                .unwrap_or(libc::EPERM);
             ScmpAction::Errno(n)
         }
         _ => ScmpAction::Allow,
