23635136651

Committed 27 Mar 2026 07:00AM UTC coverage: 67.092% (-0.03%) from 67.122%

Build # 23635136651

Build Type

push

github

Committed by

web-flow

Commit Message

build(deps): bump sd-notify from 0.4.5 to 0.5.0 in /rust (#12642)

Bumps [sd-notify](https://github.com/lnicola/sd-notify) from 0.4.5 to
0.5.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lnicola/sd-notify/blob/master/CHANGELOG.md">sd-notify's
changelog</a>.</em></p>
<blockquote>
<h2>[0.5.0] - 2025-01-18</h2>
<h3>Changed</h3>
<ul>
<li>(breaking) the <code>unset_env</code> parameters were split off into
separate unsafe functions</li>
<li>(breaking) <code>watchdog_enabled</code> now returns
<code>Option&lt;Duration&gt;</code></li>
<li>the MSRV is now defined as 1.82</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>fixed <code>booted</code> to return <code>Ok(false)</code> when not
running under systemd</li>
<li>fixed <code>watchdog_enabled</code> to handle missing
<code>WATCHDOG_PID</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lnicola/sd-notify/commit/a4a9b073f"><code>a4a9b07</code></a>
Fix formatting</li>
<li><a
href="https://github.com/lnicola/sd-notify/commit/4c4feaecc"><code>4c4feae</code></a>
Merge pull request <a
href="https://redirect.github.com/lnicola/sd-notify/issues/21">#21</a>
from lnicola/booted</li>
<li><a
href="https://github.com/lnicola/sd-notify/commit/21df56d54"><code>21df56d</code></a>
Fix booted to work as expected when systemd is not running</li>
<li><a
href="https://github.com/lnicola/sd-notify/commit/f0a023810"><code>f0a0238</code></a>
Merge pull request <a
href="https://redirect.github.com/lnicola/sd-notify/issues/20">#20</a>
from lnicola/watchdog-enabled-no-pid</li>
<li><a
href="https://github.com/lnicola/sd-notify/commit/1e939695f"><code>1e93969</code></a>
Handle missing WATCHDOG_PID in watchdog_enabled</li>
<li><a
href="https://github.com/lnicola/sd-notify/commit/95697fc49785... (continued)

Coverage Stats

1 of 2 new or added lines in 2 files covered. (50.0%)

30 existing lines in 10 files now uncovered.

35767 of 53310 relevant lines covered (67.09%)

471376.3 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

72.0

/rust/headless-client/src/linux.rs

//! Implementation, Linux-specific

use super::TOKEN_ENV_KEY;
use anyhow::{Result, bail};
use nix::fcntl::AT_FDCWD;
use std::path::Path;

// The Client currently must run as root to control DNS
// Root group and user are used to check file ownership on the token
const ROOT_GROUP: u32 = 0;
const ROOT_USER: u32 = 0;

pub(crate) fn check_token_permissions(path: &Path) -> Result<()> {
    let Ok(stat) = nix::sys::stat::fstatat(AT_FDCWD, path, nix::fcntl::AtFlags::empty()) else {
        // File doesn't exist or can't be read
        tracing::info!(
            ?path,
            ?TOKEN_ENV_KEY,
            "No token found in env var or on disk"
        );
        bail!("Token file doesn't exist");
    };
    if stat.st_uid != ROOT_USER {
        bail!(
            "Token file `{}` should be owned by root user",
            path.display()
        );
    }
    if stat.st_gid != ROOT_GROUP {
        bail!(
            "Token file `{}` should be owned by root group",
            path.display()
        );
    }
    if stat.st_mode & 0o177 != 0 {
        bail!(
            "Token file `{}` should have mode 0o400 or 0x600",
            path.display()
        );
    }
    Ok(())
}

pub(crate) fn set_token_permissions(path: &Path) -> Result<()> {
    use nix::sys::stat::Mode;
    use nix::unistd::{Gid, Uid, chown};

    chown(
        path,
        Some(Uid::from_raw(ROOT_USER)),
        Some(Gid::from_raw(ROOT_GROUP)),
    )?;

    nix::sys::stat::fchmodat(
        AT_FDCWD,
        path,
        Mode::S_IRUSR | Mode::S_IWUSR,
        nix::sys::stat::FchmodatFlags::FollowSymlink,
    )?;

    Ok(())
}

/// Writes a token to the specified path with secure permissions.
/// Creates the parent directory if needed, writes the file with mode 0o600,
/// and sets ownership to root:root.
pub(crate) fn write_token(path: &Path, token: &str) -> Result<()> {
    use anyhow::Context as _;
    use std::io::Write;
    use std::os::unix::fs::OpenOptionsExt;

    if let Some(parent) = path.parent() {
        std::fs::create_dir_all(parent).context("Failed to create token directory")?;
    }

    let mut file = std::fs::OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(path)
        .context("Failed to create token file")?;

    file.write_all(token.as_bytes())
        .context("Failed to write token to file")?;

    set_token_permissions(path)?;

    Ok(())
}

pub(crate) fn notify_service_controller() -> Result<()> {
    Ok(sd_notify::notify(&[sd_notify::NotifyState::Ready])?)
}

1	//! Implementation, Linux-specific
2
3	use super::TOKEN_ENV_KEY;
4	use anyhow::{Result, bail};
5	use nix::fcntl::AT_FDCWD;
6	use std::path::Path;
7
8	// The Client currently must run as root to control DNS
9	// Root group and user are used to check file ownership on the token
10	const ROOT_GROUP: u32 = 0;
11	const ROOT_USER: u32 = 0;
12
13	pub(crate) fn check_token_permissions(path: &Path) -> Result<()> {	2✔
14	let Ok(stat) = nix::sys::stat::fstatat(AT_FDCWD, path, nix::fcntl::AtFlags::empty()) else {	2✔
15	// File doesn't exist or can't be read
16	tracing::info!(	×
17	?path,
18	?TOKEN_ENV_KEY,
19	"No token found in env var or on disk"
20	);
21	bail!("Token file doesn't exist");	×
22	};
23	if stat.st_uid != ROOT_USER {	2✔
24	bail!(	×
25	"Token file `{}` should be owned by root user",
26	path.display()	×
27	);
28	}	2✔
29	if stat.st_gid != ROOT_GROUP {	2✔
30	bail!(	×
31	"Token file `{}` should be owned by root group",
32	path.display()	×
33	);
34	}	2✔
35	if stat.st_mode & 0o177 != 0 {	2✔
36	bail!(	×
37	"Token file `{}` should have mode 0o400 or 0x600",
38	path.display()	×
39	);
40	}	2✔
41	Ok(())	2✔
42	}	2✔
43
44	pub(crate) fn set_token_permissions(path: &Path) -> Result<()> {	6✔
45	use nix::sys::stat::Mode;
46	use nix::unistd::{Gid, Uid, chown};
47
48	chown(	6✔
49	path,	6✔
50	Some(Uid::from_raw(ROOT_USER)),	6✔
51	Some(Gid::from_raw(ROOT_GROUP)),	6✔
52	)?;	×
53
54	nix::sys::stat::fchmodat(	6✔
55	AT_FDCWD,
56	path,	6✔
57	Mode::S_IRUSR \| Mode::S_IWUSR,	6✔
58	nix::sys::stat::FchmodatFlags::FollowSymlink,	6✔
59	)?;	×
60
61	Ok(())	6✔
62	}	6✔
63
64	/// Writes a token to the specified path with secure permissions.
65	/// Creates the parent directory if needed, writes the file with mode 0o600,
66	/// and sets ownership to root:root.
67	pub(crate) fn write_token(path: &Path, token: &str) -> Result<()> {	5✔
68	use anyhow::Context as _;
69	use std::io::Write;
70	use std::os::unix::fs::OpenOptionsExt;
71
72	if let Some(parent) = path.parent() {	5✔
73	std::fs::create_dir_all(parent).context("Failed to create token directory")?;	5✔
74	}	×
75
76	let mut file = std::fs::OpenOptions::new()	5✔
77	.write(true)	5✔
78	.create(true)	5✔
79	.truncate(true)	5✔
80	.mode(0o600)	5✔
81	.open(path)	5✔
82	.context("Failed to create token file")?;	5✔
83
84	file.write_all(token.as_bytes())	5✔
85	.context("Failed to write token to file")?;	5✔
86
87	set_token_permissions(path)?;	5✔
88
89	Ok(())	5✔
90	}	5✔
91
92	pub(crate) fn notify_service_controller() -> Result<()> {	×
NEW 93	Ok(sd_notify::notify(&[sd_notify::NotifyState::Ready])?)	×
94	}	×

firezone / firezone / 23635136651

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous