Implement thiserror for libcontainer - Part 1

crates/libcontainer/Cargo.toml

@@ -44,6 +44,7 @@ syscalls = "0.6.10"
 rust-criu = "0.4.0"
 clone3 = "0.2.3"
 regex = "1.7.3"
+thiserror = "1.0.24"
 
 [dev-dependencies]
 oci-spec = { version = "^0.6.0", features = ["proptests", "runtime"] }

crates/libcontainer/src/capabilities.rs

@@ -1,9 +1,8 @@
 //! Handles Management of Capabilities
-use crate::syscall::Syscall;
+use crate::syscall::{Syscall, SyscallError};
 use caps::Capability as CapsCapability;
 use caps::*;
 
-use anyhow::Result;
 use oci_spec::runtime::{Capabilities, Capability as SpecCapability, LinuxCapabilities};
 
 /// Converts a list of capability types to capabilities has set
@@ -124,14 +123,17 @@ impl CapabilityExt for SpecCapability {
 /// reset capabilities of process calling this to effective capabilities
 /// effective capability set is set of capabilities used by kernel to perform checks
 /// see <https://man7.org/linux/man-pages/man7/capabilities.7.html> for more information
-pub fn reset_effective<S: Syscall + ?Sized>(syscall: &S) -> Result<()> {
+pub fn reset_effective<S: Syscall + ?Sized>(syscall: &S) -> Result<(), SyscallError> {
     log::debug!("reset all caps");
     syscall.set_capability(CapSet::Effective, &caps::all())?;
     Ok(())
 }
 
 /// Drop any extra granted capabilities, and reset to defaults which are in oci specification
-pub fn drop_privileges<S: Syscall + ?Sized>(cs: &LinuxCapabilities, syscall: &S) -> Result<()> {
+pub fn drop_privileges<S: Syscall + ?Sized>(
+    cs: &LinuxCapabilities,
+    syscall: &S,
+) -> Result<(), SyscallError> {
     log::debug!("dropping bounding capabilities to {:?}", cs.bounding());
     if let Some(bounding) = cs.bounding() {
         syscall.set_capability(CapSet::Bounding, &to_set(bounding))?;

crates/libcontainer/src/lib.rs

@@ -8,11 +8,10 @@ pub mod notify_socket;
 pub mod process;
 pub mod rootfs;
 pub mod rootless;
+#[cfg(feature = "libseccomp")]
+pub mod seccomp;
 pub mod signal;
 pub mod syscall;
 pub mod tty;
 pub mod utils;
 pub mod workload;
-
-#[cfg(feature = "libseccomp")]
-pub mod seccomp;

crates/libcontainer/src/namespaces.rs

@@ -7,12 +7,29 @@
 //! UTS (hostname and domain information, processes will think they're running on servers with different names),
 //! Cgroup (Resource limits, execution priority etc.)
 
-use crate::syscall::{syscall::create_syscall, Syscall};
-use anyhow::{Context, Result};
+use crate::syscall::{syscall::create_syscall, Syscall, SyscallError};
 use nix::{fcntl, sched::CloneFlags, sys::stat, unistd};
 use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType};
 use std::collections;
 
+type Result<T> = std::result::Result<T, NamespaceError>;
+
+#[derive(Debug, thiserror::Error)]
+pub enum NamespaceError {
+    #[error("failed to set namespace")]
+    ApplyNamespaceSyscallFailed {
+        namespace: Box<LinuxNamespace>,
+        #[source]
+        err: SyscallError,
+    },
+    #[error("failed to set namespace")]
+    ApplyNamespaceUnixSyscallFailed {
+        namespace: Box<LinuxNamespace>,
+        #[source]
+        err: nix::Error,
+    },
+}
+
 static ORDERED_NAMESPACES: &[CloneFlags] = &[
     CloneFlags::CLONE_NEWUSER,
     CloneFlags::CLONE_NEWPID,
@@ -65,25 +82,43 @@ impl Namespaces {
             .filter_map(|c| self.namespace_map.get_key_value(c))
             .collect();
 
-        for (ns_type, ns) in to_enter {
-            self.unshare_or_setns(ns)
-                .with_context(|| format!("failed to enter {ns_type:?} namespace: {ns:?}"))?;
+        for (_, ns) in to_enter {
+            self.unshare_or_setns(ns)?;
         }
         Ok(())
     }
 
     pub fn unshare_or_setns(&self, namespace: &LinuxNamespace) -> Result<()> {
         log::debug!("unshare or setns: {:?}", namespace);
-        if namespace.path().is_none() {
-            self.command.unshare(get_clone_flag(namespace.typ()))?;
-        } else {
-            let ns_path = namespace.path().as_ref().unwrap();
-            let fd = fcntl::open(ns_path, fcntl::OFlag::empty(), stat::Mode::empty())
-                .with_context(|| format!("failed to open namespace fd: {ns_path:?}"))?;
-            self.command
-                .set_ns(fd, get_clone_flag(namespace.typ()))
-                .with_context(|| "failed to set namespace")?;
-            unistd::close(fd).with_context(|| "failed to close namespace fd")?;
+        match namespace.path() {
+            Some(path) => {
+                let fd = fcntl::open(path, fcntl::OFlag::empty(), stat::Mode::empty()).map_err(
+                    |err| NamespaceError::ApplyNamespaceUnixSyscallFailed {
+                        namespace: Box::new(namespace.to_owned()),
+                        err,
+                    },
+                )?;
+                self.command
+                    .set_ns(fd, get_clone_flag(namespace.typ()))
+                    .map_err(|err| NamespaceError::ApplyNamespaceSyscallFailed {
+                        namespace: Box::new(namespace.to_owned()),
+                        err,
+                    })?;
+                unistd::close(fd).map_err(|err| {
+                    NamespaceError::ApplyNamespaceUnixSyscallFailed {
+                        namespace: Box::new(namespace.to_owned()),
+                        err,
+                    }
+                })?;
+            }
+            None => {
+                self.command
+                    .unshare(get_clone_flag(namespace.typ()))
+                    .map_err(|err| NamespaceError::ApplyNamespaceSyscallFailed {
+                        namespace: Box::new(namespace.to_owned()),
+                        err,
+                    })?;
+            }
         }
 
         Ok(())