
fix(exec): fix seccomp build on armv7 with i32-to-i64 syscall cast#8869

Merged
jdx merged 1 commit into main from fix/seccomp-armv7-type-mismatch
Apr 3, 2026

Conversation

@jdx
Owner

@jdx jdx commented Apr 3, 2026

Summary

  • Fix compile error on armv7 targets where libc::SYS_* constants are i32 but the BTreeMap<i64, ...> key expects i64
  • Adds as i64 cast which is a no-op on 64-bit and a widening conversion on 32-bit

Test plan

  • Compiles locally on x86_64
  • Verify armv7 and armv7-musl release builds pass in CI

🤖 Generated with Claude Code


Note

Low Risk
Low risk compile-time fix that only widens syscall IDs when inserting seccomp rules, primarily affecting 32-bit (e.g., armv7) builds.

Overview
Fixes a type mismatch in the seccomp network filter by casting libc::SYS_socket/libc::SYS_socketpair to i64 when inserting into the BTreeMap<i64, ...> rule map.

This restores builds on 32-bit targets where libc::SYS_* constants are i32, without changing the intended seccomp behavior on 64-bit platforms.

Written by Cursor Bugbot for commit 6ecd24c. This will update automatically on new commits. Configure here.

On 32-bit armv7, libc::SYS_* constants are i32 but the BTreeMap key
type is i64, causing a type mismatch compile error.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@greptile-apps
Contributor

greptile-apps bot commented Apr 3, 2026

Greptile Summary

This PR fixes a compile error on armv7 targets by casting libc::SYS_socket and libc::SYS_socketpair to i64 before inserting them into the BTreeMap<i64, Vec<SeccompRule>>. On 64-bit targets the cast is a no-op; on 32-bit (armv7) it is a widening sign-extension, which is correct since syscall numbers are always non-negative. The change is minimal and does not affect runtime behaviour on supported architectures.

Confidence Score: 5/5

Safe to merge — single-line widening cast is correct and does not affect runtime behaviour on any currently supported architecture.

The change is a minimal, correct fix: as i64 is a no-op on 64-bit and a safe widening sign-extension on 32-bit. Syscall numbers are always non-negative so sign extension preserves their value. No logic, control flow, or data is altered. There are no P0 or P1 findings.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/sandbox/seccomp.rs | Adds as i64 cast when inserting syscall numbers into the BTreeMap<i64, ...> to fix a type mismatch compile error on armv7 where libc::SYS_* constants are i32. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[apply_seccomp_net_filter] --> B[prctl: PR_SET_NO_NEW_PRIVS]
    B --> C{arch?}
    C -->|x86_64| D[TargetArch::x86_64]
    C -->|aarch64| E[TargetArch::aarch64]
    C -->|other e.g. armv7| F[Return Error: unsupported arch]
    D --> G[Build SeccompRules for AF_INET / AF_INET6]
    E --> G
    G --> H[Insert syscall as i64 into BTreeMap]
    H --> I[SeccompFilter::new]
    I --> J[BpfProgram::try_into]
    J --> K[seccompiler::apply_filter]
    K --> L[Filter active: SYS_socket / SYS_socketpair blocked for inet families]

Reviews (1): Last reviewed commit: "fix(exec): fix seccomp build on armv7 wi..." | Re-trigger Greptile

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the seccomp network filter in src/sandbox/seccomp.rs by casting syscall constants to i64 to ensure type compatibility. While this change addresses compilation issues on 32-bit architectures, feedback suggests that additional configuration is required in the architecture matching logic to prevent runtime errors on ARM platforms.

for syscall in [libc::SYS_socket, libc::SYS_socketpair] {
rules.insert(
syscall,
syscall as i64,
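Review bot: the `syscall as i64` key passed to `rules.insert(` is an unchecked `as` cast, so it would keep compiling and silently truncate or reinterpret the value if the type of the `libc::SYS_*` constants ever changed to something that does not fit. `i64::from(syscall)` expresses the same widening, accepts both i32 and i64 inputs, and fails to compile for any lossy source type (it may need an allow for clippy's `useless_conversion` lint on 64-bit targets). A one-line comment at the cast saying that the constants are i32 on 32-bit targets would also tell the next reader why the conversion is there.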

high

While this cast fixes the compilation error on 32-bit ARM architectures, the apply_seccomp_net_filter function will still return an error at runtime on armv7 because the architecture is not handled in the match block at line 24. To fully support armv7, you should also add "arm" => TargetArch::arm to that match block.
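
The two review points above (key widening and the architecture gate), as an added Rust example that is not code from mise or seccompiler: `Arch`, `DenyFamily`, `target_arch`, `build_rules` and `plan_filter` are hypothetical stand-ins, and the syscall numbers are constructed sample inputs.

```rust
use std::collections::BTreeMap;

// Stand-in types for illustration; not mise's or seccompiler's definitions.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Arch { X86_64, Aarch64 }

#[derive(Debug, PartialEq, Clone, Copy)]
struct DenyFamily(i32); // one rule: deny the call for this address family

const AF_INET: i32 = 2; // Linux values
const AF_INET6: i32 = 10;

/// Arch gate as drawn in the flowchart: only two targets are accepted.
fn target_arch(arch: &str) -> Result<Arch, String> {
    match arch {
        "x86_64" => Ok(Arch::X86_64),
        "aarch64" => Ok(Arch::Aarch64),
        other => Err(format!("unsupported arch: {}", other)),
    }
}

/// Build the i64-keyed rule map from syscall numbers of either width.
/// `Into<i64>` accepts i32 (32-bit targets) and i64 (64-bit targets) and
/// fails to compile for a lossy source type, which `as i64` would not.
fn build_rules<S: Into<i64> + Copy>(syscalls: &[S]) -> BTreeMap<i64, Vec<DenyFamily>> {
    let mut rules = BTreeMap::new();
    for &nr in syscalls {
        rules.insert(nr.into(), vec![DenyFamily(AF_INET), DenyFamily(AF_INET6)]);
    }
    rules
}

/// Gate first, then build: a target can type-check and still get no filter.
fn plan_filter<S: Into<i64> + Copy>(
    arch: &str,
    syscalls: &[S],
) -> Result<(Arch, BTreeMap<i64, Vec<DenyFamily>>), String> {
    let target = target_arch(arch)?;
    Ok((target, build_rules(syscalls)))
}

fn main() {
    // Constructed inputs: socket/socketpair numbers for x86_64 (i64) and ARM EABI (i32).
    println!("{:?}", plan_filter("x86_64", &[41i64, 53]));
    println!("{:?}", plan_filter("arm", &[281i32, 288]));
}
```

The second call returns `Err`: the i32 keys widen without loss, but the process would run with no network filter unless the caller treats that error as fatal.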

@jdx jdx merged commit bd3750c into main Apr 3, 2026
25 of 27 checks passed
@jdx jdx deleted the fix/seccomp-armv7-type-mismatch branch April 3, 2026 12:22
@github-actions

github-actions bot commented Apr 3, 2026

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.1 x -- echo | 24.4 ± 1.5 | 22.6 | 47.2 | 1.04 ± 0.08 |
| mise x -- echo | 23.5 ± 0.8 | 21.9 | 28.1 | 1.00 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.1 env | 21.8 ± 0.6 | 21.0 | 27.7 | 1.00 |
| mise env | 22.6 ± 0.7 | 21.4 | 29.2 | 1.04 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.1 hook-env | 23.2 ± 2.7 | 21.6 | 54.6 | 1.00 |
| mise hook-env | 26.8 ± 5.4 | 23.5 | 59.0 | 1.15 ± 0.27 |

⚠️ Warning: Performance variance for hook-env is 15%

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.1 ls | 23.1 ± 4.8 | 20.5 | 51.9 | 1.00 |
| mise ls | 24.2 ± 4.5 | 21.6 | 52.3 | 1.05 ± 0.29 |

xtasks/test/perf

| Command | mise-2026.4.1 | mise | Variance |
|---|---|---|---|
| install (cached) | 166ms | 162ms | +2% |
| ls (cached) | 89ms | 83ms | +7% |
| bin-paths (cached) | 93ms | 90ms | +3% |
| task-ls (cached) | 831ms | 864ms | -3% |

jdx pushed a commit that referenced this pull request Apr 3, 2026
### 🐛 Bug Fixes

- **(exec)** fix seccomp build on armv7 with i32-to-i64 syscall cast by
@jdx in [#8869](#8869)
@jdx jdx restored the fix/seccomp-armv7-type-mismatch branch April 4, 2026 02:20