fix(exec): use i64::from() for seccomp syscall numbers to survive autofix #8882

Merged
jdx merged 3 commits into main from fix/seccomp-armv7-type-mismatch
Apr 4, 2026
@jdx (Owner) commented Apr 4, 2026

Summary

  • The previous as i64 fix for armv7 seccomp build was reverted by autofix-ci because clippy on x86_64 flags it as an unnecessary cast (SYS_* is already i64 there)
  • Uses i64::from(syscall) instead, which clippy won't flag and handles both i32 (armv7) and i64 (x86_64/aarch64)

Test plan

  • Verify build-tarball-linux-armv7 CI job passes
  • Verify clippy/autofix doesn't revert the change

🤖 Generated with Claude Code


Note

Low Risk
Low risk: behavior is unchanged, but it touches Linux seccomp rule construction; main risk is mis-conversion of syscall numbers on some architectures.

Overview
Updates the Linux seccomp network filter to build the syscall rule map using i64::from (via .map(i64::from)) instead of casting, and suppresses Clippy’s useless_conversion to prevent autofix from reverting the change.

This keeps syscall keys consistently typed across architectures when inserting SYS_socket/SYS_socketpair rules.

Reviewed by Cursor Bugbot for commit c14c90f. Bugbot is set up for automated code reviews on this repo. Configure here.

@jdx jdx closed this Apr 4, 2026
@jdx jdx reopened this Apr 4, 2026
…ofix

The previous `as i64` cast was correct but clippy on x86_64 flagged it
as unnecessary (since SYS_* is already i64 there), causing autofix-ci
to revert it. Using i64::from() is not flagged by clippy and handles
both i32 (armv7) and i64 (x86_64/aarch64) inputs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jdx jdx force-pushed the fix/seccomp-armv7-type-mismatch branch from 6ecd24c to 1bb9fca Compare April 4, 2026 02:22
@jdx jdx changed the title from "fix(exec): fix seccomp build on armv7 with i32-to-i64 syscall cast" to "fix(exec): use i64::from() for seccomp syscall numbers to survive autofix" Apr 4, 2026
@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request updates the seccomp filter implementation in src/sandbox/seccomp.rs by casting syscall constants to i64 to resolve compilation errors on certain architectures. Feedback indicates that while this fixes the build, additional changes are required in the architecture matching logic to ensure runtime support for armv7.

for syscall in [libc::SYS_socket, libc::SYS_socketpair] {
rules.insert(
syscall as i64,
// SYS_* constants are i32 on armv7, i64 on x86_64/aarch64
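Review bot: the `syscall as i64` key passed to `rules.insert` is an unchecked cast, and the comment beside it already states that the source type differs per target (i32 on armv7, i64 on x86_64/aarch64). Prefer `i64::from(syscall)`, which compiles only for lossless conversions, so a change in the constant's type cannot silently alter a syscall number in the filter. Because the conversion is a no-op on x86_64/aarch64, clippy will flag it there; an explicit allow attribute on this block keeps autofix from stripping it.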
high

While this cast fixes the compilation error on armv7, the apply_seccomp_net_filter function will still return an error at runtime on this architecture because arm is not handled in the target_arch match block (lines 24-28). To fully support armv7, you should add "arm" => TargetArch::arm to that match block.

@greptile-apps bot (Contributor) commented Apr 4, 2026

Greptile Summary

This PR fixes a cross-platform compilation issue in src/sandbox/seccomp.rs where syscall as i64 was previously reverted by autofix-ci on x86_64 because clippy flags it as a useless cast (since libc::SYS_* is already i64 on x86_64/aarch64). The fix uses .map(i64::from) on the syscall array (which resolves to From<i32> for i64 on armv7 and the identity From<i64> for i64 on x86_64/aarch64) and adds #[allow(clippy::useless_conversion)] to prevent autofix-ci from reverting it again.

  • Replaces syscall as i64 with [...].map(i64::from) to convert syscall numbers to i64 in a clippy-safe way across all architectures
  • Adds #[allow(clippy::useless_conversion)] to suppress the clippy warning on x86_64/aarch64 where the From<i64> implementation is the identity conversion
  • The approach correctly satisfies the BTreeMap<i64, Vec<SeccompRule>> key type on all targets at compile time

Confidence Score: 5/5

Safe to merge — the fix correctly resolves the cross-platform type mismatch and prevents clippy from reverting it.

The change is minimal and precisely targeted: .map(i64::from) satisfies the BTreeMap<i64, _> key type on all architectures (converting i32 on armv7, identity on x86_64/aarch64), and #[allow(clippy::useless_conversion)] prevents the autofix-ci regression. The previous thread's concern about a compile-time type error is fully addressed by this approach. No logic, security, or correctness issues remain.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/sandbox/seccomp.rs | Correctly fixes the armv7 compile-time type error by using .map(i64::from) on the syscall array, with #[allow(clippy::useless_conversion)] to prevent autofix-ci from reverting the change on x86_64. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["[libc::SYS_socket, libc::SYS_socketpair]"] -->|".map(i64::from)"| B{Platform}
    B -->|armv7: SYS_* is i32| C["From<i32> for i64 → converts to i64"]
    B -->|x86_64 / aarch64: SYS_* is i64| D["From<i64> for i64 → identity (no-op)"]
    C --> E["syscall: i64"]
    D --> E
    E --> F["rules.insert(syscall, ...)"]
    F --> G["BTreeMap<i64, Vec<SeccompRule>>"]

Reviews (3): Last reviewed commit: "fix(exec): use allow(clippy::useless_con..."

autofix-ci runs clippy on x86_64 where SYS_* is already i64, so it
strips any conversion (both `as i64` and `i64::from()`). Adding
the clippy allow attribute prevents autofix from reverting the
i64::from() conversion needed for armv7 where SYS_* is i32.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
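
The conversion discussed in this PR, as an added example that is not code from the mise repository: it builds an i64-keyed rule map from syscall constants of either width with `.map(i64::from)`, and contrasts that with what an `as` cast does when the source type is not the expected one. `Rule`, the function names and the sample syscall numbers are assumptions standing in for `SeccompRule` and the `libc::SYS_*` constants.

```rust
use std::collections::BTreeMap;

// Stand-in for the crate's SeccompRule type (hypothetical; only the key type matters here).
#[derive(Debug, Clone, PartialEq)]
pub struct Rule(pub &'static str);

// Constructed sample values standing in for libc::SYS_socket / libc::SYS_socketpair:
// i32 with the 32-bit ARM EABI numbers, i64 with the x86_64 numbers.
pub const ARM_SYSCALLS: [i32; 2] = [281, 288];
pub const X86_64_SYSCALLS: [i64; 2] = [41, 53];

/// Build the i64-keyed rule map from syscall constants of either width.
/// The `i64: From<T>` bound only admits lossless conversions, so this
/// compiles for i32 (widening) and i64 (identity) but not for u64 or i128.
#[allow(clippy::useless_conversion)] // identity conversion when T = i64
pub fn build_rules<T>(syscalls: [T; 2]) -> BTreeMap<i64, Vec<Rule>>
where
    i64: From<T>,
{
    let mut rules = BTreeMap::new();
    for syscall in syscalls.map(i64::from) {
        rules.insert(syscall, vec![Rule("network filter rule")]);
    }
    rules
}

/// What an `as` cast does when the source type is wider than expected:
/// it compiles everywhere and silently reinterprets the value.
pub fn key_via_as(raw: u64) -> i64 {
    raw as i64
}

/// Checked alternative for types that have no `From` impl into i64.
pub fn key_checked(raw: u64) -> Option<i64> {
    i64::try_from(raw).ok()
}

fn main() {
    println!("armv7 keys:  {:?}", build_rules(ARM_SYSCALLS).keys().collect::<Vec<_>>());
    println!("x86_64 keys: {:?}", build_rules(X86_64_SYSCALLS).keys().collect::<Vec<_>>());
    println!("u64::MAX as i64 = {}", key_via_as(u64::MAX));
    println!("i64::try_from(u64::MAX) = {:?}", key_checked(u64::MAX));
}
```
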
@jdx jdx enabled auto-merge (squash) April 4, 2026 02:53
@jdx jdx disabled auto-merge April 4, 2026 02:53
@github-actions bot commented Apr 4, 2026

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.3 x -- echo | 23.9 ± 0.7 | 22.3 | 30.8 | 1.00 |
| mise x -- echo | 24.6 ± 0.6 | 22.8 | 28.7 | 1.03 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.3 env | 23.8 ± 0.7 | 22.7 | 28.5 | 1.00 |
| mise env | 24.1 ± 0.4 | 23.1 | 25.4 | 1.01 ± 0.03 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.3 hook-env | 24.6 ± 0.4 | 23.3 | 25.9 | 1.00 |
| mise hook-env | 24.7 ± 0.6 | 23.6 | 31.8 | 1.00 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.3 ls | 21.8 ± 0.7 | 20.3 | 30.4 | 1.00 |
| mise ls | 22.2 ± 0.7 | 21.4 | 31.3 | 1.02 ± 0.05 |

xtasks/test/perf

| Command | mise-2026.4.3 | mise | Variance |
|---|---|---|---|
| install (cached) | 153ms | 152ms | +0% |
| ls (cached) | 82ms | 81ms | +1% |
| bin-paths (cached) | 85ms | 86ms | -1% |
| task-ls (cached) | 844ms | 808ms | +4% |

@jdx jdx merged commit d85d708 into main Apr 4, 2026
37 checks passed
@jdx jdx deleted the fix/seccomp-armv7-type-mismatch branch April 4, 2026 11:37
jdx pushed a commit that referenced this pull request Apr 5, 2026
### 🚀 Features

- **(ci)** auto-convert external PRs to draft mode by @jdx in
[#8896](#8896)
- **(deps)** add `depends` field for user-specified tool dependencies by
@cprecioso in [#8776](#8776)
- **(dotnet)** support runtime-only installs by @fragon10 in
[#8524](#8524)
- **(npm)** apply install_before to transitive dependencies by @risu729
in [#8851](#8851)
- **(task)** allow passing arguments to task dependencies via
{{usage.*}} templates by @jdx in
[#8893](#8893)
- add options field to BackendListVersionsCtx by @esteve in
[#8875](#8875)

### 🐛 Bug Fixes

- **(backend)** filter PEP 440 .dev versions in fuzzy version matching
by @richardthe3rd in [#8849](#8849)
- **(ci)** update COPR BuildRequires rust version to match MSRV 1.88 by
@jdx in [#8911](#8911)
- **(ci)** add Ruby build dependencies to e2e Docker image by @jdx in
[#8910](#8910)
- **(ci)** add missing build dependencies to e2e Docker image by @jdx in
[#8912](#8912)
- **(ci)** add missing build dependencies to e2e Docker image by @jdx in
[#8914](#8914)
- **(ci)** use Node 24 LTS for corepack e2e test by @jdx in
[#8915](#8915)
- **(ci)** add libxml2 and pkg-config to e2e Docker image by @jdx in
[#8917](#8917)
- **(ci)** add libxml2-dev to e2e image and disable Swift SPM tests by
@jdx in [#8918](#8918)
- **(docs)** use sans-serif font for badges by @jdx in
[#8887](#8887)
- **(env)** parse --env=VALUE and -E=VALUE flag forms correctly by @jdx
in [#8889](#8889)
- **(exec)** use i64::from() for seccomp syscall numbers to survive
autofix by @jdx in [#8882](#8882)
- **(github)** preserve tool options like filter_bins when version
specified via CLI by @jdx in
[#8888](#8888)
- **(github)** use alias-specific options when tool_alias has its own
config by @jdx in [#8892](#8892)
- **(install)** add locked_verify_provenance setting and detect github
attestations at lock time by @jdx in
[#8901](#8901)
- **(lock)** prune stale version entries during filtered `mise lock
<tool>` runs by @altendky in
[#8599](#8599)
- **(python)** use lockfile URL for precompiled installs by @hehaoqian
in [#8750](#8750)
- **(release)** verify all build targets succeed before releasing by
@jdx in [#8886](#8886)
- **(ruby)** support build revisions for precompiled binaries in
mise.lock by @jdx in [#8900](#8900)
- **(swift)** fall back to Ubuntu 24.04 for unsupported Ubuntu versions
by @jdx in [#8916](#8916)
- **(zsh)** avoid duplicate trust warning after cd by @timothysparg in
[#8898](#8898)
- update flake.lock and add fix for rust-bindgen to default.nix by
@esteve in [#8874](#8874)
- when direnv diff is empty, do not try to parse it by @yaleman in
[#8857](#8857)
- skip trust check for plain .tool-versions in task list by @dportalesr
in [#8876](#8876)

### 🚜 Refactor

- **(go)** rename go_* settings to go.* namespace by @jdbruijn in
[#8598](#8598)

### 📚 Documentation

- **(tasks)** clarify task_config.includes behavior by @risu729 in
[#8905](#8905)

### 🧪 Testing

- **(ci)** run e2e tests inside Docker containers by @jdx in
[#8899](#8899)

### 📦️ Dependency Updates

- bump ubi from 0.8 to 0.9 by @jdx in
[#8906](#8906)
- bump zip from 3 to 8 by @jdx in
[#8908](#8908)
- update lockfile deps (hold back rattler) by @jdx in
[#8909](#8909)
- update bun.lock by @jdx in
[#8913](#8913)

### 📦 Registry

- add turso
([github:tursodatabase/turso-cli](https://github.com/tursodatabase/turso-cli))
by @kenn in [#8884](#8884)
- remove carp test by @jdx in
[#8894](#8894)

### Chore

- **(ci)** add workflow to warn PRs modifying vendored aqua-registry by
@jdx in [#8897](#8897)
- **(ci)** use github.token for draft conversion in auto-draft workflow
by @jdx in [#8903](#8903)
- remove deprecated settings older than 12 months by @jdx in
[#8904](#8904)

### New Contributors

- @dportalesr made their first contribution in
[#8876](#8876)
- @timothysparg made their first contribution in
[#8898](#8898)
- @hehaoqian made their first contribution in
[#8750](#8750)
- @jdbruijn made their first contribution in
[#8598](#8598)
- @cprecioso made their first contribution in
[#8776](#8776)
- @yaleman made their first contribution in
[#8857](#8857)
- @kenn made their first contribution in
[#8884](#8884)
- @fragon10 made their first contribution in
[#8524](#8524)

## 📦 Aqua Registry Updates

#### New Packages (6)

- [`ahkohd/oyo`](https://github.com/ahkohd/oyo)
- [`bellicose100xp/jiq`](https://github.com/bellicose100xp/jiq)
- [`kurama/dealve-tui`](https://github.com/kurama/dealve-tui)
- [`micahkepe/jsongrep`](https://github.com/micahkepe/jsongrep)
- [`textfuel/lazyjira`](https://github.com/textfuel/lazyjira)
- [`ubugeeei/vize`](https://github.com/ubugeeei/vize)

#### Updated Packages (1)

- [`sigstore/cosign`](https://github.com/sigstore/cosign)