agent_guard/control_plane.rs
1//! Control plane trait for agent-guard.
2//!
3//! This trait defines the interface for security control planes on Linux.
4
5use crate::error::Result;
6use crate::receipt::{Action, SecurityDecision, Subject};
7
8/// Control plane for enforcing security policies on agents.
9///
10/// Implementations provide Linux-native security mechanisms such as:
11/// - BPF LSM hooks
12/// - cgroup v2 restrictions
13/// - Landlock sandboxing
14/// - seccomp filters
15/// - eBPF programs
16pub trait ControlPlane {
17 /// Initialize the control plane.
18 fn initialize(&mut self) -> Result<()>;
19
20 /// Check if the control plane is initialized and ready.
21 fn is_initialized(&self) -> bool;
22
23 /// Evaluate an action and return a security decision.
24 fn evaluate(&mut self, subject: &Subject, action: &Action) -> Result<SecurityDecision>;
25
26 /// Enforce a security decision.
27 fn enforce(&mut self, decision: &SecurityDecision) -> Result<()>;
28
29 /// Release resources held by this control plane.
30 fn shutdown(&mut self) -> Result<()>;
31}