Module permission

Expand description

The Permission trait and all built-in permission types.

Permissions are zero-sized marker types that encode what kind of I/O a capability token grants. Built-in permissions cover filesystem, network, environment, and process operations. Library authors can define custom permissions using #[capsec::permission].

§Built-in permissions

Type	Category	What it grants
`FsRead`	Filesystem	Read files, list directories, check metadata
`FsWrite`	Filesystem	Write, create, delete files and directories
`FsAll`	Filesystem	All filesystem operations (subsumes `FsRead` + `FsWrite`)
`NetConnect`	Network	Open outbound TCP/UDP connections
`NetBind`	Network	Bind listeners and sockets to local ports
`NetAll`	Network	All network operations (subsumes `NetConnect` + `NetBind`)
`EnvRead`	Environment	Read environment variables
`EnvWrite`	Environment	Modify or remove environment variables
`Spawn`	Process	Execute subprocesses
`Ambient`	Everything	Full ambient authority — the “god token”

§Custom permissions

Use #[capsec::permission] to define domain-specific permissions:

#[capsec::permission]
pub struct DbRead;

#[capsec::permission(subsumes = [DbRead])]
pub struct DbAll;

§Tuples

Two permissions can be bundled via a tuple: (FsRead, NetConnect) is itself a Permission, and Cap<(FsRead, NetConnect)> satisfies both Has<FsRead> and Has<NetConnect>. All 2-tuple combinations of built-in permissions are supported.

§Subsumption

Some permissions imply others. FsAll subsumes both FsRead and FsWrite, meaning a Cap<FsAll> can be used anywhere a Cap<FsRead> is required. Ambient subsumes everything.

Structs§

Ambient: Full ambient authority — grants every permission.
EnvRead: Permission to read environment variables.
EnvWrite: Permission to modify or remove environment variables.
FsAll: Permission for all filesystem operations. Subsumes FsRead and FsWrite.
FsRead: Permission to read files, list directories, and check metadata.
FsWrite: Permission to write, create, rename, and delete files and directories.
NetAll: Permission for all network operations. Subsumes NetConnect and NetBind.
NetBind: Permission to bind TCP listeners and UDP sockets to local ports.
NetConnect: Permission to open outbound TCP and UDP connections.
Spawn: Permission to spawn and execute subprocesses via std::process::Command.

Traits§

Permission: Marker trait for all capability permissions.
Subsumes: Indicates that Self implies permission P.