Crate capsicum


§Entering capability mode

 use capsicum::{enter, sandboxed};
 use std::fs::File;
 use std::io::Read;

 // Open the descriptor first: once in capability mode the global namespace is
 // closed off, but descriptors already held remain usable.
 let mut ok_file = File::open("/etc/passwd").unwrap();
 let mut s = String::new();

 // Confirm capability mode is really in effect before relying on it.
 enter().expect("enter failed!");
 assert!(sandboxed(), "application is not sandboxed!");

 // A path-based open must now be refused.
 if let Err(e) = File::create("/tmp/cant_touch_this") {
     println!("properly sandboxed: {:?}", e);
 } else {
     panic!("application is not properly sandboxed!");
 }

 // The pre-opened descriptor is still readable.
 if ok_file.read_to_string(&mut s).is_err() {
     panic!("application is not properly sandboxed!");
 }
 println!("This is okay since we opened the descriptor before sandboxing");

§Limit capability rights to files

use capsicum::{CapRights, Right, FileRights};
use std::fs::File;
use std::io::Read;
// The descriptor is opened with its full default rights; the limit below only shrinks them.
let mut ok_file = File::open("/etc/passwd").unwrap();
let mut s = String::new();

// Keep only Seek and Read on this descriptor. `FileRights` can reduce, never
// expand, a descriptor's capabilities, so any right not listed here is dropped.
FileRights::new()
    .allow(Right::Seek)
    .allow(Right::Read)
    .limit(&ok_file).unwrap();

// Reading is still permitted because Right::Read was retained.
assert!(ok_file.read_to_string(&mut s).is_ok());

§Opening new files in a subdirectory after entering capability mode

 use std::fs::File;
 use std::io::Read;

 // Before entering capability mode the global namespace is still reachable, so
 // take the directory handle now; it is the only route back into /etc afterwards.
 let etc = cap_std::fs::Dir::open_ambient_dir("/etc", cap_std::ambient_authority()).unwrap();

 capsicum::enter().expect("enter failed!");

 // Path-based (ambient) opens are refused once in capability mode.
 cap_std::fs::Dir::open_ambient_dir("/etc", cap_std::ambient_authority()).unwrap_err();
 File::open("/etc/passwd").unwrap_err();

 // Opens relative to a directory descriptor we already hold still succeed.
 let passwd = etc.open("passwd").unwrap();

Modules§

casper (feature: casper)
Rust bindings to FreeBSD’s libcasper
util
Deprecated utilities

Macros§

service (feature: casper)
Declare a Casper service.
service_connection (feature: casper)
Declare a connection to an existing Casper service.

Structs§

FcntlRights
Used to limit which fcntl(2) commands can be used on a file in capability mode.
FcntlsBuilder (deprecated)
Used to construct a new set of allowed fcntl commands.
FileRights
Used to reduce (but never expand) the capabilities on a file descriptor.
IoctlsBuilder
Used to construct a new set of allowed ioctl commands.
RightsBuilder (deprecated)
Used to construct a new set of allowed file rights.

Enums§

Fcntl
Fcntl commands that may be limited on file descriptors.
IoctlRights
Used to reduce (but never expand) the ioctl commands that may be used on a file descriptor.
Right
Capsicum capability rights for file descriptors.

Traits§

CapRights
A set of capabilities that may be restricted on file descriptors.

Functions§

enter
Actually enter capability mode.
get_mode
Returns true if the process is in a capability mode.
sandboxed
Returns true if the process is in a capability mode.