Crate capsicum


§Entering capability mode

use capsicum::{enter, sandboxed};
use std::fs::File;
use std::io::Read;

// Descriptors opened before entering capability mode remain usable afterwards.
let mut ok_file = File::open("/etc/passwd").unwrap();
let mut s = String::new();

// Entering capability mode is irreversible for this process and is inherited by
// its children.
enter().expect("enter failed!");
assert!(sandboxed(), "application is not sandboxed!");

// Opening a path in the global namespace is refused once in capability mode.
match File::create("/tmp/cant_touch_this") {
    Ok(_) => panic!("application is not properly sandboxed!"),
    Err(e) => println!("properly sandboxed: {:?}", e)
}

// Using an already-open descriptor is still allowed.
match ok_file.read_to_string(&mut s) {
    Ok(_) => println!("This is okay since we opened the descriptor before sandboxing"),
    Err(_) => panic!("application is not properly sandboxed!")
}

§Limit capability rights to files

use capsicum::{CapRights, Right, FileRights};
use std::fs::File;
use std::io::Read;

let mut ok_file = File::open("/etc/passwd").unwrap();
let mut s = String::new();

// Restrict the descriptor to seek and read. Rights can only be reduced, never
// regained, and the limit applies whether or not the process is in capability mode.
FileRights::new()
    .allow(Right::Seek)
    .allow(Right::Read)
    .limit(&ok_file).unwrap();

assert!(ok_file.read_to_string(&mut s).is_ok());

§Opening new files in a subdirectory after entering capability mode

use std::fs::File;

// Before entering capability mode, we can open files in the global namespace.
// `cap_std` provides a directory handle that resolves paths relative to its
// own descriptor.
let aa = cap_std::ambient_authority();
let etc = cap_std::fs::Dir::open_ambient_dir("/etc", aa).unwrap();

capsicum::enter().expect("enter failed!");

// Now, we can no longer access the global file system namespace.
let aa = cap_std::ambient_authority();
cap_std::fs::Dir::open_ambient_dir("/etc", aa).unwrap_err();
File::open("/etc/passwd").unwrap_err();

// But we can still open children of our already-open directory, since the
// lookup is relative to its descriptor (openat(2)).
let passwd = etc.open("passwd").unwrap();

Modules§

  • casper
    Rust bindings to FreeBSD’s libcasper
  • util (deprecated)
    Deprecated utilities

Macros§

Structs§

  • FcntlRights
    Used to limit which fcntl(2) commands can be used on a file in capability mode.
  • FcntlsBuilder (deprecated)
    Used to construct a new set of allowed fcntl commands.
  • FileRights
    Used to reduce (but never expand) the capabilities on a file descriptor.
  • IoctlsBuilder (deprecated)
    Used to construct a new set of allowed ioctl commands.
  • RightsBuilder (deprecated)
    Used to construct a new set of allowed file rights.

Enums§

  • Fcntl
    Fcntl commands that may be limited on file descriptors.
  • IoctlRights
    Used to reduce (but never expand) the ioctl commands that may be used on a file descriptor.
  • Right
    Capsicum capability rights for file descriptors.

Traits§

  • CapRights
    A set of capabilities that may be restricted on file descriptors.

Functions§

  • enter
    Actually enter capability mode.
  • get_mode
    Returns true if the process is in a capability mode.
  • sandboxed
    Returns true if the process is in a capability mode.