In capability-based security context, ambient authority means anything a program can do that interacts with the outside world that isn't represented by a handle.
This crate defines a function ambient_authority which returns a value of
type AmbientAuthority, which is an empty type used in function signatures
to declare that they use ambient authority.
The convention for a crate to declare that its API avoids ambient authority is:
-
If the crate wishes to have functions which use ambient authority, adding an
AmbientAuthorityargument to them, and re-exporting theambient_authorityfunction andAmbientAuthoritytype from this crate. -
Ensure that all other
pubfunctions avoid using ambient authority, including mutable static state such as staticAtomicstate, staticCells orRefCells, oronce_cellorlazy_staticstate with initialization that uses ambient authority.
The instructions for a user wishing to only use capability-oriented crates are:
- Manually ensure that all immediate dependencies follow the above convention.
- Copy the clippy/clippy.toml file into their top level source directory, add
#![deny(clippy::disallowed_method)]to their main.rs or lib.rs, and runcargo +nightly clippyor equivalent.